Full Report
Plus: US takes down Iranian propaganda sites; Marketing company asks 'Why Do We Have Your Information?' And more! Infosec In Brief Russian intelligence-affiliated parties are posing as customer support services on commercial messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday.…
Analysis Summary
# Threat Actor: Russian Intelligence-Affiliated Parties
## Attribution & Identity
* **Actor Name/Alias:** Not specifically named in the text (often associated with groups like APT28 or APT29 in broader threat intel, though the article refers to them broadly as "Russian intelligence-affiliated parties").
* **Known Associations:** Russian Intelligence Services (SVR/GRU/FSB).
* **Official Warnings:** FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning on March 20, 2026.
## Activity Summary
According to the March 2026 warning, Russian actors are currently engaged in a widespread phishing campaign on the Signal messaging platform. They impersonate customer support services to gain unauthorized access to encrypted communications and account metadata. These "phishing raids" have successfully snared thousands of individual accounts.
## Tactics, Techniques & Procedures
* **Impersonation:** Posing as legitimate customer support or help desk services from commercial messaging applications (specifically Signal).
* **Social Engineering:** Sending messages notifying targets of "suspicious activity" to create a sense of urgency.
* **Phishing Links:** Urging victims to click external links to "verify" their accounts or identity.
* **Credential/2FA Theft:** Direct solicitation of account credentials or Two-Factor Authentication (2FA) codes to bypass security.
* **Account Linking:** Connecting the attacker's device to the victim’s account to maintain persistent access.
* **Post-Compromise Activity:** Reading private messages, sending messages as the victim, and harvesting contact lists.
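The pretexts in the list above are predictable enough to be scored mechanically. The following is an added example, not code from the FBI/CISA advisory or from the article: it triages an inbound chat message against those indicators (a "support" claim, manufactured urgency, a request to "verify", a request for a 2FA code or PIN, a request to link a device, and a link that leaves the vendor's domains) and bands the result as allow, warn or block. The keyword patterns, weights, thresholds, the trusted-domain allowlist and every sample message are constructed assumptions for this example; the advisory publishes none of them.

```python
"""Heuristic triage of 'customer support' lures on a messenger (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Where a genuine Signal support link is expected to point (assumed allowlist).
TRUSTED_LINK_DOMAINS = {"signal.org", "support.signal.org"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# (indicator name, weight, pattern). Weights are illustrative, not calibrated.
INDICATORS = [
    ("claims_to_be_support", 3,
     re.compile(r"\b(signal\s+)?(support|help\s*desk|security\s+team|customer\s+service)\b", re.I)),
    ("urgency_or_threat", 2,
     re.compile(r"\b(suspicious|unusual) activity\b|\bwithin \d+ (hours?|minutes?)\b"
                r"|\bwill be (suspended|locked|deleted)\b|\bimmediately\b|\burgent\b", re.I)),
    ("asks_to_verify", 2,
     re.compile(r"\b(verify|confirm|validate|re-?activate)\b.{0,40}\b(account|identity|number)\b",
                re.I | re.S)),
    ("asks_for_code_or_pin", 4,
     re.compile(r"\b(verification|2fa|two[- ]factor|sms|registration)\s+(code|pin)\b"
                r"|\bsend (us|me) the (code|pin)\b", re.I)),
    ("asks_to_link_device", 4,
     re.compile(r"\b(link|pair|add)\b.{0,30}\b(device|desktop|session)\b", re.I | re.S)),
]


@dataclass
class Verdict:
    score: int
    indicators: list[str]
    untrusted_links: list[str]

    @property
    def level(self) -> str:
        if self.score >= 6:
            return "block"   # hold the message and show a strong warning
        if self.score >= 3:
            return "warn"    # deliver behind an interstitial warning
        return "allow"


def link_hosts(text: str) -> list[str]:
    """Hostnames of every URL in the message, lowercased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;:!?")).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def is_trusted_host(host: str) -> bool:
    # Exact match or a true subdomain; "signal.org.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def triage(message: str, from_known_contact: bool) -> Verdict:
    hits = [name for name, _w, pat in INDICATORS if pat.search(message)]
    score = sum(w for name, w, _p in INDICATORS if name in hits)
    untrusted = [h for h in link_hosts(message) if not is_trusted_host(h)]
    # A link outside the vendor's domains only counts when the message also
    # presents itself as support or asks for verification.
    if untrusted and hits:
        score += 3
    # Real support desks do not open chats on the messenger, so any of these
    # pretexts from an unknown sender weighs more.
    if hits and not from_known_contact:
        score += 1
    return Verdict(score, hits, untrusted)


# Constructed sample messages: (text, sender is a saved contact).
SAMPLE_MESSAGES = [
    ("Signal Support: We detected suspicious activity on your account. Verify "
     "your identity within 24 hours at https://signal-support-verify.example/login "
     "or your account will be suspended.", False),
    ("Hi, this is the Signal security team. To confirm the account is yours, "
     "send us the verification code you just received by SMS.", False),
    ("Signal Help Desk here. For your protection we need to add a device to "
     "your session. Scan the QR at https://device-pairing.example/qr", False),
    ("did you also get a weird message from signal support asking you to verify "
     "your account? real help is at https://support.signal.org only", True),
    ("Hey, are we still on for lunch tomorrow? https://maps.example/place/123", True),
]


def run_samples() -> list[str]:
    """Triage every sample and return the band for each, in order."""
    return [triage(text, known).level for text, known in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for text, known in SAMPLE_MESSAGES:
        v = triage(text, known)
        print(f"{v.level:5} score={v.score:2} hits={v.indicators} links={v.untrusted_links}")
```

The fourth sample shows why the middle band exists: a saved contact warning a friend about the lure mentions "signal support" and "verify your account" and so scores, but the only link stays on the vendor's domain and the sender is known, so it is flagged for a warning rather than blocked. The per-indicator hits are returned alongside the score so an analyst can see which pretext fired rather than only the band.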
## Targeting
* **Sectors:** Government, Military, Intelligence, and Media/Journalism.
* **Geography:** Primarily United States (implied by FBI/CISA involvement) and international high-value targets.
* **Victims:** Former government officials, military figures, politicians, and journalists.
## Tools & Infrastructure
* **Platforms:** Signal (Commercial messaging app).
* **Infrastructure:** Phishing domains mimicking official support portals (specific URLs not provided in the text, but noted as being used for the "verification process").
## Implications
This campaign demonstrates that even end-to-end encrypted (E2EE) platforms remain exposed to identity-based attacks. By compromising the account itself (or a device linked to it) rather than the encryption protocol, Russian intelligence can bypass the platform's cryptographic protections to conduct espionage, track personnel movements via contact metadata, and potentially use compromised accounts for lateral movement or disinformation.
## Mitigations
* **Verification:** Treat unsolicited messages from "Support" on private messaging apps as suspicious.
* **Out-of-Band Authentication:** Never share 2FA codes or account PINs with any party via chat.
* **Official Channels:** Only use official website portals (verified via browser) for account security settings rather than clicking links in messages.
* **Security Settings:** Enable Signal’s "Registration Lock" (PIN) so the phone number cannot be re-registered on another device without the PIN, preventing unauthorized account transfers.
* **User Awareness:** Follow standard anti-phishing recommendations provided by the FBI/IC3: https://www.ic3.gov/PSA/2026/PSA260320
***
# Secondary Actor: Handala (Iran-Linked)
## Attribution & Identity
* **Name:** Handala
* **Affiliation:** Iran-linked "hacktivist" group (described as a "front for Tehran" by federal authorities).
## Activity Summary
The group has been conducting psychological operations (psyops) and data wiping attacks. They recently claimed credit for an attack on the U.S. med-tech firm Stryker and have been involved in doxxing military personnel.
## Tactics, Techniques & Procedures
* **Data Destruction:** Wiping information on employee devices.
* **Psychological Operations:** Using dedicated web domains to incite violence and spread propaganda.
* **Doxxing:** Publicly releasing private information of military members (IDF).
* **Exploitation:** Utilizing vulnerabilities in software (specifically mentioned: [Redacted/Hole in software]).
## Infrastructure (Defanged)
* Justicehomeland[.]org
* Handala-Hack[.]to
* Karmabelow80[.]org
* Handala-Redwanted[.]to