Russian intelligence services are utilizing sophisticated phishing schemes to hijack WhatsApp and Signal accounts of high-profile targets like government officials and journalists. These operations bypass encryption by tricking users into providing verification codes or linking malicious devices, allowing attackers to read messages and impersonate victims.
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have issued a warning regarding targeted phishing campaigns originating from Russian intelligence affiliates. These attacks specifically focus on individuals deemed to be of high intelligence value, including military personnel, political figures, and members of the media. By gaining unauthorized access to commercial messaging applications, threat actors can monitor private conversations, harvest contact lists, and use the victim's trusted identity to launch further attacks against their colleagues and associates.
It is important to understand that these breaches do not represent a technical failure of the encryption used by applications like Signal or WhatsApp. Instead, the attackers rely on social engineering tactics to create a sense of urgency, often sending fake security alerts about suspicious login attempts. These messages are designed to manipulate the recipient into either clicking a malicious link or revealing a sensitive verification PIN that allows the attacker to seize control of the account.
The methods used in these campaigns give the intruders different levels of access. If a victim provides a verification code, the attacker can move the account to their own device, which kicks the original user out and allows the actor to send and receive new messages. If the victim instead scans a QR code or clicks a link that adds a new linked device, the attacker can remain hidden and gain access to the entire history of the user’s past conversations without the victim realizing their account has been compromised.
European cybersecurity agencies in France, Germany, and the Netherlands have observed similar surges in this activity, noting that attackers often pose as technical support entities. For instance, some schemes involve a fraudulent account that claims to be a support bot and asks the user to verify their identity. These agencies emphasize that legitimate messaging services will never initiate contact to ask for a verification code or a PIN, and any such request should be treated as a clear sign of a scam.
To defend against these persistent threats, security experts recommend a few essential digital hygiene practices. Users should never share SMS verification codes with anyone and must be extremely skeptical of unexpected messages from unknown contacts or supposed support accounts. Regularly reviewing the list of linked devices within the settings of messaging apps is also a critical step, as it allows users to identify and disconnect any unrecognized hardware that may be monitoring their private communications.
Source: https://www.cisa.gov/resources-tools/resources/russian-intelligence-services-target-commercial-messaging-application-accounts



