Russian government hackers are targeting Signal and WhatsApp users, particularly government and military officials, as well as journalists all over the world, Dutch intelligence said on Monday.
The Netherlands’ Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published details about a “large-scale global” hacking campaign against Signal and WhatsApp users. The two agencies accused “Russian state actors” of using phishing and social engineering techniques — rather than malware — to take over accounts on the two messaging apps.
In the case of Signal, the hackers are masquerading as the app’s support team and messaging targets directly with warnings of suspicious activity, “a possible data leak,” or of attempts to access the target’s private data. If the target falls for it, the hackers ask for a verification code sent via SMS — the hackers themselves request this code from Signal — as well as the target’s PIN code.
Contact Us: Do you have more information about this hacking campaign, or other campaigns targeting Signal and WhatsApp? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email
The hackers then use the verification and PIN codes to register a new device with a new phone number, impersonate the target, and potentially access their contacts, according to the report. Also, the target gets locked out of their account, but can re-register their number.
“Because Signal stores the chat history locally on the phone, a victim can regain access to that history after re‑registering. As a result, the victim may assume that nothing is wrong. The Dutch services want to stress that this assumption could be incorrect,” the report reads.
Signal does not provide support directly through the app. And it’s important to note that, generally speaking, when a user adds a new device to their Signal account, the new device does not have access to previous messages.
Signal did not respond to a request for comment.
Image: an example of a malicious Signal message sent by the hackers, currently “the most common illustration of such a message and the method of account takeover.” (Image Credits: Netherlands’ General Intelligence and Security Services)
Hackers are also trying to trick targets on both apps into scanning malicious QR codes or clicking on malicious links. “For example, an actor may send a QR code or link to a victim to add them to a chat group, but this QR code or link actually links the actor’s device to the victim’s account,” the report explained.
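A defender-side check for the QR-code trick the report describes, added here as an illustration and not taken from the Dutch report or from Signal: it classifies a decoded QR payload or link and flags one that is presented as a group invite but is really a device-linking request. The URI forms (`sgnl://linkdevice`, the older `tsdevice:` scheme, `https://signal.group/#...`) are assumptions not stated in the article, and all sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed URI forms (not given in the article): Signal device-linking QR
# payloads use sgnl://linkdevice (older clients: tsdevice:), while genuine
# group invites are https://signal.group/#... links.
LINK_SCHEMES = {"sgnl", "tsdevice"}
GROUP_HOSTS = {"signal.group"}


def classify_payload(payload: str) -> str:
    """Return 'device-link', 'group-invite' or 'unknown' for a decoded QR/link."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query)
    if scheme in LINK_SCHEMES and (host == "linkdevice" or scheme == "tsdevice"):
        return "device-link"
    # Provisioning parameters on any URL are treated as a linking request too.
    if "uuid" in params and "pub_key" in params:
        return "device-link"
    if scheme == "https" and host in GROUP_HOSTS and parts.fragment:
        return "group-invite"
    return "unknown"


def mismatch(claimed: str, payload: str) -> bool:
    """True when the payload is not what the accompanying message claims."""
    return classify_payload(payload) != claimed


# Constructed samples: (what the message says it is, decoded payload).
SAMPLES = [
    ("group-invite", "https://signal.group/#CONSTRUCTED-INVITE"),
    ("group-invite", "sgnl://linkdevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED"),
    ("group-invite", "tsdevice:/?uuid=CONSTRUCTED&pub_key=CONSTRUCTED"),
    ("group-invite", "https://example.invalid/join?id=1"),
]

if __name__ == "__main__":
    for claimed, payload in SAMPLES:
        verdict = "SUSPICIOUS" if mismatch(claimed, payload) else "ok"
        print(f"{verdict:10} claimed={claimed:12} actual={classify_payload(payload)}")
```

The check only sees the payload it is handed; a link that redirects through an intermediate page has to be resolved in a sandbox before it can be classified.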