According to the Dutch services, the campaign aims to gain access to messaging accounts used by individuals of interest to the Russian government. Journalists and other persons of interest may also be potential targets.
The campaign focuses on persuading users to reveal their security verification and PIN codes. By obtaining these codes, attackers are able to gain control of Signal or WhatsApp accounts.
One of the most commonly observed methods involves hackers impersonating a Signal Support chatbot. In this approach, victims are tricked into providing their security codes, which are then used by the attackers to take over the account.
Another technique exploits the ‘linked devices’ function available in both messaging applications. Once access has been obtained, attackers are able to read incoming messages and monitor conversations within group chats.
Dutch intelligence services believe that this campaign may already have resulted in the exposure of sensitive information. The compromised accounts provide potential access to private communications between government officials and other users.
The agencies noted that Russia’s interest in Signal is likely connected to the application’s strong reputation for security. Signal is widely regarded as a reliable communication platform offering end-to-end encryption.
This reputation has made the service popular among governments seeking secure internal communication channels. At the same time, it creates opportunities for malicious actors seeking to capture sensitive information.
Vice-Admiral Peter Reesink, Director of the MIVD, stressed that messaging applications are not suitable for highly sensitive communication. “Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information.”
The intelligence services emphasised that the cyber campaign does not exploit technical vulnerabilities within the applications themselves. Instead, attackers misuse legitimate security features of the platforms to gain access to individual accounts.
Simone Smit, Director-General of the AIVD, clarified the nature of the attacks. “It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.”
To strengthen resilience against the campaign, the MIVD and AIVD have published a Cyber Advisory outlining methods to identify and respond to suspicious activity. The advisory includes guidance for Signal users on how to recognise potentially compromised contacts.
Users are advised to check their group chats for duplicated member names that appear identical or slightly different. Such duplications may indicate either a compromised account or a new account created by an attacker.
If suspicious activity is detected, users are encouraged to report it to their organisation’s information security department. Verification should preferably take place using a different communication channel, such as email or telephone.
Where a duplicated account is confirmed as illegitimate, group administrators are advised to remove both entries from the chat. The legitimate user can then request to rejoin the group after the situation has been resolved.
The advisory also urges users to remain vigilant for unfamiliar group members. Attackers may change the display name of compromised accounts, sometimes using names such as “Deleted account”, in order to remain unnoticed.
The services also warn that attacker-controlled accounts can enter groups through obtained Group Links. In such cases, group members will receive a notification when a new account joins the chat.
If there are signs that a group administrator may have been compromised, the Dutch services recommend leaving the existing group and creating a new one. These measures are intended to help reduce the risk of further unauthorised access and protect sensitive communications.
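The roster checks described above (identical or slightly different member names, and placeholder names such as “Deleted account”) can be run as a script. This is an added example, not code from the advisory or from the MIVD or AIVD. It assumes a group roster has already been written down as (account id, display name) pairs; the sample roster, the account ids and the 0.85 similarity threshold are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# "Deleted account" is the one placeholder name the article mentions.
PLACEHOLDER_NAMES = {"deleted account"}

def normalize(name):
    """Fold case, accents, invisible format characters and extra whitespace."""
    text = unicodedata.normalize("NFKD", name)
    # Mn = combining accents, Cf = zero-width and other format characters.
    text = "".join(c for c in text if unicodedata.category(c) not in ("Mn", "Cf"))
    return " ".join(text.casefold().split())

def review_roster(members, threshold=0.85):
    """Return (reason, account_ids) findings for a list of (account_id, display_name)."""
    norm = [(acct, normalize(name)) for acct, name in members]
    findings = [("placeholder-name", (acct,))
                for acct, name in norm if name in PLACEHOLDER_NAMES]
    for (a, name_a), (b, name_b) in combinations(norm, 2):
        if name_a in PLACEHOLDER_NAMES or name_b in PLACEHOLDER_NAMES:
            continue  # already reported above
        if name_a == name_b:
            findings.append(("identical-name", (a, b)))
        elif SequenceMatcher(None, name_a, name_b).ratio() >= threshold:
            findings.append(("similar-name", (a, b)))
    return findings

# Constructed sample roster (hypothetical ids and names).
ROSTER = [
    ("acct-01", "Anna de Vries"),
    ("acct-02", "Pieter Jansen"),
    ("acct-03", "Anna de Vries"),          # exact duplicate of acct-01
    ("acct-04", "Pieter  Jansen\u200b"),   # extra space and a zero-width space
    ("acct-05", "Deleted account"),        # placeholder display name
    ("acct-06", "Sanne Bakker"),
    ("acct-07", "Sanne Baker"),            # one letter different from acct-06
]

if __name__ == "__main__":
    for reason, accounts in review_roster(ROSTER):
        print(reason, ", ".join(accounts))
```

A finding only marks entries for the out-of-band verification the advisory recommends; it does not show which of two similar accounts is the legitimate one. Look-alike letters from other scripts are not folded by this normalization.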
Download: Cybersecurity Advisory Signal and WhatsApp.