A cybersecurity advisory from the Netherlands General Intelligence and Security Service (AIVD advisory) says Russian state-sponsored hackers are running a phishing campaign that hijacks Signal and WhatsApp accounts used by government officials, military personnel, and journalists.
KEY FACTS
- Incident Phishing and device-linking attacks to take over messaging accounts
- Targets Government officials, military personnel, and journalists
- Techniques Fake support chatbots and malicious QR codes or links
- Outcome Account takeover or silent device linking to read and send messages
The campaign uses two main techniques. One impersonates a support chatbot that instructs users to enter an SMS verification code and their Signal PIN. Providing both allows attackers to register the account on their device and take full control.
Another method abuses device linking. Victims receive a QR code or link that looks like a chat invite or connection request. Scanning or opening the item links the attacker device to the victim account and can sync messages in real time while the victim often retains access.
After access, attackers may change the phone number associated with the account, view contacts and incoming messages including group chats, and send messages as the victim. Local storage of chat history can let victims regain visible messages when they re-register and so miss signs of compromise.
Recommended precautions include never sharing SMS verification codes or PINs, checking the list of linked devices in app settings and removing unknown entries, ignoring unsolicited links and invitations, and avoiding transmission of sensitive or classified information over messaging apps unless explicitly approved.
WHY IT MATTERS
The campaign targets high value accounts and exploits legitimate authentication features to persistently access communications. Compromised accounts can expose contacts, group conversations, and sensitive information while appearing normal to the victim.