Dutch intelligence agencies have revealed an extensive cyber campaign by Russian state-backed hackers aimed at infiltrating Signal and WhatsApp accounts of high-profile individuals worldwide. The Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) describe the effort as large-scale and ongoing, exploiting user behaviour rather than flaws in the apps themselves. The operation focuses on government officials, military personnel, and civil servants, with Dutch employees among those targeted. Journalists and others deemed of interest to Moscow may also be at risk.[1]
Hackers deceive users into disclosing security verification codes and PINs, often by impersonating a Signal Support chatbot. This tactic allows account takeover without breaching the apps' end-to-end encryption. Another approach abuses the 'linked devices' feature in both Signal and WhatsApp to gain unauthorized access through a connected device. Once inside an account, intruders can intercept incoming messages, including those in group chats, potentially exposing sensitive data.
Signal's popularity among governments stems from its independent, encrypted nature, making it an attractive conduit for secure internal discussions.
- The MIVD Director Vice-Admiral Peter Reesink cautioned: “Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information.”
- AIVD Director-General Simone Smit clarified: “It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.” The agencies emphasize that the campaign does not exploit technical weaknesses but manipulates legitimate security mechanisms.
In expert comment, Cody Barrow, former NSA cyber chief and CEO of EclecticIQ, reflected on the broader implications. He noted that state-aligned actors are adapting by avoiding direct assaults on robust encryption; instead, they pursue accounts through phishing, social engineering, and device compromises.
“Once an attacker gains access to a messaging account or a linked device, they can monitor conversations, map networks of contacts, and collect intelligence over time,” Barrow said. He highlighted the value of such access for foreign intelligence services, particularly when targeting government officials and journalists handling delicate matters.
Barrow stressed: “Campaigns like this show that the real target is often the user, not the encryption. Strong account security, multi-factor authentication, and awareness of phishing attempts are critical protections.”
MIVD and AIVD have released a joint Cyber Advisory outlining detection and mitigation strategies. Users should scan group chats for duplicate members; identical or similar names may signal a breach. Verification through alternative means, such as email or phone calls, is advised. If a compromise is confirmed, group administrators should expel both the suspicious and the legitimate account, then allow the genuine user to re-enter.
Additional vigilance includes monitoring for unrecognized participants or name alterations, like 'Deleted account', which might not trigger alerts. Unauthorized joiners via group links prompt notifications, and suspicious entries should be removed promptly. If the administrator appears compromised, users are urged to leave and form a new group.
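The roster check described in the advisory summary above, as an added example that is not code from the article or from the MIVD/AIVD advisory: it folds each display name to a comparison form so that a clone built from look-alike letters or invisible characters is caught alongside an exact duplicate, flags near-duplicates with a similarity ratio, and reports placeholder names such as 'Deleted account' or 'Signal Support'. The member-list format, the small confusables table and the sample roster are constructed for the example.

```python
"""Flag look-alike display names in a group-chat member list.

Added example, not from the Red Sky Alliance article or the MIVD/AIVD advisory.
It assumes a group's members have been exported (e.g. by a chat admin) into a
list of (member_id, display_name) pairs; the sample roster below is constructed.
"""
import difflib
import unicodedata
from dataclasses import dataclass

# Characters that render as nothing and are commonly used to make two names
# look identical on screen: zero-width space/joiners, word joiner, BOM, soft hyphen.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# A few Cyrillic lowercase letters whose glyphs look like Latin ones. This is a
# deliberately small table for the example; a deployment would use a full
# confusables list (e.g. Unicode UTS #39 data).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})

# Placeholder or impersonation names worth a second look in any group roster.
SUSPICIOUS_NAMES = {"deleted account", "unknown", "signal support"}


def normalize(name: str) -> str:
    """Fold a display name to a comparison form: NFKC, drop invisible
    characters, casefold, map look-alike letters, collapse whitespace."""
    s = unicodedata.normalize("NFKC", name)
    s = "".join(ch for ch in s if ch not in INVISIBLE)
    s = s.casefold().translate(CONFUSABLES)
    return " ".join(s.split())


@dataclass(frozen=True)
class Finding:
    kind: str       # "duplicate", "lookalike" or "placeholder"
    members: tuple  # member ids involved
    detail: str


def review_members(members, threshold: float = 0.9) -> list[Finding]:
    """Return findings for exact/near-duplicate display names and placeholder names.

    `members` is an iterable of (member_id, display_name). Two distinct members whose
    normalized names are equal are a 'duplicate'; names whose similarity ratio is at
    or above `threshold` but not equal are a 'lookalike'.
    """
    norm = [(mid, raw, normalize(raw)) for mid, raw in members]
    findings: list[Finding] = []
    for i, (mid_a, raw_a, n_a) in enumerate(norm):
        if n_a in SUSPICIOUS_NAMES:
            findings.append(Finding("placeholder", (mid_a,), f"{raw_a!r} is a placeholder name"))
        for mid_b, raw_b, n_b in norm[i + 1:]:
            if n_a == n_b:
                findings.append(Finding("duplicate", (mid_a, mid_b),
                                        f"{raw_a!r} and {raw_b!r} both fold to {n_a!r}"))
            else:
                ratio = difflib.SequenceMatcher(None, n_a, n_b).ratio()
                if ratio >= threshold:
                    findings.append(Finding("lookalike", (mid_a, mid_b),
                                            f"{raw_a!r} ~ {raw_b!r} (similarity {ratio:.2f})"))
    return findings


# Constructed sample roster: one genuine member, one clone using a Cyrillic
# capital A plus a zero-width space, one near-duplicate with an extra character,
# one member hiding behind a placeholder name, and one unrelated member.
SAMPLE_MEMBERS = [
    ("u1", "Anna Visser"),
    ("u2", "\u0410nna Visser\u200b"),  # Cyrillic A + zero-width space
    ("u3", "Anna Visser."),
    ("u4", "Deleted account"),
    ("u5", "Jan de Boer"),
]

if __name__ == "__main__":
    for f in review_members(SAMPLE_MEMBERS):
        print(f"{f.kind:11} {','.join(f.members):6} {f.detail}")
```

The normalization step matters more than the comparison: without casefolding, confusable mapping and removal of zero-width characters, the clone at `u2` compares as a completely different string and only the trailing-dot variant would be caught.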
The advisory emphasizes the need for ongoing caution in digital communications: these platforms, while encrypted, remain susceptible to human-targeted exploits, and state actors are refining their methods to gather intelligence and spread disruption amid escalating geopolitical tensions.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/russian-hackers-target-signal-and-whatsapp--9191.html