
Russian cybercrims phish their way into officials' Signal and WhatsApp accounts

Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally – not by cracking encryption, but by simply tricking people into handing over the keys.

That's the warning issued Monday by the Netherlands' intelligence and military security agencies, the AIVD and MIVD, which say a "large-scale" Russian cyber campaign is actively targeting Signal and WhatsApp accounts. The goal isn't to defeat the apps' end-to-end encryption, but to take over the accounts themselves and quietly read whatever conversations are inside.

According to the agencies, the attackers approach targets directly via chats and persuade them to share security verification codes or PINs, effectively giving the intruders full access to the account. In some cases, the attackers reportedly impersonate a Signal support bot to make the request look legitimate. Once the code is shared, attackers can log in and read messages or monitor group chats without needing to defeat the underlying encryption.

Another trick involves abusing Signal's "linked devices" feature, which allows users to connect additional devices to their account. If an attacker manages to link their own device, they can effectively mirror the victim's messages in real time.

The Dutch agencies say that the campaign has already snared victims, including people working inside the Dutch government. "The Russian hackers have likely gained access to sensitive information," the AIVD and MIVD said, adding that "targets and victims of the campaign include Dutch government employees" as well as journalists.

Ironically, the very reason officials and reporters often favor these apps – their strong encryption – also makes them a juicy intelligence target once an account itself is compromised. End-to-end encryption protects messages in transit, but it does little if an attacker manages to log into the account itself.

A Meta spokesperson told The Register that users should never share their six-digit code with others and that the company provides detailed advice on how WhatsApp users can protect themselves from scams.

Signal did not immediately respond to The Register's questions. 

Dutch authorities released a cybersecurity advisory and are assisting affected users in securing their accounts. They also warned that subtle clues can indicate a compromise, such as contacts suddenly appearing twice in a list or numbers unexpectedly showing up as "deleted account."

The bigger message from the spooks is that encrypted consumer messaging apps might be convenient, but they're not exactly a classified communications system. As MIVD director Vice-Admiral Peter Reesink put it:

"Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."

In other words, if your operational security plan relies on the hope that nobody will ever ask you for a six-digit code in a chat, it might be time for a rethink. ®

Source: The Register
