Cyber actors linked to Russia target messaging app users, FBI warns

The United States has issued a cautionary note regarding cyber actors linked to Russian intelligence services, who are reportedly targeting users of commercial messaging applications, with a particular emphasis on Signal. This campaign has already compromised thousands of individual accounts across the globe.

Details of the Campaign

In a public service announcement released on March 20, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) outlined the operation’s focus on individuals considered to be of “high intelligence value.” Among the likely targets are current and former U.S. government officials, military personnel, political figures, and journalists. The advisory highlights the global nature of this campaign, which has led to unauthorized access to numerous accounts.

This warning is significant not due to any inherent flaws in the encryption of these messaging applications, but rather because it illustrates how state-sponsored hackers can circumvent technical safeguards by manipulating users. The FBI and CISA clarified that the attackers have not breached the encryption of these platforms or compromised the applications themselves. Instead, they have gained access by persuading users to disclose verification codes, PINs, or other credentials, or by tricking them into linking an attacker-controlled device to their accounts.

Methods of Deception

The advisory indicates that Russian intelligence-linked actors often pose as official support accounts within the app, sending messages that appear to originate from security teams. These messages create a sense of urgency, warning recipients about suspicious login attempts or alleged data leaks, and prompt them to respond with security codes. Additionally, the operation may utilize malicious links or QR codes to exploit linked device functions available in some messaging services. Once access is achieved, attackers can read messages, view contact lists, send messages from the compromised account, and use the victim’s identity to launch further phishing attempts against others.
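As an added illustration that is not part of the FBI/CISA advisory or this article, the following Python heuristic scores an incoming message against the lure traits described above (support impersonation, urgency, a request for a code or PIN, and a prompt to scan a QR code or link a device), so that a help desk or security team can triage user-reported messages. The `Message` fields and the sample texts are constructed assumptions, not any app's API or real captures.

```python
import re
from dataclasses import dataclass

@dataclass
class Message:
    display_name: str   # sender name as shown in the app
    in_contacts: bool   # True if the sender is an existing contact (constructed attribute, not an app API)
    text: str

# Lure signals taken from the advisory's description: support impersonation, urgency,
# a request for a code/PIN, and a prompt to scan a QR code or link a device.
SIGNALS = {
    "support_impersonation": re.compile(
        r"\b(signal|whatsapp)?\s*(support|security team|safety team)\b", re.I),
    "urgency": re.compile(
        r"\b(suspicious (login|sign-?in)|data (leak|breach)|immediately"
        r"|within \d+ (minutes|hours)|will be (locked|suspended|deleted))\b", re.I),
    "code_request": re.compile(
        r"\b(reply|send|share|confirm|provide|enter)\b[^.]*\b(code|pin|verification|passcode)\b", re.I),
    "device_link": re.compile(
        r"\b(scan (this|the) qr|link(ed)? device|add (this|a new) device)\b", re.I),
}
# An unknown sender whose display name claims to be the service or its support staff.
OFFICIAL_NAME = re.compile(r"\b(signal|whatsapp|support|security|safety)\b", re.I)
STRONG = {"code_request", "device_link"}

def triage(msg: Message) -> dict:
    """Return the lure signals found in a message and whether it should be flagged for review."""
    hits = {name for name, rx in SIGNALS.items() if rx.search(msg.text)}
    if not msg.in_contacts and OFFICIAL_NAME.search(msg.display_name):
        hits.add("unknown_sender_posing_as_official")
    # A code/PIN or device-link request from an unknown sender is enough on its own.
    # From a known contact (whose own account may have been taken over) require two
    # signals, so that an ordinary "send me the wifi code" is not flagged.
    flagged = (not msg.in_contacts and bool(hits & STRONG)) or len(hits) >= 2
    return {"flagged": flagged, "signals": sorted(hits)}

# Constructed sample messages, not real captures.
SAMPLES = [
    Message("Signal Support", False, "We detected a suspicious login on your account. "
            "To keep it safe, reply with the verification code we just sent you within 10 minutes."),
    Message("Signal", False, "Your account was affected by a data leak. "
            "Scan this QR code to link a secure device and verify your identity."),
    Message("Bob", True, "I'm locked out. Signal support says you need to confirm the PIN "
            "they sent you and send it to me immediately."),
    Message("Alice", True, "Can you send me the wifi code when you get a chance?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.display_name, triage(m))
```

The third sample shows why a known contact is not exempt: the advisory notes that a compromised account is used to phish the victim's own contacts.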

Concerns similar to those raised by U.S. officials were echoed earlier this month by the Dutch intelligence and security services, AIVD and MIVD. In an advisory published on March 9, the Dutch agencies reported that Russian state hackers were engaged in a large-scale global campaign aimed at gaining access to Signal and WhatsApp accounts belonging to dignitaries, military personnel, and civil servants. The Dutch services noted that their targets included government employees in the Netherlands, as well as journalists and other individuals of interest to the Russian state.

Exploiting Trust

Dutch officials emphasized that the campaign does not rely on uncovering technical vulnerabilities within the apps. Instead, it exploits legitimate security features and users’ willingness to trust messages that appear authentic. Once an account is compromised, attackers can read incoming messages, including those exchanged in group chats, potentially obtaining sensitive information in the process. Users are advised to be vigilant for duplicate accounts in chat groups, altered display names, and unauthorized additions via group links, all of which may signal an account takeover or the insertion of an attacker’s identity into a conversation.

In response to the earlier Dutch warning, Signal stated that the incidents stemmed from sophisticated phishing campaigns designed to deceive users into sharing information, reiterating that neither its encryption nor its infrastructure had been compromised. This distinction is crucial, as end-to-end encryption remains effective when messages are exchanged between legitimate users. The vulnerability arises when an attacker successfully masquerades as one of those users by taking control of an account or discreetly adding a linked device. In such scenarios, the security of the underlying platform becomes largely irrelevant, as the intruder is effectively inside the conversation.

Implications for Sensitive Communications

For officials, military personnel, and journalists, the implications are clear. Messaging applications, often regarded as secure, remain appealing targets precisely because they facilitate sensitive exchanges. The strong reputation of platforms like Signal can foster a false sense of immunity, particularly when the real point of failure lies not in the software, but in user behavior. The FBI and CISA have urged users to never share PINs, passwords, or two-factor authentication codes for actions they did not initiate, to treat unexpected messages with skepticism, to inspect links before clicking, and to verify unusual requests through alternative channels.

This episode serves as a reminder that in the realm of cybersecurity, the most vulnerable point is often not the application itself, but the account holder. State-backed operators do not always need to breach encryption if they can convince a target to open the door.
