Russian government hackers are targeting Signal and WhatsApp users, particularly government and military officials, as well as journalists around the world, Dutch intelligence agencies said on Monday.
The Netherlands Intelligence and Security Agency (MIVD) and the General Intelligence and Security Agency (AIVD) published details of a “wide-scale global” hacking campaign against Signal and WhatsApp users. The two agencies accused “Russian state actors” of using phishing and social engineering techniques – rather than malware – to take over accounts on the two messaging apps.
In Signal’s case, hackers masquerade as the app’s support team and directly message targets with warnings of suspicious activity, “potential data leakage,” or attempts to access the target’s private data. If the target falls for it, the hackers ask for the verification code sent via SMS (a code the hackers themselves requested from Signal) as well as the target’s PIN.
Contact us
Do you have more information about this hacking campaign or other campaigns targeting Signal and WhatsApp? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
Hackers then use the verification codes and PINs to register a new device with a new phone number, impersonate the target and potentially access their contacts, according to the report. Also, the target is locked out of their account, but can re-register their number.
“Because Signal stores the conversation history locally on the phone, a victim can access this history again after rewriting. As a result, the victim may assume that nothing is wrong. The Dutch authorities want to emphasize that this assumption may be incorrect,” the report states.
Signal does not provide support directly through the app. And it’s important to note that, generally, when a user adds a new device to their Signal account, the new device doesn’t have access to previous messages.
Signal did not respond to a request for comment, but posted a thread on social media advising users on how to protect themselves, including never sharing their SMS verification code and PIN.
Hackers also try to trick targets in both apps into scanning malicious QR codes or clicking on malicious links. “For example, an actor might send a QR code or link to a victim to add them to a chat group, but that QR code or link actually connects the actor’s device to the victim’s account,” the report explains.
In the case of WhatsApp, hackers abuse the “Connected Devices” feature, which allows users to access WhatsApp from a secondary device such as a laptop or tablet. If hackers successfully fool their targets, they can, unlike with Signal, potentially read past messages. And sometimes the victim may not realize that they have given the hackers access, since they are not logged out of their account.
Meta spokesperson Zade Alsawah said that WhatsApp advises users never to share their six-digit code with anyone, and pointed to a Help Center page that helps users identify suspicious messages and a page about how Connected Devices works.
The Dutch Ministry of the Interior and Ministry of Defense did not respond to a request for more information about the hacking campaign.
The Russian embassy in Washington did not respond to a request for comment.
Some of the techniques highlighted by the Dutch intelligence services in this report are known to be used by Russian government hackers as part of the war against Ukraine.
