Dutch intelligence agencies announced on Monday that Russian government hackers are targeting Signal and WhatsApp users, particularly government and military personnel, as well as journalists around the world.
The Netherlands' Defense Intelligence and Security Agency (MIVD) and the General Intelligence and Security Agency (AIVD) have announced details of a “large-scale global” hacking campaign against Signal and WhatsApp users. The agencies accused “Russian state actors” of using phishing and social engineering techniques, rather than malware, to take over accounts on the two messaging apps.
In the case of Signal, the hacker poses as the app's support team and sends a message directly to the target alerting them to suspicious activity, a “potential data breach,” or an attempt to access the target's personal data. Once the target falls for it, the hacker not only asks for the target's PIN code, but also a verification code sent via SMS (which the hacker himself requests from Signal).
Contact Us Do you have more information about this hacking campaign or other campaigns targeting Signal and WhatsApp? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device at Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or by email.
According to the report, hackers could use the verification code and PIN code to register a new device with a new phone number, impersonate the target, and access their contacts. The target will also be locked out of their account, but will be able to re-register their number.
“Signal stores chat history locally on the phone, allowing victims to access it again after re-registering. As a result, victims may think that nothing is wrong. The Dutch service would like to emphasize that this assumption may be wrong,” the report says.
Signal does not provide support directly through the app. It's also important to note that, in general, when a user adds a new device to their Signal account, the new device won't have access to their previous messages.
Signal did not respond to requests for comment.
Image: An example of a malicious Signal message sent by a hacker. Currently, “the most common example of such messages and methods of account takeover.” (Image credit: Netherlands General Intelligence and Security Agency)
Hackers are also trying to trick targets in both apps into scanning malicious QR codes or clicking malicious links. “For example, an attacker may send a QR code or link to add a victim to a chat group, but this QR code or link actually links the attacker's device to the victim's account,” the report explains.
In the case of WhatsApp, hackers exploit the “Linked Devices” feature, which allows users to access WhatsApp from secondary devices such as laptops and tablets. If hackers are successful in fooling their targets, they may be able to read past messages, unlike Signal. Also, in some cases, victims may not be aware that they have given hackers access because they are not logged out of their accounts.
Meta spokesperson Zade Alswah said WhatsApp recommends users never share their six-digit code with anyone, pointing to a Help Center page to help users recognize suspicious messages and a linked page on device features.
The Dutch Interior and Defense ministries did not respond to requests for further information about the hacking activity.
The Russian embassy in Washington, D.C., did not respond to a request for comment.
Some of the techniques revealed by Dutch intelligence in this report are known to have been used by Russian government hackers in the context of the war against Ukraine.