Russian‑Linked Phishing Campaign Hijacks Signal & WhatsApp Accounts of Government Officials, Military Personnel, and Journalists
What Happened — The FBI and CISA issued a joint PSA warning that Russian‑state‑backed actors are running a global phishing operation to hijack Signal and WhatsApp accounts. By posing as “Signal Support” or “WhatsApp Security Bot,” they trick high‑value targets into sharing SMS verification codes and app PINs. With those, the attackers add a device to the victim’s account and read its conversations without having to break end‑to‑end encryption. Evidence points to thousands of compromised accounts worldwide.
Why It Matters for TPRM —
- Credential‑theft attacks on messaging platforms can expose confidential communications of partners, suppliers, and senior executives.
- The playbook is publicly known and likely to be adopted by criminal groups targeting corporate accounts for fraud or espionage.
- Compromise of a single executive’s messaging app can cascade into broader supply‑chain risk, especially for organizations that rely on these channels for incident response coordination.
Who Is Affected — Government & public sector, defense & military, media & journalism, and any enterprise that uses Signal or WhatsApp for privileged communications.
Recommended Actions —
- Instruct all users to treat unsolicited “support” messages inside Signal/WhatsApp as suspicious.
- Enforce a policy prohibiting the sharing of SMS verification codes or app PINs.
- Deploy MFA on associated email and identity platforms; consider using hardware‑based authenticators for privileged accounts.
- Conduct phishing‑simulation training focused on messaging‑app social engineering.
Technical Notes —
- Attack vector: phishing/social engineering → stolen credentials (SMS codes, app PINs).
- No vulnerability in the apps’ encryption; attackers rely on user error.
- Data at risk: message content, contacts, and any files exchanged via the compromised accounts.
Source: Malwarebytes Labs