Russian Intelligence Linked to Phishing Hijacks of Signal and WhatsApp Accounts Affecting Thousands of High‑Value Users
What Happened – Russian‑state‑aligned threat actors are running large‑scale phishing campaigns that hijack accounts on encrypted messaging apps such as Signal and WhatsApp. Victims are tricked either into sharing the one‑time verification code the app sends during registration or into scanning an attacker‑generated device‑linking QR code; in both cases the attacker ends up with a device attached to the victim's account. That device receives the account's messages and contact list and can send messages in the victim's name, so the compromise is persistent and gives full impersonation capability, not read‑only access. End‑to‑end encryption is not broken: the attacker's device is simply an authorized endpoint, which is why network‑level controls never see the traffic.
Why It Matters for TPRM –
- Compromise of communication channels used by senior executives, government officials, and journalists creates a covert data‑exfiltration vector that bypasses traditional network defenses.
- Account hijacks can be leveraged to launch further spear‑phishing attacks against a vendor’s ecosystem, expanding supply‑chain risk.
- The tactics are repeatable across multiple commercial messaging platforms, indicating a persistent threat to any third‑party that relies on end‑to‑end encrypted messaging for sensitive coordination.
Who Is Affected – Government & public sector, defense & intelligence, political organizations, media outlets, and any enterprise that uses Signal or WhatsApp for confidential communications.
Recommended Actions –
- Require high‑value users to enable the app's registration‑lock PIN (Signal's Registration Lock, WhatsApp's two‑step verification) so that a stolen SMS verification code alone cannot re‑register the number. A PIN does not stop QR‑based device linking, so also require a periodic review of the app's Linked Devices list and immediate removal of any device the user does not recognise.
- Run a rapid awareness campaign describing the specific lures: support‑desk style messages asking the user to read back a verification code, and unsolicited QR codes that, when scanned from inside the app, link a new device. Keep the rule simple: a verification code is never shared with anyone, and a QR code is never scanned because someone asked.
- Review third‑party communication policies; consider alternative vetted secure‑messaging solutions with hardware‑based key management.
Technical Notes – Attack vector: social engineering (fake support messages, malicious QR codes) → either disclosure of the registration verification code or scanning of an attacker‑generated device‑linking QR code → attacker device attached to the victim account. No CVE applies; the weakness is procedural, since the apps' legitimate registration and multi‑device features are used exactly as designed. Exposed data: private messages, contact lists, and any attached files, plus the ability to send messages as the victim. Source: BleepingComputer