Russian Intelligence‑Linked Phishing Campaign Hijacks WhatsApp and Signal Accounts of Government Officials and Journalists
What Happened — Threat actors tied to Russian intelligence services have been running a large‑scale phishing operation that impersonates messaging‑app support teams. By sending crafted messages that request verification codes or prompt users to click malicious links, the actors have taken control of thousands of WhatsApp and Signal accounts belonging to current and former U.S. government officials, military personnel, politicians, and journalists.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Compromised messenger accounts expose sensitive communications, strategic plans, and personal data of high‑value individuals.
- Attackers can impersonate trusted contacts to launch further social‑engineering attacks against third‑party vendors and partners.
- The campaign shows that end‑to‑end encryption protects message content in transit, not the account itself: an attacker who obtains the verification code, or who gets the victim to link an attacker‑controlled device, reads messages as a legitimate endpoint. Few organizations’ third‑party risk controls cover messenger account takeover at all.
Who Is Affected — Government & military agencies, political offices, media organizations, and any enterprise that relies on WhatsApp or Signal for internal or external communications.
Recommended Actions —
- Turn on the apps’ account PINs (WhatsApp two‑step verification, Signal Registration Lock) so that a stolen SMS verification code alone cannot re‑register the number, and audit each app’s Linked Devices list regularly, removing any device the user does not recognize.
- Conduct targeted security awareness training focused on phishing tactics that mimic app support.
- Manage the devices used for official messaging with a mobile‑device management (MDM) solution so that only approved, current app builds are installed. Note that MDM does not see in‑app device linking, so the Linked Devices review has to be done inside the app itself.
- Review and harden incident‑response playbooks for compromised communications accounts.
Technical Notes — The attackers use social‑engineering lures (fake support messages) to obtain verification codes or to persuade victims to click malicious URLs. No vulnerability in the apps themselves is exploited; the campaign relies on account takeover (a stolen verification code used to re‑register the number, or a device the attacker links to the victim’s account, which then receives the victim’s messages on an ongoing basis) and, in some cases, on malware payloads delivered via the phishing links. Source: Security Affairs
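As an added illustration (not code from the Security Affairs article or from either vendor), the following Python triage heuristic scores chat messages against the lure pattern described above: a sender posing as WhatsApp or Signal support, a request for the verification code, a link pointing off the vendors’ own domains, or a Signal device‑linking URI. The domain allowlist, the weights, and the sample messages are assumptions constructed for the example; the `sgnl://linkdevice` indicator is the URI scheme encoded in Signal’s device‑linking QR codes and is weighted highest because a linked device keeps receiving the victim’s messages afterwards.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Domains the two vendors actually control. Any other host behind a
# "support" message is treated as a look-alike. Allowlist assumed for
# this example; extend it from your own telemetry.
OFFICIAL_HOSTS = {"whatsapp.com", "signal.org"}

# Indicators drawn from the lure described in the advisory: a sender posing
# as app support, a request for the verification code, a link off the
# vendors' domains, or a Signal device-linking URI (sgnl://linkdevice).
SUPPORT_CLAIM = re.compile(
    r"\b(whatsapp|signal)\b.{0,40}\b(support|security|verification|help)\b",
    re.I | re.S)
CODE_REQUEST = re.compile(
    r"\b(send|share|reply with|enter|confirm)\b.{0,40}"
    r"\b(\d-digit\s+)?(verification|security|one[- ]time|sms)\s*code\b",
    re.I | re.S)
URL_RE = re.compile(r"(?:https?|sgnl)://[^\s<>\"']+", re.I)
LINK_DEVICE = re.compile(r"^sgnl://linkdevice\b", re.I)

# Weights are an assumption for the example; tune them to your false-positive
# tolerance. A device-linking URI and a code request are the two actions that
# directly hand over the account, so they carry the most weight.
WEIGHTS = {"support_claim": 1, "code_request": 2, "offsite_link": 1, "link_device": 2}


def is_official(host: str) -> bool:
    """True if host is one of the vendor domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


@dataclass
class Verdict:
    score: int
    reasons: list


def score_message(text: str) -> Verdict:
    """Score one message; reasons explain which lure indicators fired."""
    score, reasons = 0, []
    if SUPPORT_CLAIM.search(text):
        score += WEIGHTS["support_claim"]
        reasons.append("poses as WhatsApp/Signal support")
    if CODE_REQUEST.search(text):
        score += WEIGHTS["code_request"]
        reasons.append("asks for a verification code")
    for url in URL_RE.findall(text):
        if LINK_DEVICE.match(url):
            score += WEIGHTS["link_device"]
            reasons.append("carries a device-linking URI: " + url)
            continue
        host = urlparse(url).hostname or ""
        if host and not is_official(host):
            score += WEIGHTS["offsite_link"]
            reasons.append("links to non-official host: " + host)
    return Verdict(score, reasons)


def triage(messages, threshold: int = 2):
    """Return (message, verdict) for every message scoring at or above threshold."""
    flagged = []
    for msg in messages:
        verdict = score_message(msg)
        if verdict.score >= threshold:
            flagged.append((msg, verdict))
    return flagged


# Constructed sample messages (not taken from the source article).
SAMPLES = [
    "WhatsApp Support Team: suspicious login detected. To keep your account, "
    "reply with the 6-digit verification code we just sent you.",
    "Signal Security: your account will be suspended. Verify here: "
    "https://signal-verify.example/link",
    "Scan this to link your desktop: sgnl://linkdevice?uuid=abc&pub_key=def",
    "Thanks, WhatsApp support sorted out my backup issue yesterday.",
    "Read the new Signal release notes: https://signal.org/blog/",
]

if __name__ == "__main__":
    for msg, verdict in triage(SAMPLES):
        print(verdict.score, verdict.reasons)
```

The two benign samples (a mention of vendor support, a link to the vendor’s own domain) each trip at most one indicator and stay below the threshold; the three lures each combine an impersonation claim with an action that hands over the account. The same scoring can be pointed at exported chat logs or at a corporate messaging gateway, and the reasons list is what an awareness‑training slide or an incident ticket should quote.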