Russia-linked actors target WhatsApp and Signal in phishing campaign

Russia-linked actors target WhatsApp and Signal accounts of officials and journalists via phishing, gaining access to messages and contacts.

Threat actors linked to Russian Intelligence Services are running phishing campaigns to hijack high-value accounts on messaging apps like WhatsApp and Signal, the FBI warns.

“The FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal.” FBI Director Kash Patel wrote on X. “The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists.”

Targets include government officials, military personnel, politicians, and journalists. The attackers do not break app encryption but instead use phishing to gain account access. The attacks have already compromised thousands of accounts worldwide. Once inside, attackers can read messages, access contacts, impersonate victims, and launch further phishing using trusted identities.

Attackers especially target Signal but use similar tactics across other platforms. Users who strengthen their security and stay alert to social engineering attempts can reduce the risk and limit the impact of these attacks.

Russia-linked actors pose as messaging app support accounts and send phishing messages tailored to trick targets. They push users to click links or share verification codes or PINs. When victims comply, attackers gain access by linking their own device or taking over the account entirely. As the campaign evolves, they may also deploy malware to further compromise victims.

“If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account either by adding the attacker’s device as a linked device or through a full account takeover.” reads a joint Public Service Announcement (PSA) published by CISA and the Federal Bureau of Investigation. “As the campaign evolves, actors may use additional techniques, such as malware to infect the victim.”

Phishing remains a simple but highly effective way to compromise accounts, bypassing protections like end-to-end encryption by targeting users directly. Attackers trick victims into sharing codes or clicking malicious links, gaining full account access.

Users should stay alert: pause if something feels off, never share PINs or 2FA codes, and treat unexpected messages with suspicion, even from known contacts. Always check links before clicking, verify group members, and use built-in security features.

Report suspicious activity quickly to security teams or authorities. Remember, legitimate app support will never ask for codes or send links to “verify” accounts, always use official channels.

Recently, Dutch intelligence agencies (MIVD and AIVD) also warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stressed that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp, Signal)