
FBI Ties Signal Phishing to Russian Intelligence

Summary

– The FBI has publicly attributed widespread phishing campaigns targeting encrypted messaging app users to Russian intelligence services for the first time.
– These attacks bypass end-to-end encryption by hijacking accounts or linking attacker-controlled devices, primarily targeting Signal users.
– The campaigns have compromised thousands of accounts globally, focusing on high-value individuals like government officials, military personnel, and journalists.
– Attackers trick victims into sharing verification codes or scanning malicious QR codes, often by impersonating platform support accounts.
– Once access is gained, attackers can silently read messages, impersonate the user, and launch further phishing attacks from the compromised account.

The FBI has publicly attributed a widespread phishing campaign targeting encrypted messaging apps to Russian intelligence services, marking a significant shift from broader state-actor warnings to a specific, named adversary. This campaign, which has already compromised thousands of accounts globally, does not break end-to-end encryption but instead relies on account hijacking to bypass the security of platforms like Signal and WhatsApp. The advisory highlights that these attacks are not exploiting software vulnerabilities but are instead using sophisticated social engineering to gain unauthorized access.

These operations primarily target individuals considered to be of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists. By compromising these accounts, threat actors can read private messages, access contact lists, impersonate the victim, and launch further phishing attacks from a position of trust. The FBI’s announcement aligns with recent warnings from cybersecurity authorities in the Netherlands and France, which described nearly identical tactics targeting the same platforms.

The core technique involves phishing messages that impersonate official support accounts. These messages trick users into performing actions that secretly grant access, such as sharing verification codes or scanning malicious QR codes. Scanning the QR code or providing the verification code links the victim’s messaging account to a device controlled by the attacker. Once access is obtained, the adversary can silently monitor all communications, join private group chats, and send messages as the compromised user, making detection exceptionally difficult and enabling the campaign to spread.

This coordinated international reporting confirms that the threat is ongoing and widespread. The French Cyber Crisis Coordination Center (C4) noted the activity spans multiple countries, while the Dutch intelligence services previously warned of state-backed attackers using these methods. All agencies stress that the security of the encryption protocols themselves remains intact; the weakness lies in the human element being manipulated through deception.

To protect against these attacks, users should treat unexpected messages, especially those requesting account actions, with extreme suspicion. Never share verification codes with anyone, and be cautious of any request to scan a QR code to link a new device. Legitimate support services will not ask for these credentials. Enabling registration lock or similar security features, where available, can provide an additional layer of defense against unauthorized device linking.

(Source: BleepingComputer)
