FBI Warns of Hackers Targeting Signal, WhatsApp in Massive Account Theft Attacks

Threat actors linked to the Russian Intelligence Services are conducting phishing campaigns to compromise commercial messaging applications (CMAs) such as WhatsApp and Signal to take control of the accounts of high-level intelligence officials, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said on Friday.
“This operation targeted high-level intelligence officials, including current and former US government officials, military personnel, politicians, and journalists,” FBI Director Kash Patel said in a statement on X. “Globally, this effort resulted in unauthorized access to thousands of individual accounts. Once accessed, actors could view messages and contact lists, post victims as additional crimes, and send messages as additional victims.”
CISA and the FBI said the operation led to the compromise of thousands of individual CMA accounts. It is worth noting that the attacks are designed to break into targeted accounts and do not exploit any security vulnerability or weakness to break the platforms’ encryption protections.
Although the agencies did not say whether the activity was related to a specific threat actor, previous reports from Microsoft and the Google Threat Intelligence Group have linked such campaigns to several Russian threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
In the same warning, the Cyber Crisis Coordination Center (C4), part of the National Cybersecurity Agency of France (ANSSI), warned of an increase in attack campaigns targeting the instant messaging accounts of government officials, journalists, and business leaders.
“This attack – if successful – could allow malicious actors to access chat histories, or take control of their victims’ messaging accounts and send messages while doing so,” C4 said.
The ultimate goal of the campaign is to give threat actors unauthorized access to victims’ accounts, enabling them to view messages and contact lists, send messages on the victims’ behalf, and even conduct phishing against other targets by abusing trusted relationships.
As cybersecurity organizations from Germany and the Netherlands recently warned, the attack involves an adversary masquerading as “Signal Support” to approach targets and urge them to click on a link (or scan a QR code) or provide a PIN or verification code. In both cases, the social engineering scheme allows malicious actors to gain access to the victim’s CMA account.
However, the campaign has two different effects on the victim depending on the method used:
- If a victim provides a PIN or verification code to the threat actor, they lose access to their account, because the attacker uses the code to recover the account. Although the threat actor cannot access past messages, the technique can be used to monitor new messages and send messages to others while posing as the victim.
- If a victim clicks a link or scans a QR code, a device controlled by the threat actor is connected to the victim’s account, giving the actor access to all messages, including those sent in the past. In this case, the victim continues to have access to the CMA account unless explicitly removed in the application settings.
To stay better protected against the threat, users are advised to never share their SMS code or verification PIN with anyone, be alert when receiving unexpected messages from unknown contacts, check links before clicking on them, and periodically review connected devices and remove those that appear suspicious.
“This attack, like all phishing crimes, relies on social engineering. Attackers pose as trusted contacts or services (such as ‘Signal Support Bot’) to trick victims into providing their login credentials or other information,” Signal said in a post on X earlier this month.
“To help prevent this, remember that your Signal SMS verification code is only required when you sign up for the Signal app. We also want to emphasize that Signal Support will *not* initiate contact via in-app messaging, SMS, or social media to ask for your verification code or PIN. If anyone asks for any code related to Signal, it’s a scam.”
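For teams that triage messages reported by users, the following added example (not code from the agencies' alert or from Signal) sorts a reported message or decoded QR payload into the two lure types described above. The `sgnl://linkdevice` URI form, the keyword patterns, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the article): Signal device-link QR codes decode
# to URIs of the form sgnl://linkdevice?...
DEVICE_LINK = ("sgnl", "linkdevice")
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)
SUPPORT_RE = re.compile(r"\bsignal\s+support\b", re.I)
# A request verb followed closely by one of the secrets the advisory names.
CODE_ASK_RE = re.compile(
    r"\b(send|share|provide|enter|confirm|reply|give)\b.{0,40}?"
    r"\b(verification code|sms code|pin)\b", re.I | re.S)

def triage(sender: str, body: str) -> dict:
    """Classify one reported message (or decoded QR payload) into a lure type."""
    urls = URL_RE.findall(body)
    reasons = []
    if SUPPORT_RE.search(sender) or SUPPORT_RE.search(body):
        reasons.append("claims to be Signal Support")
    if CODE_ASK_RE.search(body):
        reasons.append("asks for a code or PIN")
    for url in urls:
        parts = urlsplit(url)
        if (parts.scheme.lower(), parts.netloc.lower()) == DEVICE_LINK:
            reasons.append("contains a device-link URI")
            break
    if "contains a device-link URI" in reasons:
        verdict = "device_link"    # attacker device gets connected, history exposed
    elif "asks for a code or PIN" in reasons:
        verdict = "code_theft"     # attacker recovers the account, victim locked out
    elif reasons and urls:
        verdict = "impersonation"  # support persona pushing an arbitrary link
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample reports (sender display name, message body).
SAMPLES = [
    ("Signal Support Bot", "Suspicious activity detected. Reply with your verification code."),
    ("Unknown", "Join the group: sgnl://linkdevice?uuid=EXAMPLE&pub_key=EXAMPLE"),
    ("Signal Support", "Verify your device at https://example.invalid/verify"),
    ("Alice", "Can you pin the agenda for tomorrow?"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body))
```

A `device_link` verdict calls for reviewing the account's connected devices, while `code_theft` means the code must not be shared.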



