Signal & WhatsApp Phishing Campaign by Russian Spies Targets Government Sources and Journalists

The Dutch Ministry of Defence is warning that a likely state-backed Russian group is trawling Signal and WhatsApp with a phishing campaign targeting a broad range of government sources and sometimes journalists. The campaign is not making use of any novel vulnerabilities, but has been able to use old tricks to good effect.

The phishing campaign appears to be successful enough that Dutch intelligence services MIVD and AIVD are issuing a warning about its approaches, which are things that are ideally already covered in anti-phishing training. The attackers do not do any real hacking or exploitation of vulnerabilities, instead relying on victims to voluntarily enter their authentication information.

Phishing training may still be missing some fundamentals, even as AI raises the threat level

Looking at the examples of phishing campaign messages the Ministry of Defence presents, it seems obvious (at least to someone in cybersecurity) that they should not be engaged with. Aside from presenting with rather Russian-sounding English grammar, WhatsApp and Signal (as well as nearly all serious messaging apps) do not contact users via direct message asking for their authentication information. And if the user were to go so far as to start typing a PIN number in, the fact that it is not masked should also be a very visible red flag.

Phishing training for employees should have been covering all of these things for quite some time now, but the apparent success of this campaign points to it still falling short even in organizations known to be highly targeted. A successful compromise by this phishing campaign would also create evidence for others to catch, such as the compromised user appearing twice in group chats or having their username suddenly appear as “Deleted.” And a compromised user might notice that new linked devices they are not familiar with have been authorized in their account.

All-in-all this is not the level of sophistication you expect from state-backed hacking groups, especially in the era of AI assistance, but it appears they are meeting some targets with only the level of effort that is necessary.

Phishing campaign attempts to abuse automatic trust

To be fair to victims, there is at least one somewhat sophisticated component to the phishing campaign. Once account compromise is achieved, the attacker can very quickly register the account to a new phone number. If the victim creates a new account using the previous phone number, they will be let back in with access to their prior message history (since that is saved on the local device and tied to that number). They might thus assume that the hack was actually just some sort of glitch.

The report confirms that the phishing campaign is not exploiting any new or known vulnerabilities in the messaging platforms, simply tricking targets via old-fashioned social engineering. They tend to either pose as platform security (either a live agent or a chatbot), or as someone the targets knows or is familiar with (soliciting them to join a group chat via a malicious link or QR code).

One final note is that handing over personal information in this way will compromise an account that has Signal’s Registration Lock applied to it. Both apps actively caution users that classified and other sensitive information should not be shared even though they have robust end-to-end encryption.