FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

Threat actors affiliated with Russian Intelligence Services are conducting phishing campaigns to compromise commercial messaging applications (CMAs) like WhatsApp and Signal to seize control of accounts belonging to individuals with high intelligence value, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) said Friday.

“The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists,” FBI Director Kash Patel said in a post on X. “Globally, this effort has resulted in unauthorized access to thousands of individual accounts. After gaining access, the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity.”

CISA and the FBI said the activity has resulted in the compromise of thousands of individual CMA accounts. It’s worth noting that the attacks are designed to break into the targeted accounts and do not exploit any security vulnerability or weakness to crack the platforms’ encryption protections.

While the agencies did not attribute the activity to a specific threat actor, prior reports from Microsoft and Google Threat Intelligence Group have linked such campaigns to multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).

In a similar alert, the Cyber Crisis Coordination Center (C4), part of the National Cybersecurity Agency of France (ANSSI), warned of a surge in attack campaigns targeting instant messaging accounts associated with government officials, journalists, and business leaders.

“These attacks – when successful – can allow malicious actors to access conversation histories, or even take control of their victims’ messaging accounts and send messages while impersonating them,” C4 said.

The end goal of the campaign is to enable the threat actors to gain unauthorized access to victims’ accounts, enabling them to view messages and contact lists, send messages on their behalf, and even conduct secondary phishing against other targets by abusing trusted relationships.

As recently alerted by cybersecurity agencies from Germany and the Netherlands, the attack involves the adversary posing as “Signal Support” to approach targets and urge them to click on a link (or alternatively scan a QR code) or provide the PIN or verification code. In both cases, the social engineering scheme allows the threat actors to gain access to the victim’s CMA account.

However, the campaign has two different outcomes for the victim depending on the method used –

• If the victim opts to provide the PIN or verification code to the threat actor, they lose access to their account, as the attacker has used it to recover the account on their end. While the threat actor cannot access past messages, the method can be used to monitor fresh messages and send messages to others by impersonating the victim.
• If the victim ends up clicking the link or scanning the QR code, a device under the control of the threat actor gets linked to the victim’s account, allowing them to access all messages, including those sent in the past. In this scenario, the victim continues to have access to the CMA account unless they are explicitly removed from the app settings.