Global cyberattack: WhatsApp and Signal targeted by Russian hackers

Encrypted messaging applications have become leading tools for sensitive communications. Used by journalists, politicians, and international organizations, they are often perceived as secure spaces against interception.

However, this trust could be tested. Indeed, Dutch intelligence services recently published an alert concerning a vast digital espionage campaign targeting Signal and WhatsApp users.

According to their analysis, the operation is being carried out by hackers linked to Russia and is targeting several categories of sensitive profiles in different countries, with particularly sophisticated manipulation techniques…

A Global Phishing Campaign

According to the Dutch intelligence agencies MIVD and AIVD, the hackers are relying on phishing strategies in order to Compromising accounts. Among the identified targets are politicians, military personnel, civil servants, and journalists. Cybercriminals reportedly use various methods to deceive their victims, one of the most common being to impersonate an official support service, reminiscent of bank fraud targeting individuals. In some cases, victims receive a message from a fake chatbot called "Signal Security Support," supposedly alerting them to suspicious activity on their account. Under pressure from this alert, users are tricked into handing over sensitive information, such as their PIN, a verification code received via SMS, or other authentication credentials. Once this data is obtained, hackers can bypass security mechanisms, including two-factor authentication, and register the account on their own devices. Attackers can then view messages, join group chats, and even send messages while impersonating the victim… A feature misused to spy on conversations: In other cases, hackers exploit the “linked devices” system. This option normally allows users to connect a computer or tablet to an account to access messages from multiple devices. Hackers misuse this feature by sending a link or QR code that looks like a harmless invitation. When the victim opens or scans it, a device controlled by the attacker is discreetly added to the account. The result is particularly discreet: the attacker can read messages in real time and access the conversation history without disrupting normal use of the application. The user can therefore continue to use their account without suspecting the presence of a spying device. This approach makes the attack very difficult to detect, especially since the conversation history remains stored locally on the phone. Recommendations for greater caution... In response to these attacks, intelligence services recommend several best practices. Indeed, users are advised to regularly check the list of devices linked to their account and to immediately remove any unknown device. Experts also remind users to never share a code received by SMS or a PIN, even if the request appears to come from an official support service. The messages from the affected applications are clear: these codes are only requested during registration or for certain security procedures. Finally, Dutch authorities recommend that political leaders and sensitive organizations avoid transmitting strategic information via these applications, which, it should be noted, are not designed to handle this type of confidential data.