Spies warn: Russian state actors crack Signal and WhatsApp accounts
Dutch intelligence services warn of attacks on military personnel and officials; messenger accounts are being taken over without any technical security vulnerabilities.
(Image: Henk Vrieselaar/Shutterstock.com)
The security of messenger services like Signal and WhatsApp is largely based on their strong end-to-end encryption. This now makes them the target of a “large-scale global” espionage campaign, warn the Dutch intelligence services MIVD and AIVD, which are responsible for military and domestic security and counter-espionage, respectively. Russian state actors are currently attempting worldwide to gain access to the accounts of high-ranking dignitaries, military personnel, and government officials.
According to the information from the two intelligence agencies, journalists and other individuals of strategic interest to the Russian state are also in the crosshairs of the operation. This makes it clear that the most secure encryption is of little use if access to the end device or the user account itself is compromised.
Social engineering instead of software exploits
According to the MIVD and AIVD, the attackers are not exploiting technical vulnerabilities or zero-day flaws in the messenger software. Instead, they rely on manipulative social engineering that turns the apps' legitimate functions against their users. A frequently observed method is deception via fake support chatbots: the state threat actors pose, for example, as official Signal support and try to trick victims into revealing verification or PIN codes. As soon as a user discloses such information, the attackers can take over the account on a device of their own.
Another tactic is said to be the misuse of the linked-devices function. The attackers secretly connect an additional device to the existing account, which lets them read all incoming and outgoing messages in real time without the victim immediately noticing the remote access.
The consequences of a successful takeover can be severe. The perpetrators read private chats and gain access to all group conversations in which the victim is a member. In these channels, the Russian actors expect to find sensitive information, which is often shared carelessly because of the high trust placed in the app's security. To counteract the threat, the Dutch authorities have published a guide to make users aware of suspicious signs.
Prevention and identification of suspicious accounts
The intelligence services advise immediately informing the responsible IT security departments of any suspected irregularities. The identity of suspicious accounts should be verified via alternative communication channels such as email or telephone. If a suspicion is confirmed, the affected accounts must be removed from the group immediately by the group administrator. If the administrator appears to be compromised, the safest option is to leave the existing group and open a new, secure communication channel.
The espionage activities are taking place against the backdrop of increased internet censorship in Russia since the beginning of the Ukraine invasion. Services such as WhatsApp and Signal are already officially blocked in Russia. Recently, Telegram has also come under increased pressure. Russian authorities are investigating its founder Pavel Durov as part of criminal proceedings. They accuse him of supporting terrorist activities, as the messenger is allegedly used as a tool in numerous criminal offenses. Durov himself left Russia years ago to escape the growing influence of the state on his platform.
The simultaneous persecution of platform operators domestically and targeted attacks on foreign user accounts illustrate the Kremlin's dual strategy: it aims to secure control over the digital information space both defensively and offensively.
(vbr)