The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said on Friday that threat actors linked to Russian intelligence services are running phishing campaigns to compromise commercial messaging applications (CMAs) such as WhatsApp and Signal to gain control of the accounts of individuals with high intelligence value.
“The campaign targets individuals with high intelligence value, including current and former US government officials, military personnel, political figures, and journalists,” FBI Director Kash Patel said in a post on X.
CISA and the FBI said that the activity has resulted in the compromise of thousands of individual CMA accounts. It is worth noting that the attacks are designed to break into targeted accounts through social engineering; they do not exploit any security vulnerability or weakness in the platforms’ encryption.
Although the agencies have not attributed this activity to any specific threat actor, prior reports from Microsoft and Google Threat Intelligence Group have linked such campaigns to several Russia-aligned threat groups such as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
In a similar warning, the Cyber Crisis Coordination Center (C4), part of France’s National Cyber Security Agency (ANSSI), warned of an increase in attack campaigns targeting instant messaging accounts linked to government officials, journalists and business leaders.
C4 said, “These attacks – if successful – could allow malicious actors to access conversation histories, or even take control of their victims’ messaging accounts and send messages impersonating them.”
The ultimate goal of the campaign is unauthorized access to victims’ accounts, letting the threat actors view messages and contact lists, send messages on the victim’s behalf, and abuse trusted relationships to conduct secondary phishing against other targets.
As recently warned by the cybersecurity agencies of Germany and the Netherlands, the attack involves the adversary posing as “Signal Support” to reach the target and urging them either to click on a link (or, alternatively, scan a QR code) or to provide a PIN or verification code. In both cases, the social engineering scheme allows the threat actors to gain access to the victim’s CMA account.
However, the campaign has two different outcomes for the victim depending on the method used:
- If the victim provides the PIN or verification code to the threat actor, they lose access to their account, because the attacker uses the code to take over the account. The threat actor cannot read past messages, but can monitor new incoming messages and send messages to others while impersonating the victim.
- If the victim clicks the link or scans the QR code, a device under the threat actor’s control is linked to the victim’s account, giving the attacker access to all messages, including those sent in the past. In this scenario, the victim keeps access to the CMA account, and the attacker’s device remains connected until it is explicitly removed from the app’s linked-device settings.
To protect against this threat, users are advised to never share their SMS verification code or PIN with anyone, exercise caution when receiving unexpected messages from unknown contacts, check links before clicking on them, and periodically review their linked devices and remove any that appear suspicious.
“Like all phishing, these attacks rely on social engineering. Attackers impersonate trusted contacts or services (such as a non-existent ‘Signal Support Bot’) to trick victims into handing over their login credentials or other information,” Signal said in a post on X earlier this month.
“To help prevent this, remember that your Signal SMS verification code is only required if you’re signing up for the Signal app for the first time. We also want to emphasize that Signal Support will never initiate contact via in-app messages, SMS, or social media asking for your verification code or PIN. If anyone asks for a Signal-related code, it’s a scam.”