Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees. The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.
The Russian campaign is focused on persuading users to divulge their security verification- and pincodes, allowing the hackers to gain access to the users’ Signal or WhatsApp accounts. The most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes. The hackers can then use these codes to take over the user’s account. Another method used by the Russian actors takes advantage of the ‘linked devices’ function within Signal and WhatsApp.
Once an account has been successfully compromised, the hackers can read incoming messages, including messages in the victim’s chat groups. The Russian hackers likely gained access to sensitive information through this campaign.
End-to-end encryption
In the opinion of the Dutch services, Russia’s keen interest in Signal can be attributed to the good reputation of the app. Signal is renowned as a reliable and independent communication channel which offers end-to-end encryption. This makes it an attractive channel for use within governments wishing to protect their internal communication. It also makes it the ideal place for malicious actors to try to capture sensitive information.
“Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information,” states Director of the MIVD, vice-admiral Peter Reesink.
Individual accounts
An interesting aspect of this Russian campaign is that it does not exploit any technical vulnerabilities of the messaging services. The attackers instead make malicious use of legitimate security features of the apps. Director-General of the AIVD Simone Smit states, “It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.”
To increase resilience against this Russian campaign, MIVD and AIVD have published a Cyber Advisory explaining how to identify and respond to attacks. The advisory also give instructions for Signal users on how to identify potentially compromised contacts.
All Signal users can personally check whether there are any potentially compromised contacts in their group chats. If you see any people who appear twice in the list of members (under the same or a slightly different name), this may be evidence of either a compromised account or a new account created by a victim.
If you suspect this to be the case, report this to the information security department of your organisation. Together you can try to verify (preferably using a channel other than Signal or WhatsApp, such as an email or a telephone call) whether it is correct that the account in question appears twice in the chat group contact list. Should this not be the case, ask the group administrator to remove both accounts from the group chat, after which the legitimate account holder can request to rejoin the group.
Please remain vigilant for group members who are not recognised by the rest of the group. The actor may occasionally change the display name of a compromised account to remain unnoticed in chat groups, for example to names such as 'Deleted account'. If a member’s display name changes, the group will receive a notification. When the change is the legitimate transition to 'Deleted account', no notification is sent.
Actor-controlled accounts can also gain entry to the group via an obtained Group Link, of which the group always receives a notification. In all such unauthorised scenarios, ask the group administrator to remove the offending accounts from the chat.
If there is any indication that the group administrator themselves may have been compromised, it is advisable to exit the group and create a new one.