Dutch intelligence agency: Russia targets Signal and WhatsApp users.

Dutch intelligence agencies revealed detailed information on Monday (March 9) about a “large-scale global” hacking campaign by Russian government hackers targeting users of the messaging platforms Signal and WhatsApp. The Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service of the Netherlands (AIVD) accused the “Russian state actor” of using phishing and social engineering techniques to take control of accounts on these two messaging applications, especially targeting government and military officials worldwide as well as journalists.

In the case of Signal, hackers posed as customer service teams and sent direct messages to targets, warning of suspicious activities, “potential data leaks,” or attempts to access users’ private data. If the target fell for the scam, the hackers would ask for the verification code sent via SMS (which the hackers themselves had requested from Signal) and the target’s PIN code.

The report stated that hackers would use the verification code and PIN code to register a new device and link it to a new phone number, impersonating the target user and potentially accessing their contacts. Additionally, the target user’s account would be locked, but could be re-registered with a new phone number.

The report pointed out: “Since Signal stores chat logs on the local device, victims can regain access to these logs after re-registering. This may lead victims to believe everything is normal. Dutch service agencies want to emphasize that this assumption by users may be incorrect.”

Usually, after a new device is added to a Signal account, the new device cannot access previous messages. Signal has not responded on this issue, but on Monday it posted a series of messages on social media giving users self-protection advice, including a recommendation not to share SMS verification codes and PIN codes.

Signal noted that a Signal SMS verification code is only required during the first registration. “The Signal support team will never proactively contact you through in-app messages, SMS, or social media to request a verification code or PIN. If anyone requests any verification code related to Signal, it must be a scam,” the official Signal account reminded users.

Dutch intelligence agencies indicated that Russian hackers also attempted to lure users of both applications into scanning malicious QR codes or clicking on malicious links.

For example, attackers may send victims QR codes or links that appear to be invitations to join chat groups but in reality link the attacker’s device to the victim’s account. In the case of WhatsApp, hackers abused the “linked devices” feature, which allows users to access WhatsApp through auxiliary devices like laptops or tablets. Unlike with Signal, hackers who successfully deceive a WhatsApp target could potentially read past chat logs. Sometimes, because victims do not log out of the account, this could indirectly grant hackers access.

Meta spokesman Zade Alsawah stated that WhatsApp advises users against sharing their six-digit security code with anyone, and that it provides a help center page to assist users in identifying suspicious messages as well as a page on the “linked devices” feature.

Dutch Minister of Internal Affairs and Defense Department Vice Admiral Peter Reesink said in a statement, “Even though instant messaging applications like Signal and WhatsApp provide end-to-end encryption options, they should not be used as channels to transmit confidential, secret, or sensitive information.”

The Dutch Ministry of Internal Affairs and Defense did not respond to further requests for information concerning this hacking operation. The Russian Embassy in Washington did not respond to requests for comment.