[TIMESTAMP: 2026-03-21 00:33 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Russian Intelligence Phishing Targets Signal and WhatsApp Users

HIGH | Threat Intel | #Signal #WhatsApp #Phishing
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Russian intelligence services are compromising encrypted messaging accounts to exfiltrate sensitive communications from government and NGO targets.
  • [02] Impacted platforms include Signal and WhatsApp mobile and desktop applications used by high-value individuals.
  • [03] Users should enable Registration Lock (Signal) or Two-Step Verification (WhatsApp) to block re-registration of their number, and audit linked devices to catch a device an attacker has added via a QR-code link.

The FBI and CISA recently issued a public service announcement regarding a campaign attributed to Russian Intelligence Services (RIS) targeting users of end-to-end encrypted (E2EE) messaging applications. According to BleepingComputer, these state-sponsored actors are using targeted phishing to gain unauthorized access to accounts on platforms such as Signal and WhatsApp. The campaign primarily focuses on individuals in government, military, and diplomatic roles, as well as non-governmental organizations (NGOs) and journalists.

Technical Analysis: Detecting Signal Account Takeover Attempts

The groups involved, which reporting has linked to actors such as APT28, use several TTPs to get around the protections of E2EE applications. The encryption protocol itself is not attacked; the actors target the two mechanisms that sit outside it: account registration (the SMS verification code tied to a phone number) and device linking (the QR code a user scans with their phone to add a desktop or secondary device). A common lure is a message posing as technical support or a known contact that urges the target to click a link, scan a QR code, or hand over a verification code.

The two paths have different consequences. If the attacker obtains the SMS verification code, they can re-register the victim's phone number on their own device and take over the account outright; past history is exposed only if the attacker also gains access to the victim's cloud backup. If instead the victim scans an attacker-supplied QR code, the attacker's device is added as a linked device and silently receives subsequent messages, and depending on the platform and version a newly linked device may also be sent some recent history. Either way, these Russian intelligence Signal phishing TTPs target the endpoint and the user's session rather than the application's transport layer.

Credential Harvesting and Session Hijacking

The primary goal of these operations is intelligence collection. By compromising a single account, the RIS can map out social graphs and move laterally within a community of interest. For example, the compromised account of a high-ranking official can be used to send further phishing lures to subordinates, leveraging the established trust between colleagues. Phishing against government officials is particularly effective here because Signal is often used for sensitive discussions that users deliberately keep off official, monitored channels.

The actors also run C2 infrastructure to manage the compromised accounts. A linked device holds its own keys and functions as an active session in its own right, so the attackers remain persistent without alerting the user for as long as the user does not audit their linked devices. In MITRE ATT&CK terms the lure is Initial Access via Phishing (T1566), and the attacker-controlled linked device is a Persistence mechanism (TA0003), not part of Resource Development.

Mitigation and Defense Strategies

To defend against these campaigns, organizations must move beyond traditional EDR solutions and focus on user identity protection and application-level security settings.

  1. Enable Registration Lock: Users should enable the Registration Lock feature in Signal or Two-Step Verification in WhatsApp. This adds a PIN requirement when re-registering the phone number on a new device, so an SMS code alone is not enough to hijack the account. Note that it does not cover device linking: a device added by scanning a QR code is linked without any PIN prompt, which is why step 2 is essential.
  2. Audit Linked Devices: Regularly check Settings > Linked Devices in both Signal and WhatsApp. Any unrecognized device should be removed immediately, and the user should assume that messages received while it was linked were read. This is the only user-side control that catches a QR-code link.
  3. Use Disappearing Messages: For highly sensitive discussions, the use of disappearing messages reduces the window of opportunity for an attacker to exfiltrate historical data if a compromise occurs.
  4. Verify Contacts Out-of-Band: If a contact sends an unusual request, a link, or a QR code, verify their identity through a different channel, such as a phone call or a separate messaging app, rather than by replying in the same thread.

Defenders should also track IoC data related to known Russian infrastructure, but since specific IP addresses change frequently, behavioral signals are more durable. A verification-code SMS or a device-linking prompt that the user did not initiate, especially at unusual hours, is a strong indicator, as is a linked device the user does not recognize. Giving users a simple way to report these to the SOC, and correlating the reports in a SIEM, allows early detection of a targeted campaign before the attacker's device has collected much.
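The correlation described above, as an added example that is not from the article, the FBI/CISA PSA, or BleepingComputer. It assumes a hypothetical SIEM intake with two event kinds: user reports of an unsolicited verification code (`unsolicited_code`) and self-reported additions to a user's linked-device list (`linked_device_added`). The event fields, the sample organization's business hours and time zone, and every sample event and message are constructed here. The only detail taken from outside this page is the `sgnl://linkdevice?uuid=...&pub_key=...` URI that Signal Desktop encodes in its provisioning QR code; the lure scanner flags that scheme in message text, assuming the gateway has already decoded QR images to text. WhatsApp's QR payload format is not covered.

```python
"""Two small detections for the Signal/WhatsApp takeover TTPs discussed above.

Added example, not the article's or any vendor's code. Event schema, field
names, business hours and all sample data are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Signal Desktop's device-provisioning deep link (sgnl://linkdevice?uuid=..&pub_key=..).
# A QR code carrying it links whoever generated it once the victim scans it.
DEVICE_LINK_URI = re.compile(r"sgnl://linkdevice\?", re.I)

# "reply with the 6-digit verification code", "send me the code", etc.
CODE_SOLICITATION = re.compile(
    r"\b(send|share|reply with|forward|enter|tell)\b.{0,60}?\b(code|pin)\b",
    re.I | re.S,
)


def scan_lure(text: str) -> list[str]:
    """Return the lure indicators found in a message body (empty list = clean)."""
    hits: list[str] = []
    if DEVICE_LINK_URI.search(text):
        hits.append("device_link_uri")
    if CODE_SOLICITATION.search(text):
        hits.append("code_solicitation")
    return hits


@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware, UTC
    user: str
    kind: str      # "unsolicited_code" | "linked_device_added"
    detail: str


# Assumption for the sample organization: UTC+2, staff online 07:00-19:59 local.
LOCAL_TZ = timezone(timedelta(hours=2))
BUSINESS_HOURS = range(7, 20)


def is_off_hours(ts: datetime) -> bool:
    return ts.astimezone(LOCAL_TZ).hour not in BUSINESS_HOURS


def correlate(events, window: timedelta = timedelta(hours=24)):
    """One alert per user whose unsolicited-code report is followed by a new
    linked device within `window` (HIGH); an off-hours code report on its own
    is MEDIUM; anything else is ignored. Returns (user, severity, reason)."""
    alerts: list[tuple[str, str, str]] = []
    by_user: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        codes = [e for e in evs if e.kind == "unsolicited_code"]
        links = [e for e in evs if e.kind == "linked_device_added"]
        for c in codes:
            followed = [d for d in links if c.ts <= d.ts <= c.ts + window]
            if followed:
                alerts.append((user, "HIGH",
                               f"code report followed by new linked device: {followed[0].detail}"))
            elif is_off_hours(c.ts):
                alerts.append((user, "MEDIUM", "off-hours unsolicited verification code"))
    return alerts


# Constructed sample intake for one day (all times UTC).
SAMPLE_EVENTS = [
    Event(datetime(2026, 3, 19, 1, 12, tzinfo=timezone.utc), "a.novak", "unsolicited_code", "Signal SMS code, not requested"),
    Event(datetime(2026, 3, 19, 1, 40, tzinfo=timezone.utc), "a.novak", "linked_device_added", "Signal Desktop 'Ubuntu' (unrecognised)"),
    Event(datetime(2026, 3, 19, 2, 5, tzinfo=timezone.utc), "b.ortiz", "unsolicited_code", "WhatsApp SMS code"),
    Event(datetime(2026, 3, 19, 10, 30, tzinfo=timezone.utc), "c.lee", "unsolicited_code", "Signal SMS code"),
    Event(datetime(2026, 3, 19, 11, 0, tzinfo=timezone.utc), "d.kim", "linked_device_added", "own new laptop"),
]

# Constructed lure texts.
SAMPLE_MESSAGES = [
    "Join our secure group: sgnl://linkdevice?uuid=abc&pub_key=def",
    "Hi, this is Signal Support. To keep your account, reply with the 6-digit verification code we just sent.",
    "Lunch tomorrow at 12?",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{scan_lure(m)!s:>35}  <- {m[:60]}")
    for user, sev, why in correlate(SAMPLE_EVENTS):
        print(f"[{sev}] {user}: {why}")
```

Run stand-alone it prints a HIGH alert for a.novak (code report then an unknown linked device 28 minutes later), a MEDIUM for b.ortiz (code at 04:05 local), and nothing for c.lee (daytime code, no new device) or d.kim (a device the user added themselves). The window and business hours are the knobs a SOC would tune per organization; the scanner is deliberately narrow so it can run on a mail or chat gateway without drowning analysts in false positives.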
