Phishing attempts: Russian hackers have WhatsApp accounts in their sights
Martin Abgottspon
11.3.2026
Russian hackers are suspected of attacking Signal and WhatsApp accounts.
The attackers disguise themselves as support and want to hijack accounts of prominent targets: Dutch services believe Russian actors are behind attacks on Signal and WhatsApp.
11.03.2026, 09:33
11.03.2026, 14:32
No time? blue News summarizes for you
Dutch intelligence services attribute a global phishing campaign against Signal and WhatsApp accounts of politicians, civil servants, military personnel and journalists to Russian state actors.
The attackers take over accounts either through fake support chats or by tricking victims into scanning a QR code to link an additional device to the account.
Hackers can read contact lists as well as current and sometimes older chat histories, often without those affected noticing the access immediately.
According to Dutch intelligence services, a wave of attacks on journalists and politicians via the messaging services Signal and WhatsApp can be traced back to Russian state actors. A corresponding assessment by the military intelligence service MIVD and the civilian AIVD has been made available to various media.
The paper states that available information shows "that Russian state actors worldwide are attempting to compromise the Signal and WhatsApp accounts of dignitaries, civil servants and military personnel on a large scale".
The victims of the campaign are said to include Dutch government employees. It is likely that other persons of interest, such as journalists, are also among the targets of the campaign. The hackers have probably succeeded in gaining access to sensitive information, according to a statement by the services quoted by the news agency Reuters.
Two ways of compromise
The assessment by the Dutch services is the first time that the current wave of phishing on messenger services has been publicly attributed to Russia. The German Federal Office for Information Security (BSI) had already warned of such attacks on Signal around a month ago and suspected "probably state-controlled cyber actors" behind them, without naming them more precisely.
At the time, the authorities outlined two ways in which the perpetrators could gain access to their victims' Signal accounts through so-called phishing. In the first variant, the attackers pretend to be "Signal Support" in a chat with the victims. They urge them to disclose a security PIN or a verification code. Using this data, they can take over the user account and access contact lists and all future chats.
In the second variant, the hackers persuade their victims to scan a QR code and use it to connect an existing Signal account with another cell phone or tablet. In this case, the attackers can also capture all chat messages from the past 45 days. According to the authorities, those affected often do not immediately notice that their communication is being monitored.
The Netherlands already has experience
Another new aspect of the Dutch authorities' assessment is that WhatsApp chats are also said to be affected by the attack. In its security warning, the BSI had reported a focus on Signal and only described a similar approach on WhatsApp as "conceivable". According to the MIVD and AIVD services, the attackers on WhatsApp primarily use the "Connected Devices" function to gain access to chat groups.
The two Dutch services are regarded as experienced and reliable in international intelligence circles when it comes to investigating Russian offensive cyber operations. In recent years, they have foiled an espionage attack by the Russian military intelligence service GRU on the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague and uncovered the GRU's attempt to infiltrate an agent at the International Criminal Court there.