A global campaign by Russian nation-state operatives to access targets’ encrypted messaging apps has been uncovered by Dutch intelligence.

Published on March 9, a joint missive from the Dutch domestic (AIVD) and military intelligence (MIVD) services warned that some of the country’s government employees had already been victimized in the campaign.

It claimed that military personnel, civil servants, journalists and “other persons of interest” may also be on the target list.

The “large-scale” campaign is focused on hacking individual Signal and WhatsApp accounts. Because these are end-to-end encrypted services, they’re often favored by privacy- and security-conscious users.

“Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information,” warned MIVD director, vice-admiral Peter Reesink.

The attacks take several forms. The most common involves adversaries impersonating a ‘Signal Support chatbot’ in unsolicited messages.

According to screenshots posted by Signal, users receive a message from the fake bot claiming suspicious activity on their account and requesting that they enter their SMS verification code or Signal PIN.

“We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN,” Signal clarified in a series of social media posts. “If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.”

Another method used by the Russian threat actors takes advantage of the “linked devices” function within Signal and WhatsApp. These attacks start with persuading the victim to scan a QR code or click on a link.

Russian hackers were observed using similar techniques to spy on Ukrainian military and government officials last year.

How to Spot a Russian Hacker

AIVD and MIVD have produced a handy guide to help keep high-value users of the messaging apps safe from such account hijacking attempts.

They urged Signal users to check if contacts appear twice in their list of group members, which could indicate malicious activity.

If out-of-band verification proves inconclusive, group admins should be contacted to remove both identical-looking accounts so that the real one can request to rejoin the group, the AIVD/MIVD said.

They also warned that nefarious actors may try to change the display name of a compromised account (e.g. to 'Deleted account') to remain unnoticed in chat groups. If members receive a notification of this change, it’s likely to be a malicious act, the report claimed.

Ben Clarke, SOC manager at CybaVerse, said informal use of platforms like WhatsApp means they’re unlikely to have been audited by corporate IT security teams.

“Third party consumer-oriented platforms like Signal and WhatsApp are ultimately not developed with state-level usage in mind, and they lack the protocols and stringency that more bespoke systems are designed around,” he continued.

“Attacking these third-party channels can be especially lucrative for state actors, who are able to dedicate the time and resources into crafting spear phishing campaigns that are tailored and highly relevant to small groups and specific individuals.”
