Dutch intelligence agencies have accused Russia of orchestrating a widespread cyber campaign targeting Signal and WhatsApp users globally, with a particular focus on high-profile individuals including government officials, military personnel, and journalists. The AIVD, the Netherlands’ General Intelligence and Security Service, and the MIVD, the military intelligence service, jointly announced Monday that Dutch government employees have already had their accounts compromised as part of the operation.
The campaign relies on phishing techniques, with Russian hackers posing as “Signal support” accounts to trick users into divulging one-time authentication codes, according to the AIVD and MIVD. These codes are then used to hijack accounts, allowing the hackers to access messages and group chats. The intelligence agencies emphasized that the scheme does not exploit technical vulnerabilities within the messaging apps themselves, but rather abuses legitimate security features.
“An interesting aspect of this Russian campaign is that it does not exploit any technical vulnerabilities of the messaging services,” the AIVD stated. “The attackers instead make malicious use of legitimate security features of the apps.”
Signal acknowledged the threat, confirming that it had detected attempts to gain access to user data and sharing a screenshot of a phishing message purporting to be from a non-existent “Signal Support Bot.” The message falsely claimed suspicious activity on the user’s account.
The targeting of Signal is notable given its reputation as a secure messaging platform, widely used by governments and the Ukrainian military due to its end-to-end encryption. However, Dutch intelligence officials cautioned that even encrypted messaging apps are not suitable for transmitting classified, confidential, or sensitive information. “Chat applications such as Signal and WhatsApp, even though they have end-to-end encryption, are not channels for classified, confidential or sensitive information,” said MIVD director Vice-Admiral Peter Reesink.
Similar warnings were issued by Germany in February, reporting attempted phishing attacks targeting Signal users within the German military and political spheres. Google also identified Russian actors attempting to phish Signal accounts associated with the Ukrainian military last year, anticipating the tactic’s wider deployment.
The Russian Ministry of Foreign Affairs has not responded to requests for comment regarding the allegations. The Dutch intelligence services believe that targets extend beyond the Netherlands, likely including other individuals of interest to the Russian government, such as journalists. The campaign’s success in compromising accounts has already granted attackers access to sensitive information, according to the AIVD and MIVD.
