FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

Ravie Lakshmanan | Mar 21, 2026 | Cyber Espionage / Threat Intelligence

Russian Intelligence Services are conducting phishing campaigns targeting commercial messaging applications (CMAs) like WhatsApp and Signal, aiming to compromise accounts of individuals with high intelligence value, according to a joint statement by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released on Friday.

The campaign specifically focuses on high-profile individuals such as U.S. government officials, military personnel, political figures, and journalists. FBI Director Kash Patel highlighted that the attackers have gained unauthorized access to thousands of accounts, enabling them to view messages and contact lists and to conduct further phishing activities under a trusted guise.

Both CISA and the FBI emphasized that the attacks do not exploit any security vulnerabilities but rather rely on social engineering tactics to infiltrate targeted accounts, resulting in the compromise of numerous CMA accounts.

Although no specific threat actor was attributed to the campaign, previous reports from Microsoft and Google Threat Intelligence Group have linked similar activities to Russia-aligned threat clusters identified as Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185).

Additionally, the Cyber Crisis Coordination Center (C4) of France’s National Cybersecurity Agency (ANSSI) has issued a warning regarding a surge in attack campaigns targeting instant messaging accounts associated with government officials, journalists, and business leaders.

Successful attacks could enable malicious actors to access conversation histories, take control of victims’ accounts, and send messages on their behalf, allowing the attacks to propagate further.

As highlighted by cybersecurity agencies in Germany and the Netherlands, the modus operandi of the attack involves posing as “Signal Support” to prompt targets to click on links or provide verification codes, ultimately granting the threat actors access to the victims’ CMA accounts.

  • Providing the verification code to the attacker results in losing access to the account, allowing the threat actor to send messages on the victim’s behalf.
  • Clicking on the link or scanning the QR code links the victim’s account to the attacker’s device, granting access to all messages and potentially compromising past conversations.

To mitigate the threat, users are advised to refrain from sharing SMS codes or verification PINs, exercise caution when receiving messages from unknown sources, verify links before clicking, and regularly review linked devices for suspicious activity.

Signal reiterated the importance of vigilance against social engineering tactics, emphasizing that Signal Support will never solicit verification codes from users via in-app messages, SMS, or social media.