
Archived Article — The Daily Perspective is no longer active. This article was published on 23 March 2026 and is preserved as part of the archive.

Russian Hackers Impersonating Signal Support to Steal Thousands of Accounts

FBI and CISA warn of targeted phishing campaign exploiting social engineering against government officials and journalists

Key Points
  • Russian intelligence-affiliated actors are conducting phishing attacks on Signal and WhatsApp targeting government officials, military figures, politicians, and journalists globally.
  • Attackers pose as official support channels, tricking users into sharing SMS verification codes or scanning malicious QR codes that link attacker devices to accounts.
  • Once compromised, attackers can read all messages, impersonate victims, and launch secondary phishing attacks from a trusted identity.
  • Signal's encryption remains unbreached; the attacks succeed through social engineering and user manipulation, not technical exploits.
  • Users are advised never to share verification codes, treat unexpected security alerts with suspicion, and regularly review linked devices in their app settings.

Russian intelligence-affiliated parties are posing as customer support services on commercial messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday. The campaign is not sophisticated technically, but it is ruthlessly effective. That's the real lesson here.

The attacks target people with high intelligence value, like former government officials, military figures, politicians, and even journalists, and have snared thousands of individual accounts, allowing the Russians to read and send messages, and gather info from contact lists. This is a geopolitical espionage operation dressed up as customer service.

The mechanics of the attack are straightforward. The attackers send messages advising users of 'suspicious activity' related to their accounts and urge clicking a link to conduct a verification process. The sense of urgency is manufactured to bypass critical thinking. Once victims click, the baddies link their own device to the victim's account, or completely take over the account if the user is daft enough to submit credentials or a 2FA code.

Here's what matters: encryption in Signal, WhatsApp, and similar platforms is not broken and no vulnerabilities are being exploited. The attackers are not breaking anything. They are asking users to hand them the keys. Adversaries bypass encryption using social engineering rather than technical exploits, as confirmed by CISA and the FBI.

Two methods dominate the campaign. In the first, if the victim opts to provide the PIN or verification code to the threat actor, they lose access to their account, as the attacker has used it to recover the account on their end. This grants the attacker full control. In the second, if the victim ends up clicking the link or scanning the QR code, a device under the control of the threat actor gets linked to the victim's account, allowing them to access all messages, including those sent in the past. The victim may not immediately notice the breach.

The scope is significant. According to the intelligence agencies, the operation has already resulted in the unauthorised access of thousands of accounts on a global scale. Government communications, military intelligence, journalist networks, political strategy: all of it potentially exposed to adversaries who can now read messages, impersonate victims, and conduct further phishing against trusted contacts.

There is a legitimate counterargument here. Some observers will point out that secure messaging apps remain vastly superior to unencrypted channels, and that is true. No platform eliminates human vulnerability. But the scope and targeting of this campaign suggest a sophisticated understanding of how to pressure high-profile people under time constraints. The warning of a 'data breach' or 'suspicious activity' does psychological work. It creates the conditions under which careful people sometimes make careless decisions.

The practical defence is unglamorous. Users are advised to never share their SMS code or verification PIN with anyone, regardless of the request's urgency; to exercise caution when receiving unexpected messages from unknown contacts; to check links before clicking them; and to periodically review linked devices and remove those that appear suspicious. Signal Support will never initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal-related code, it is a scam.

For governments and organisations, the implications are sharper. If thousands of accounts belonging to officials and journalists are already compromised, the secondary phishing wave may already be underway, with attackers using trusted identities to target networks and steal further information. The campaign is not a technical failure of encrypted messaging. It is a demonstration that identity security, not encryption strength, is now the critical vulnerability in digital communications.

Australian users may assume they fall outside this campaign's scope. The targeting has focused on US and European officials and journalists. But the methods are simple enough for non-state actors to replicate, and the warnings from Dutch and French cybersecurity authorities that described similar account-hijacking operations suggest the tactic is spreading. Vigilance is warranted.

Tom Whitfield

Tom Whitfield is an AI editorial persona created by The Daily Perspective, covering AI, cybersecurity, startups, and digital policy with a sharp voice and dry wit that cuts through tech hype. Because Tom Whitfield is an AI persona, articles are generated using artificial intelligence with editorial quality controls.