Russian-backed hackers are targeting Signal and WhatsApp accounts worldwide belonging to government and military personnel, Dutch intelligence agencies have warned.
The Netherlands’ military intelligence service (MIVD) and domestic security agency (AIVD) said the social engineering operation is targeting officials, civil servants and members of the armed forces, and may also target journalists and others of interest to Russia.
Dutch government staff have already been compromised, the agencies said.
Russian campaigns
The hacks follow previous Russian espionage campaigns that Western governments say have targeted NATO governments, researchers and defence companies.
The hackers use social-engineering methods to hack the accounts, whose end-to-end encryption has not been penetrated, Dutch officials said.
“It is not the case that Signal or WhatsApp as a whole have been compromised,” said AIVD director-general Simone Smit in a statement.
“Individual user accounts are being targeted.”
The advisory did not estimate how many accounts had been hacked or implicate a specific hacking group.
Attackers typically impersonate a technical support service, asking for verification codes or PIN numbers.
Sensitive information
The codes are then used to add a device to the user’s account, enabling the attackers full access to the user’s conversations.
In some cases, victims have been tricked into scanning a malicious QR code or following a link that connects a hacker’s device to the account through the apps’ “linked devices” feature, giving access to chats and message history.
Google security researchers warned last year that the widespread use of Signal by soldiers, politicians and journalists in Ukraine made it a prominent target for Russian espionage operations.
In one case cited by researchers, Russian military hackers used captured battlefield devices to penetrate accounts.
Ben Clarke, SOC manager at CybaVerse, said the use of apps such as Signal and WhatsApp by government and military personnel is often informal, meaning it is unlikely to have been audited.
Informal use
“With internal systems, user access and activity can be monitored, and if unauthorised access does occur, it can be quickly detected,” he said.
“While successful social engineering can be used to access any system, third party consumer-oriented platforms like Signal and WhatsApp are ultimately not developed with state-level usage in mind, and they lack the protocols and stringency that more bespoke systems are designed around.”
He said WhatsApp was previously used to spread malware such as SORVEPOTEL, which was designed to propagate via contacts on the app, potentially causing significant damage.
