
German Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists

High
Phishing
Published: Sat Feb 07 2026 (02/07/2026, 11:15:00 UTC)
Source: The Hacker News

Description

Germany's Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. "The focus is on high-ranking targets in

AI-Powered Analysis

Last updated: 02/08/2026, 08:39:28 UTC

Technical Analysis

The German Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have jointly warned of a targeted phishing campaign conducted via the Signal messaging platform. This campaign focuses on high-ranking individuals in politics, military, diplomacy, and investigative journalism within Germany and Europe. Unlike typical cyberattacks, this campaign does not rely on malware or exploiting vulnerabilities in Signal’s codebase.

Instead, attackers masquerade as official Signal support entities, such as "Signal Support" or a chatbot named "Signal Security ChatBot," to socially engineer victims into revealing their Signal PINs or verification codes sent via SMS. By obtaining these codes, attackers can register the victim’s phone number on a device under their control, gaining access to the victim’s profile, contacts, block lists, and the ability to intercept incoming messages and send messages impersonating the victim. Although the stolen PIN does not grant access to past conversations, attackers can monitor ongoing communications and disrupt the victim’s account access.

An alternative attack vector involves tricking victims into scanning a malicious QR code via Signal’s device linking feature, which grants attackers access to the victim’s account, including messages from the past 45 days, without the victim losing access. This stealthy approach allows attackers to maintain persistent surveillance. The advisory also highlights that WhatsApp is vulnerable to similar attacks due to analogous device linking and two-step verification features.

The campaign is attributed to likely state-sponsored actors, with Russia-aligned groups such as Star Blizzard, UNC5792, and UNC4221 suspected based on historical patterns. The attackers’ goal is cyber espionage, compromising confidential communications and potentially entire networks through group chats.

The advisory recommends users avoid sharing PINs or verification codes, enable Registration Lock to prevent unauthorized device registration, and regularly audit linked devices to detect unauthorized access. This campaign underscores the evolving threat landscape where legitimate platform features are weaponized for espionage without traditional malware deployment.

Potential Impact

This phishing campaign poses a severe threat to European organizations, particularly those involved in governance, defense, diplomacy, and investigative journalism. Successful account compromises can lead to unauthorized access to sensitive and confidential communications, undermining operational security and privacy. The ability to impersonate victims and intercept ongoing messages can facilitate misinformation, manipulation, and further social engineering attacks within trusted networks. Group chats, often used for coordination among officials and journalists, become vectors for broader network compromise, potentially exposing entire organizational communications. The stealthy nature of the QR code-based attack allows attackers to maintain prolonged surveillance without alerting victims, increasing the risk of data exfiltration and espionage. Given the targeting of high-profile individuals, the campaign could disrupt political processes, diplomatic relations, and journalistic integrity across Europe. The potential extension of these tactics to WhatsApp, widely used across Europe, broadens the threat surface significantly. The campaign also risks damaging trust in secure messaging platforms, which are critical for confidential communications in sensitive sectors.

Mitigation Recommendations

European organizations and individuals targeted by this campaign should implement several specific measures beyond generic advice:

1) Enable Signal’s Registration Lock feature, which requires the PIN to register the phone number on a new device, significantly reducing the risk of unauthorized account takeover.
2) Educate high-profile users to never share their Signal PIN or SMS verification codes with anyone, including purported support contacts, and to be skeptical of unsolicited messages claiming to be from Signal support.
3) Regularly review and audit the list of linked devices in Signal to detect and remove any unauthorized devices promptly.
4) Implement organizational policies restricting the use of personal messaging apps for official communications or supplementing them with enterprise-grade secure communication platforms with enhanced monitoring and control.
5) Encourage the use of multi-factor authentication where possible and monitor for unusual account activity indicative of compromise.
6) Conduct targeted phishing awareness training tailored to the tactics used in this campaign, emphasizing social engineering via messaging apps.
7) Coordinate with national cybersecurity authorities to receive timely threat intelligence updates and incident response support.
8) For WhatsApp users, apply similar precautions regarding device linking and two-step verification to mitigate the risk of account takeover.
9) Consider deploying endpoint detection solutions capable of identifying suspicious QR code scanning or device linking activities.
10) Establish incident response plans specifically addressing messaging app compromises to minimize operational disruption.

Technical Details

Article Source
{"url":"https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html","fetched":true,"fetchedAt":"2026-02-08T08:38:53.071Z","wordCount":1448}

Threat ID: 69884ba0f9fa50a62f95d611

Added to database: 2/8/2026, 8:38:56 AM

Last enriched: 2/8/2026, 8:39:28 AM

Last updated: 2/20/2026, 8:56:24 PM

Views: 127
