What happened
German intelligence services are investigating a cyberattack campaign that has compromised Signal accounts belonging to senior German officials, including Bundestag President Julia Klöckner of the CDU, with suspicions pointing to Russian involvement.
The attack method was social engineering rather than a technical exploit in Signal itself. Attackers posed as Signal technical support staff and contacted targets asking for their PIN codes. Victims who responded gave attackers the access needed to link a second device to the account, gaining visibility into messages, documents, and photographs shared through the app. The case is considered particularly sensitive because Klöckner is suspected of using Signal to communicate with CDU leadership and Chancellor Friedrich Merz.
According to Der Spiegel and the German news agency DPA, Education Minister Karin Prien and Infrastructure Minister Verena Hubertz are also suspected victims of similar attacks. Reports indicate that MPs from the Social Democrats and the Left Party were targeted as well. The Federal Office for the Protection of the Constitution sent a letter to parliamentary groups warning that messages exchanged via Signal within parliament may currently be readable by attackers. Identified victims have been informed and have deactivated compromised devices. The Federal Office for Communications Security has published guidance on identifying Signal compromise and avoiding further exposure.
The Federal Prosecutor’s Office had warned in February of a broad cyber espionage campaign targeting politicians, military personnel, and journalists, with indications pointing to Moscow as the coordinator. The German government is reported to share the assessment that Russia is behind the current attacks. Similar warnings have been distributed to employees of German public media.
Who is affected
Senior German government officials, parliamentarians across multiple parties, and public media employees have been identified as targets. The confirmed and suspected victims span the executive and legislative branches, indicating a broad targeting scope rather than a narrowly focused operation. The warning issued to parliamentary groups suggests the number of compromised or at-risk accounts may extend beyond confirmed cases.
Why CISOs should care
Signal’s encryption was not broken. The attack worked by obtaining the PIN needed to register a linked device, turning a social engineering failure into full access to an encrypted communications channel. No amount of end-to-end encryption protects against an attacker who convinces a user to hand over their account credentials directly.
For security leaders advising executives or managing government-adjacent communications environments, this campaign is a clear demonstration that secure messaging platforms require secure user behavior to remain secure. The targeting of multiple officials across parties and branches also reflects a systematic, patient approach consistent with state-sponsored intelligence collection rather than opportunistic phishing.
3 practical actions
- Brief all senior staff and executives on Signal account security and the linked-device attack vector: Ensure that anyone using Signal for sensitive communications understands that Signal support will never ask for a PIN, that Registration Lock should be enabled on all accounts, and that unsolicited contact claiming to be from Signal technical support should be treated as a phishing attempt.
- Enable Signal Registration Lock across all high-value accounts immediately: Registration Lock adds a second layer of protection by requiring a separate PIN before a new device can be linked to an account. This single control directly mitigates the attack method used in this campaign.
- Establish a defined process for reporting and responding to suspected messaging app compromise: The German response included deactivating compromised devices and notifying affected individuals. Organizations should have a pre-defined playbook for suspected Signal, WhatsApp, or other encrypted messaging app compromise, including device isolation, account re-registration, and assessment of what communications may have been exposed.
