What happened
State-linked hackers have been observed targeting Signal messaging accounts belonging to military officials, diplomats, politicians, and journalists in a coordinated espionage campaign. Germany’s Federal Office for Information Security (BSI) and Federal Office for the Protection of the Constitution (BfV) issued a joint advisory describing two social engineering methods used to gain access to Signal accounts. In one approach, attackers pose as “Signal Support” or a fake security chatbot within the app, claiming suspicious activity and asking users to provide a verification PIN; if shared, the code allows attackers to register the victim’s phone number on a device they control. In another method, attackers send a seemingly legitimate “device linking” QR code that, when scanned, authorizes a tablet or computer to link to the account, allowing covert access to messages without immediately locking out the original user.
Who is affected
High-profile individuals including military personnel, diplomats, politicians, and investigative journalists across Europe are being targeted by the campaign, with their Signal accounts at risk of unauthorized access.
Why CISOs should care
This activity demonstrates how threat actors can get around the protections of secure communications platforms through social engineering and account hijacking, which can expose private communications, contact lists, and potentially sensitive operational information.
3 practical actions
- Monitor for unauthorized account linking. Detect and alert on new device associations in secure messaging platforms.
- Educate users on phishing tactics. Inform high-risk users about social engineering targeting secure communication apps.
- Restrict support channel interactions. Validate any in-app support requests through out-of-band processes.
