Government officials and employees, military members, and journalists the world over are being advised by the Dutch Ministry of Defence that Russian state-backed hackers are engaged in a broad campaign targeting their WhatsApp and Signal accounts. The newly uncovered phishing campaign, as revealed by the Dutch intelligence and security services MIVD and AIVD, spearphishes targets with an assortment of fake messages in a bid to get the victim to divulge their authentication information.
The Russian hackers are reportedly targeting these two services because of their good reputation for end-to-end encrypted privacy and thus broad uptake by government agencies and journalists communicating with vulnerable sources. Though the services advise that classified and confidential information should not be shared over them regardless of that reputation, they nevertheless appear to be common convenience tools for governments for this purpose.
Russian phishing campaign cleverly manipulates app security features
The Ministry of Defence warns that the phishing campaign has several known approaches, but a common feature is that it does not exploit any software vulnerabilities. Instead, the Russian hackers are managing to weaponize legitimate security features in a very effective manner.
In all cases, the hackers attempt to get users to divulge their PIN codes and verification codes. One common approach on Signal is to pose as a support chatbot, and on WhatsApp to pretend to be a member of the official support team. With this method the attacker makes first contact and usually warns the user of a data leak and suspicious activity detected in their account. The attacker then asks the user to verify their identity, and if the target responds, asks for the user's PIN and an SMS verification code. This is enough information for the hacker to take full control of the victim's account, including accounts protected by Signal’s Registration Lock.
The victim will be locked out of the account, but will be able to register a new account with the same number, because the attacker will already have moved the hijacked account over to a phone number that they control. The victim may go through this process and not realize anything is wrong, as chat history is saved locally to the device and will be restored upon creation of a new account with the same number. The Dutch officials warn that simply re-establishing a locked-out account with the same number, which then appears to have been restored to normal, is thus not an indication that everything is OK.
Another approach that has been repeatedly spotted during the phishing campaign is simply posing as a known entity or trusted contact and sending the user a malicious QR code or link that usually purports to be an invitation to a chat group. Once used, the link or code links the hacker’s device to the victim’s account, giving them access to the victim's messages and chats. In some cases it may also allow them to send messages under the victim’s name.
Phishing campaign highlights continued need for employee security training
The Russian phishing campaign can be spotted via some poor English grammar and a somewhat unprofessional tone to the communications, not to mention the fact that Signal and WhatsApp staff never ask for verification codes via messages. However, the fact that these attacks are landing to the point of requiring a government warning indicates there is still more work to be done in phishing awareness and general security hygiene.
Lydia Atienza, Principal Threat Intelligence Researcher at Outpost24, notes that nothing seen in this phishing campaign is anything new: “Based on the techniques described in the advisory issued by Dutch intelligence agencies, there is little evidence of particularly novel tradecraft. The methods resemble the same social-engineering tactics long used by financially motivated cybercriminals to compromise messaging accounts. This serves as a reminder that state-linked actors do not always rely on highly sophisticated exploits. In many cases, the same techniques commonly seen in cybercrime can be just as effective in espionage campaigns.”
Even if they do not believe they have been targeted and have not had any suspicious communications lately, Signal users can check for potentially compromised contacts in group chats by looking to see whether members appear twice under the same or a slightly different name. It is best to contact the organization’s IT security department if applicable, and to contact the person in question directly about it rather than messaging them through Signal. The threat actors also sometimes change the name of the compromised account to “Deleted account” to remain in group chats while evading this sort of suspicion based on duplicate names. A warning sign is the group receiving a notification about this name change; if an account is truly deleted there should not be a group-wide message notification about it.
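The two group-chat checks above (duplicate or look-alike member names, and a rename notification to “Deleted account”) can be scripted over a member list an administrator assembles by hand. This is an added example, not code from the article or the Dutch advisory; the member and event records are a constructed, hypothetical format, since neither app exports group membership this way.

```python
import unicodedata
from difflib import SequenceMatcher

def normalize(name: str) -> str:
    """Fold width/compatibility forms, case and spacing so near-copies compare equal."""
    folded = unicodedata.normalize("NFKC", name or "").casefold()
    return " ".join(folded.split())

def find_lookalike_members(members, threshold=0.85):
    """Return (id_a, id_b, similarity) for members whose display names match or nearly match.
    members: list of {"id": str, "name": str} as a defender would assemble from the
    group's member list (constructed input; neither app exports this format).
    """
    norm = [(m["id"], normalize(m["name"])) for m in members]
    hits = []
    for i in range(len(norm)):
        for j in range(i + 1, len(norm)):
            ratio = SequenceMatcher(None, norm[i][1], norm[j][1]).ratio()
            if ratio >= threshold:
                hits.append((norm[i][0], norm[j][0], round(ratio, 2)))
    return hits

def find_fake_deletions(events):
    """Flag member-rename notifications whose new name claims the account was deleted.
    A genuinely deleted account produces no group-wide rename notice, so a rename
    to "Deleted account" is worth a direct out-of-band check with the person.
    """
    return [e["id"] for e in events
            if e.get("type") == "rename"
            and normalize(e.get("new_name", "")) == "deleted account"]

# Constructed sample data (hypothetical group; not taken from the advisory).
SAMPLE_MEMBERS = [
    {"id": "m1", "name": "Anna de Vries"},
    {"id": "m2", "name": "Anna de Vries"},      # exact duplicate display name
    {"id": "m3", "name": "Pieter Bakker"},
    {"id": "m4", "name": "Pieter  Bakker."},    # near-duplicate: extra space and dot
    {"id": "m5", "name": "Sara Jansen"},
]
SAMPLE_EVENTS = [
    {"id": "m6", "type": "rename", "new_name": "Deleted Account"},
    {"id": "m7", "type": "join"},
    {"id": "m3", "type": "rename", "new_name": "P. Bakker"},
]

if __name__ == "__main__":
    print("look-alike members:", find_lookalike_members(SAMPLE_MEMBERS))
    print("suspicious 'deleted' renames:", find_fake_deletions(SAMPLE_EVENTS))
```

Any hit is only a prompt to verify with the person out of band, not proof of compromise; legitimate duplicates (two colleagues with the same name) will also be flagged.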
Individuals who do suspect compromise can check the list of devices that have access to their messaging account via the “Profile” icon in Signal or the “Linked Devices” menu in WhatsApp. Unfamiliar devices can be removed from there. Users might also consider changing their settings to automatically block unknown contacts or those that are not already in the contact list. Hiding one’s telephone number also reduces the potential follow-up damage an intruder can do.
As mentioned, Signal and WhatsApp staff also do not ask for PINs in messages. Further, any field where one legitimately enters a PIN in the app masks it with asterisks as it is typed. Generally speaking, if a PIN is appearing in plaintext, it shouldn’t be entered there.