Dutch Agencies Warn Of Russia-Linked Hack Targeting Signal And WhatsApp

Hackers link attacker-controlled devices to accounts, allowing real-time message access without breaking encryption.

Illustration of a smartphone scanning a QR code amid warnings of a cyber campaign targeting Signal and WhatsApp users. IBT SG
  • Dutch intelligence warns that Russia-linked hackers are targeting Signal and WhatsApp accounts.
  • The attack uses malicious QR codes to link attacker-controlled devices to victims' accounts.
  • Victims include government officials, military personnel and journalists.
  • Agencies urge users to review their linked devices and enable registration lock.

Malicious QR codes quietly link an attacker-controlled device to the victim's account, so every message is mirrored to the attacker in real time, without breaking the apps' encryption.

On Monday, March 9, two Dutch intelligence services warned that Russia-backed hackers are running a coordinated, worldwide cyber-espionage campaign to take over the Signal and WhatsApp accounts of government officials, military officers and journalists.

In a joint statement, the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) said the hackers had most likely already obtained sensitive information, and that confirmed targets and victims included Dutch government employees.

Through fake invitations and support messages, the attackers persuade users to hand over security verification codes and PINs, which gives them access to personal accounts and group chats. The agencies noted that officials are quick to use these encrypted apps to exchange confidential or classified information, which is precisely why malicious actors target them to steal sensitive data.

How It Happened: QR Codes, Linked Devices and Silent Real-Time Interception.

The core of the attack abuses a legitimate feature of Signal and WhatsApp known as linked devices, which lets a single account run on several phones and on a computer at the same time.

The attackers crafted malicious QR codes; scanning one quietly adds an attacker-controlled device to the victim's account. Every subsequent message is then relayed to the attacker in real time, while the app's underlying encryption remains intact: the attacker's device is simply one more endpoint the account trusts.


It can take weeks or months to notice the breach, because neither platform has a centralised alerting mechanism that warns the user when a new device has been linked.

The phishing messages carrying these malicious QR codes have masqueraded as genuine Signal security notices, group invitations, device-pairing instructions copied from the Signal website, or apps used by the Ukrainian military.
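A triage check for the linked-device lure described above, added here as an example; it is not code from the AIVD/MIVD or German advisories, nor from Signal or WhatsApp. It classifies the text decoded from a QR code (decoding the image itself is out of scope) and flags any device-link request that arrived inside a message, because a genuine linking QR is displayed by the user's own desktop app and is never sent to them. The Signal URI shapes it matches (sgnl://linkdevice?uuid=...&pub_key=... and https://signal.group/#...) are assumptions about the current formats, and the sample payloads are constructed placeholders, not real identifiers or keys.

```python
"""
Triage helper for QR-code lures: classify the text payload decoded from a QR
code (or a link in a phishing message) and flag Signal device-link requests.

Added example, not code from the AIVD/MIVD or BfV/BSI advisories nor from
Signal or WhatsApp. The URI shapes below are assumptions about the current
formats; WhatsApp's own linking QR is not a URL and is not parsed here.
"""
import base64
import binascii
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Assumed Signal URI shapes (assumption, not taken from the article):
SIGNAL_LINK_SCHEME = "sgnl"         # sgnl://linkdevice?uuid=<b64>&pub_key=<b64>
SIGNAL_LINK_HOST = "linkdevice"
SIGNAL_GROUP_HOST = "signal.group"  # https://signal.group/#<invite blob>


@dataclass
class Verdict:
    kind: str                  # "device_link", "group_invite" or "other"
    suspicious: bool
    reason: str
    params: dict = field(default_factory=dict)


def _is_base64(value: str) -> bool:
    """True if value decodes as standard or URL-safe base64 (padding optional)."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            base64.b64decode(padded, altchars=altchars, validate=True)
            return True
        except (binascii.Error, ValueError):
            continue
    return False


def classify_payload(payload: str) -> Verdict:
    """Decide what scanning this payload would make the Signal app do."""
    u = urlparse(payload.strip())
    if u.scheme == SIGNAL_LINK_SCHEME and u.netloc == SIGNAL_LINK_HOST:
        # parse_qs turns '+' into a space, so a payload is expected to carry
        # URL-safe base64; anything else is reported as malformed.
        q = parse_qs(u.query)
        uuid = q.get("uuid", [""])[0]
        pub_key = q.get("pub_key", [""])[0]
        well_formed = bool(uuid and pub_key) and _is_base64(uuid) and _is_base64(pub_key)
        return Verdict(
            kind="device_link",
            suspicious=True,  # a link request delivered in a message is never legitimate
            reason="payload asks the app to add a new linked device; a genuine "
                   "linking QR is shown by your own desktop app, never sent to you",
            params={"uuid": uuid, "pub_key": pub_key, "well_formed": well_formed},
        )
    if u.scheme == "https" and u.netloc == SIGNAL_GROUP_HOST and u.fragment:
        return Verdict("group_invite", False, "Signal group invite link",
                       {"invite": u.fragment})
    return Verdict("other", False, "not a recognised Signal URI")


def triage(claimed_purpose: str, payload: str) -> Verdict:
    """Compare what the lure says the QR does with what the payload really does."""
    verdict = classify_payload(payload)
    if verdict.kind == "device_link":
        verdict.reason = (f"lure claims '{claimed_purpose}' but the QR payload is a "
                          f"device-link request: {verdict.reason}")
    return verdict


# Constructed sample payloads (zero-filled placeholders, not real identifiers or keys).
FAKE_UUID = base64.urlsafe_b64encode(bytes(16)).decode().rstrip("=")
FAKE_PUB_KEY = base64.urlsafe_b64encode(b"\x05" + bytes(32)).decode().rstrip("=")
GENUINE_GROUP_INVITE = "https://signal.group/#" + base64.urlsafe_b64encode(bytes(24)).decode()
LURE_DEVICE_LINK = f"sgnl://linkdevice?uuid={FAKE_UUID}&pub_key={FAKE_PUB_KEY}"

if __name__ == "__main__":
    for claim, payload in [("join the coordination group", GENUINE_GROUP_INVITE),
                           ("join the coordination group", LURE_DEVICE_LINK),
                           ("read the security bulletin", "https://example.invalid/notice")]:
        v = triage(claim, payload)
        print(f"[{'ALERT' if v.suspicious else 'ok'}] {claim}: {v.kind} ({v.reason})")
```

The useful signal is the mismatch: a lure that presents itself as a group invitation while its QR payload is a device-link request. Run the classifier on payloads extracted by a mail gateway or phishing-report pipeline; the `well_formed` flag separates a working linking request from a broken or test artefact, but any device-link payload that came from a message should be treated as an attack regardless.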

Germany Warned First: Two Attack Vectors With One Objective, Account Takeover.

The Dutch warning follows similar alerts from Germany's domestic intelligence agency, the BfV, and the Federal Office for Information Security (BSI), which said the campaign targeted military officials, diplomats and investigative journalists across Europe.

German officials identified two attack vectors: the malicious QR code that silently links a device to the account, and a social-engineering approach in which the hackers pose as "Signal Security Support" and pressure targets into giving up their six-digit security PIN. With the PIN, the attacker can re-register the account on a device they control, which defeats the very protection the PIN is meant to provide and hands the account over.

Both agencies stressed that no genuine Signal or WhatsApp support channel will ever ask for a PIN or confirmation code in a direct message.

From Ukraine to Europe: Artillery Fire, Tapped Phones and the Groups Behind the Operation.

Russia's military interest in Signal dates back to at least 2023. In one identified incident, reported by the Google Threat Intelligence Group, a hacked Signal account was used to obtain battlefield information that Russia then used to direct an artillery strike on a Ukrainian army brigade, killing dozens of people.

Linked devices have also been used to connect soldiers' Signal accounts to Russian-controlled infrastructure for continuous monitoring. Several Russia-linked threat groups support the campaign: UNC5792, UNC4221, APT44 (also known as Sandworm, a unit of Russia's GRU military intelligence) and Star Blizzard, which is part of Russia's FSB domestic intelligence service.


The AIVD and MIVD urged high-risk users to check their linked-devices list as soon as possible and regularly thereafter, to remove any device they do not recognise, and to turn on registration lock, which requires the account PIN before the account can be re-registered on a new device.
