FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings about ongoing phishing campaigns targeting commercial messaging applications, including Signal and WhatsApp. The attacks, linked to Russian intelligence-aligned threat actors, aim to compromise accounts of individuals with high intelligence value.

FBI Director Kash Patel stated that the campaign targets “current and former U.S. government officials, military personnel, political figures, and journalists.” Globally, thousands of accounts have reportedly been accessed without authorization. Once compromised, attackers can view messages, access contact lists, send messages impersonating the victim, and launch secondary phishing attacks using trusted relationships.

These campaigns rely entirely on social engineering rather than exploiting platform vulnerabilities. Threat actors typically impersonate support services, such as a fake “Signal Support Bot,” sending messages designed to create urgency—claiming suspicious logins or unrecognized devices. Victims are tricked into sharing verification codes, PINs, or scanning malicious QR codes.

The attacks differ depending on the victim’s response:

  • Providing the verification PIN or code allows attackers to recover the account. Past messages remain inaccessible, but new messages can be read and sent under the victim’s identity.
  • Clicking a malicious link or scanning a QR code links a device controlled by the attacker to the victim’s account, granting access to all messages, including past communications, while the victim may retain account access unless removed manually.

Prior threat intelligence from Microsoft and Google Threat Intelligence Group links similar campaigns to Russia-aligned clusters, including Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185). Similar warnings have been issued by France’s ANSSI Cyber Crisis Coordination Center (C4), as well as cybersecurity agencies in Germany and the Netherlands.

To mitigate the risk, users are strongly advised to:

  • Never share SMS verification codes or PINs.
  • Be cautious with unexpected messages from unknown contacts.
  • Verify links before clicking and scan QR codes carefully.
  • Regularly review and remove suspicious linked devices.
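
The check below is an added example, not part of the original article or of any agency's tooling. It classifies a decoded QR payload or link so that a device-linking request is recognised before anyone scans or taps it. It assumes Signal's linking URI has the form `sgnl://linkdevice?uuid=...&pub_key=...` and that `signal.org` and `signal.group` are the official web domains; the function names and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: official Signal web domains (group invites use signal.group).
OFFICIAL_HOSTS = ("signal.org", "signal.group")


def classify_payload(payload: str) -> str:
    """Classify a decoded QR payload or link before anyone acts on it."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # Assumption: device-linking QR codes carry sgnl://linkdevice?uuid=..&pub_key=..
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        if "uuid" in params and "pub_key" in params:
            return "device-link"
        return "malformed-device-link"

    if scheme in ("http", "https"):
        if any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS):
            return "official-domain"
        if "signal" in host:
            # Brand name in a host that is not an official domain.
            return "lookalike-domain"
        return "other-web-link"
    return "unknown"


def should_block(payload: str, user_initiated_linking: bool = False) -> bool:
    """A linking URI is only legitimate when the user started linking themselves."""
    kind = classify_payload(payload)
    if kind == "device-link":
        return not user_initiated_linking
    return kind in ("malformed-device-link", "lookalike-domain")


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    samples = [
        "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY",
        "https://signal.group/#CONSTRUCTED-INVITE",
        "https://signal-support.example/verify",
    ]
    for s in samples:
        print(f"{classify_payload(s):18} block={should_block(s)}  {s}")
```

A payload classified as `device-link` that arrives in a message, rather than being shown by the user's own second device during linking, corresponds to the second attack path described above.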

Signal emphasized that verification codes are only required during initial registration and that legitimate support will never request codes via in-app messages, SMS, or social media. Any such requests should be treated as scams.

This alert underscores the growing threat of targeted phishing campaigns exploiting human trust, rather than technical vulnerabilities, to gain access to sensitive communications.
