Sophisticated Social Engineering Attack on Secure Communications
Germany's Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint security advisory warning of an ongoing state-sponsored phishing campaign targeting high-profile individuals through the Signal messaging app. The attack focuses on politicians, military personnel, diplomats, and investigative journalists across Germany and Europe.
Attack Methodology: No Malware, No Exploits
Unlike traditional cyber attacks, this campaign does not rely on malware distribution or vulnerability exploitation. Instead, threat actors weaponize Signal's legitimate features to gain unauthorized access to victims' accounts. According to the official advisory, attackers impersonate Signal support staff or automated support chatbots to manipulate targets into surrendering account credentials.
Primary Attack Vector: PIN and SMS Code Phishing
The attack unfolds through the following sequence:
- Initial Contact: Attackers, masquerading as "Signal Support" or "Signal Security ChatBot," initiate direct contact with the target
- Urgency Creation: Victims receive warnings about potential data loss and are urged to provide their Signal PIN or SMS verification code
- Account Takeover: Once provided, attackers register the account on a device under their control
- Access Scope: While past message history is not compromised, attackers gain access to:
  - Complete contact lists
  - Block lists
  - All incoming messages
  - Ability to send messages impersonating the victim
- Cover-Up: The legitimate account owner loses access and is instructed by the attacker (still posing as support) to register a new account
Secondary Attack Vector: QR Code Device Linking
A more insidious variant exploits Signal's device linking feature:
- Victims are tricked into scanning a malicious QR code
- This grants attackers access to:
  - Message history from the last 45 days
  - Real-time access to ongoing conversations
- Critical Difference: Unlike the PIN-based attack, victims retain account access, remaining unaware that their communications are being monitored
Broader Threat Landscape: WhatsApp at Risk
German authorities warn that this attack methodology is not limited to Signal. WhatsApp, which implements similar device linking and two-step verification features, is equally vulnerable to these social engineering tactics.
Attribution and Historical Context
While German authorities have not officially attributed the campaign, similar attacks have been documented by major security vendors:
- Star Blizzard (Russia-aligned): Microsoft identified this threat actor shifting tactics to target Signal accounts
- UNC5792 (UAC-0195) and UNC4221 (UAC-0185): Google Threat Intelligence Group documented these groups exploiting Signal's linked device feature
- GhostPairing Campaign: Gen Digital revealed a similar WhatsApp account takeover campaign in December 2025
Impact and Strategic Value
The BfV and BSI emphasized the severe consequences of successful account compromise:
"Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks."
Group chat infiltration is particularly concerning, as attackers can:
- Monitor sensitive discussions involving multiple high-value targets
- Map organizational relationships and communication patterns
- Identify additional targets for future attacks
- Exfiltrate classified or sensitive information discussed in professional groups
Defense Measures and Recommendations
German security authorities recommend the following protective measures:
Immediate Actions
- Never Share Your Signal PIN: Legitimate Signal support will never request your PIN via direct message
- Ignore Support Contacts: Signal does not provide support through in-app messaging
- Enable Registration Lock: This feature prevents unauthorized account registration on new devices
  - Ensure it is activated
- Regular Device Audits: Periodically review linked devices and remove any unknown entries
  - Remove any devices you don't recognize
Additional Security Layers
- Verify Unexpected Messages: If contacted by "support," independently verify through official Signal channels
- QR Code Caution: Only scan QR codes from devices you physically control
- Security Awareness Training: Organizations with high-value personnel should conduct targeted training on this threat
Broader Geopolitical Context: Norwegian and Polish Warnings
The Signal phishing campaign is part of a broader pattern of state-sponsored cyber operations targeting European nations:
Norwegian Attribution
The Norwegian Police Security Service (PST) issued concurrent warnings about:
- Chinese Intelligence Operations: Salt Typhoon and other groups exploiting vulnerable network devices
- Recruitment Attempts: Chinese intelligence systematically recruiting Norwegian nationals to establish "human source" networks
- Research Exploitation: China leveraging collaborative R&D to strengthen security and intelligence capabilities
- Iranian Targeting: Cyber threat actors compromising email accounts and social media profiles of dissidents
PST noted that Chinese law mandates that researchers report software vulnerabilities to authorities within two days of discovery, providing state actors with early access to exploitable flaws.
Polish Infrastructure Attacks
CERT Polska attributed coordinated attacks on critical infrastructure to the Russian group Static Tundra, affecting:
- More than 30 wind and photovoltaic farms
- Manufacturing sector facilities
- A major combined heat and power plant serving nearly 500,000 customers
The attacks exploited internet-exposed FortiGate devices with weak authentication configurations.
Technical Analysis: Why Signal Features Enable This Attack
Signal's security model prioritizes user privacy and end-to-end encryption but includes features that, when exploited through social engineering, create attack opportunities:
- PIN-Based Account Recovery: Designed for legitimate account recovery, this feature becomes an attack vector when users are tricked into revealing PINs
- Device Linking: Intended for multi-device convenience, this allows attackers persistent access when users scan malicious QR codes
- No In-Band Verification: Signal has no official support channel inside the app, so any in-app message claiming to come from Signal support is illegitimate by definition; many users are unaware of this and treat such contacts as genuine
TL;DR
- German security agencies warn of state-sponsored phishing targeting Signal users in politics, military, diplomacy, and journalism
- Attackers impersonate Signal support to steal PINs/verification codes or trick users into scanning malicious QR codes
- No malware or exploits used—purely social engineering leveraging legitimate Signal features
- Successful compromise grants access to contacts, incoming messages, and ability to impersonate victims
- WhatsApp users face identical risks due to similar device linking and PIN features
- Enable Registration Lock and regularly audit linked devices to protect accounts
- Similar attacks attributed to Russia-aligned groups (Star Blizzard, UNC5792, UNC4221) and cybercriminal operations
Source: The Hacker News