State-Sponsored Phishing Campaign Without Malware

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have jointly issued a security warning about an active phishing campaign using the Signal messaging platform. The campaign targets high-ranking government officials, military personnel, diplomats, and investigative journalists across Germany and Europe.

Attack Methodology

Notably, this campaign does not exploit any vulnerability in Signal or deploy malware. Instead, threat actors weaponize Signal's legitimate features:

First Attack Chain: PIN and Verification Code Phishing

  1. Attackers pose as "Signal Support" or a fake "Signal Security ChatBot"
  2. Victims are pressured to hand over their Signal PIN or the SMS verification code sent to their phone number
  3. With the SMS code the attackers re-register the victim's phone number on a device they control; the PIN defeats Signal's Registration Lock, which would otherwise block the re-registration
  4. The attackers' device now holds the account: profile, settings, contacts, and block lists
  5. Incoming messages are delivered to the attackers' device, and messages can be sent in the victim's name
  6. Message history is not transferred on re-registration, so past conversations stay out of reach, but everything sent to the number from then on is exposed

Alternative Attack Chain: Device Linking Hijacking

  1. Victims are tricked into scanning a QR code that encodes a device-linking request for a device the attackers control
  2. The attackers' device is added as a linked device, exactly as a legitimate Signal Desktop session would be
  3. Recent message history (up to 45 days) is synced to the linked device, and every message from then on is delivered to it as well
  4. No alert is shown to the victim; the extra device is visible only under Settings > Linked Devices
  5. Group chats and contact lists are exposed along with the messages
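The alert describes the malicious QR code only as something the victim is tricked into scanning. What such a code actually carries, and how a helpdesk or awareness tool can tell it apart from a harmless group invite, is shown in the following added example. This is my own code, not from the BfV/BSI alert and not Signal or WhatsApp code; it assumes the URI shapes noted in the module docstring (the sgnl://linkdevice?uuid=...&pub_key=... form shown by Signal Desktop when linking, the older tsdevice:/ form, https://signal.group/# for Signal group invites, https://chat.whatsapp.com/ for WhatsApp invites), and the sample messages are constructed.

```python
"""Triage helper for decoded QR-code payloads: tells a Signal device-linking
request apart from an ordinary group invite.

Added example; not from the BfV/BSI alert and not Signal or WhatsApp code.
URI shapes assumed here (from the author's own observation, not the alert):
  sgnl://linkdevice?uuid=<id>&pub_key=<base64>  Signal Desktop linking QR
  tsdevice:/?uuid=<id>&pub_key=<base64>         older Signal linking form
  https://signal.group/#<fragment>               Signal group invite
  https://chat.whatsapp.com/<code>               WhatsApp group invite
"""
from urllib.parse import parse_qs, urlsplit

DEVICE_LINK_SCHEMES = {"sgnl", "tsdevice"}
GROUP_INVITE_HOSTS = {"signal.group": "Signal", "chat.whatsapp.com": "WhatsApp"}


def classify_qr_payload(payload: str) -> dict:
    """Return {'kind', 'risk', 'detail'} for the decoded text of a QR code."""
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), parts.netloc.lower()

    if scheme in DEVICE_LINK_SCHEMES:
        # A linking QR carries the device id and public key of the device
        # that generated it. Scanning it in Signal pairs *that* device to
        # the account; the victim never sees who owns the key.
        qs = parse_qs(parts.query)
        has_key = bool(qs.get("uuid")) and bool(qs.get("pub_key"))
        return {
            "kind": "signal_device_link",
            "risk": "high",
            "detail": "links a new device to the account"
            + ("" if has_key else " (malformed: uuid/pub_key missing)"),
        }

    if scheme == "https" and host in GROUP_INVITE_HOSTS:
        return {
            "kind": "group_invite",
            "risk": "low",
            "detail": f"{GROUP_INVITE_HOSTS[host]} group invite link",
        }

    return {"kind": "other", "risk": "unknown", "detail": f"scheme={scheme or '-'}"}


def flag_disguised_links(messages):
    """Given (sender, claimed_purpose, qr_payload) tuples, return those whose
    QR performs device linking regardless of what the sender says it is.
    This is the check the eye cannot do: the QR image looks the same
    whether it is a group invite or a linking request."""
    flagged = []
    for sender, claim, payload in messages:
        result = classify_qr_payload(payload)
        if result["kind"] == "signal_device_link":
            flagged.append((sender, claim, result["detail"]))
    return flagged


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    ("+49 30 0000 0001", "invitation to 'Berlin Policy Group'",
     "https://signal.group/#CjQKIExample0000000000000000000000000000"),
    ("Signal Security ChatBot", "scan to re-verify your account",
     "sgnl://linkdevice?uuid=5b6c1e2a-0000-4000-8000-000000000001"
     "&pub_key=BXExampleKeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
    ("colleague", "WhatsApp group",
     "https://chat.whatsapp.com/ExampleInviteCode000"),
]

if __name__ == "__main__":
    for sender, claim, detail in flag_disguised_links(SAMPLE_MESSAGES):
        print(f"FLAG  {sender!r} sent a QR described as {claim!r}: {detail}")
```

The only signal in the decoded payload is the scheme: a genuine invite is an https link, a linking request is an app-scheme URI. A decoded payload can be obtained from any QR reader before the phone's Signal app is pointed at the code, which is the step that commits the account.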

Extended Risk to WhatsApp

Authorities warn that the same tactics apply to WhatsApp, whose linked-devices and two-step verification (PIN) features work in much the same way.

Intelligence Context

While the specific threat actor remains unidentified, similar phishing campaigns have been attributed to:

- Star Blizzard (Russia-linked)
- UNC5792 (aka UAC-0195)
- UNC4221 (aka UAC-0185)

The campaign represents a significant shift in state-sponsored phishing tactics, moving away from malware deployment toward stealth-focused account takeover.

Protective Measures

Users are advised to:

- Ignore unsolicited messages from accounts claiming to be Signal or WhatsApp support
- Never share PINs, verification codes, or QR codes with anyone; a PIN or verification code is entered only in the app's own registration screen, never sent to a contact
- Never scan a QR code received from another party; device linking is something you initiate yourself from your own desktop app
- Review the linked-devices list regularly (Signal: Settings > Linked Devices; WhatsApp: Linked Devices) and unlink any device you do not recognise
- Treat any message claiming there is a problem with your account as a phishing attempt until proven otherwise

TL;DR

- Target: High-value individuals (politicians, military, diplomats, journalists) in Germany and Europe
- Method: No malware required; abuses legitimate Signal/WhatsApp PIN re-registration and device-linking features
- Impact: Account takeover enabling message interception and impersonation
- Risk Extension: Same techniques applicable to WhatsApp
- Attribution: Likely state-sponsored; similar to past Russian campaigns

Sources: BfV/BSI Joint Security Alert (German) | Star Blizzard Tactics Shift | Signal Device Linking Exploitation