State-Sponsored Phishing Campaign Without Malware

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have jointly issued a security warning about an active phishing campaign using the Signal messaging platform. The campaign targets high-ranking government officials, military personnel, diplomats, and investigative journalists across Germany and Europe.

Attack Methodology

Notably, this campaign does not exploit any vulnerability in Signal or deploy malware. Instead, threat actors abuse Signal's legitimate account-registration and device-linking features.

First Attack Chain: PIN Spoofing

  1. Attackers masquerade as "Signal Support" or a fake "Signal Security ChatBot"
  2. Victims are pressured to share their Signal PIN or SMS verification codes
  3. Attackers use the stolen PIN or code to register the victim's account on a device they control
  4. Access is gained to profile, settings, contacts, and block lists
  5. Incoming messages can be intercepted and sent on behalf of the victim
  6. Past conversations remain encrypted but future communications are exposed

Alternative Attack Chain: Device Linking Hijacking

  1. Victims are tricked into scanning a malicious QR code
  2. Attackers gain device linking access to the victim's account
  3. Attackers can read messages from the last 45 days
  4. Victims remain unaware their account is compromised
  5. Group chats and contact lists are exposed

Extended Risk to WhatsApp

Authorities warn that the same tactics can be applied to WhatsApp, which features similar device linking and two-step verification mechanisms. Access to messenger accounts enables viewing of confidential communications and potentially compromises entire networks via group chats.

Intelligence Context

While the specific threat actor remains unidentified, similar phishing campaigns have been attributed to Russia-aligned threat clusters including Star Blizzard, UNC5792, and UNC4221. The campaign represents a significant shift in state-sponsored phishing tactics, moving away from malware deployment toward stealth-focused account takeover.

Protective Measures

Users are advised to avoid engaging with unsolicited support account requests, never share PINs or verification codes with unknown contacts, verify device-linking requests through official channels, and monitor account activity for suspicious sign-ins.

TL;DR

- High-value targets: politicians, military, diplomats, journalists in Germany and Europe
- No malware required: abuses legitimate Signal/WhatsApp PIN and device-linking features
- Account takeover enables message interception and impersonation
- Same techniques applicable to WhatsApp
- Likely state-sponsored; similar to past Russian campaigns

Source: The Hacker News