
Germany Warns of Sophisticated Signal Phishing Attacks Targeting Politicians, Military, and Journalists


Executive Summary

Germany’s Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a warning about a highly targeted phishing campaign that abuses the Signal messaging platform. The campaign does not exploit software vulnerabilities; it relies on social engineering to take over the Signal accounts of politicians, military personnel, and journalists. Attackers impersonate official Signal support entities and pressure victims into handing over authentication secrets (the SMS verification code and the Signal PIN) or into scanning a QR code that links an attacker-controlled device to the victim’s account. The campaign’s sophistication, its focus on high-value targets, and the reach a compromised account gives into the victim’s contacts and group chats underscore the need for heightened vigilance and robust countermeasures.

Threat Actor Profile

While definitive attribution remains pending, the tactics, techniques, and procedures (TTPs) observed in this campaign closely align with those previously documented in operations by Russia-aligned advanced persistent threat (APT) groups. Notably, Star Blizzard (also known as SEABORGIUM or TA446), UNC5792 (also tracked as UAC-0195), and UNC4221 (UAC-0185) have all demonstrated a propensity for leveraging social engineering and account takeover via messaging platforms. These groups are known for targeting government, military, and media sectors across Europe, with a particular focus on entities involved in NATO operations and policy. Their operations are characterized by persistent reconnaissance, tailored phishing lures, and exploitation of trust relationships within targeted organizations. The current campaign’s use of Signal and its device-linking features is consistent with these actors’ evolving toolsets and operational methodologies.

Technical Analysis of Malware/TTPs

The attack chain is predicated on the abuse of legitimate Signal features rather than the deployment of malware or exploitation of software vulnerabilities. The initial vector involves direct contact with the victim via Signal, where the attacker masquerades as “Signal Support” or a similarly authoritative entity, such as “Signal Security ChatBot.” The attacker’s message typically asserts an urgent need for account verification, warning of potential data loss or account suspension.

Victims are manipulated into handing over the one-time SMS verification code that Signal sends when a phone number is registered and, where Registration Lock is enabled, their Signal PIN as well. With both, the attacker re-registers the victim’s number on a device they control: the SMS code proves control of the number and the PIN satisfies Registration Lock, so the takeover looks like a routine reinstall from the service’s point of view. In other cases, attackers use a device-linking variant. They start the “link new device” flow on a device they control, which displays a linking QR code, and send an image of that code to the victim with instructions to scan it with the Signal app (only the victim’s primary phone can authorize a link). Scanning the code enrolls the attacker’s device as a linked device on the victim’s account, and because Signal now transfers message history to newly linked devices, it also syncs up to 45 days of prior messages. No alert is raised, since the victim performed the action themselves; the only trace is a new entry under Settings > Linked Devices.
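
The defensive point of the device-linking variant is that a linking QR code is not an opaque “verification” token: it encodes a recognisable URI, and anything received in a chat that decodes to one is a request to enrol a new device, whatever the accompanying message says. The following Python is an added example (not code from the BfV/BSI advisory, from Signal, or from Rescana) that classifies a decoded QR payload before anyone scans it. It assumes only the documented shape of Signal’s linking URI, `sgnl://linkdevice?uuid=...&pub_key=...`, and that the key is serialised libsignal-style as a 0x05 type byte followed by 32 key bytes; the sample payloads are constructed.

```python
"""Classify what a decoded QR payload would do if scanned with Signal.

Added example: not code from the BfV/BSI advisory, from Signal, or from
Rescana. It assumes only the documented shape of a Signal device-linking
URI, sgnl://linkdevice?uuid=<linking id>&pub_key=<base64 key>, and that the
key is serialised libsignal-style as a 0x05 type byte plus 32 key bytes.
The sample payloads at the bottom are constructed for the example.
"""
import base64
import binascii
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlsplit

SIGNAL_WEB_HOSTS = {"signal.me", "signal.group"}   # contact and group-invite links


@dataclass
class QrVerdict:
    kind: str          # what scanning would do
    scan_safe: bool    # False: scanning enrols a device or hands the user to a third party
    reason: str
    fields: dict = field(default_factory=dict)


def _check_linking_key(b64_key: str) -> dict:
    """Decode pub_key; a well-formed value is 33 bytes starting with 0x05."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError):
        return {"pub_key_ok": False, "pub_key_len": 0}
    return {"pub_key_ok": len(raw) == 33 and raw[0] == 0x05, "pub_key_len": len(raw)}


def classify_qr_payload(payload: str) -> QrVerdict:
    """Return a verdict for the text encoded in a QR code, before it is scanned."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)          # also undoes the %xx encoding of pub_key
        fields = {"link_id": params.get("uuid", [""])[0]}
        fields.update(_check_linking_key(params.get("pub_key", [""])[0]))
        return QrVerdict(
            "signal_device_link", False,
            "scanning enrols the device that generated this code as a linked device "
            "(full read/send access, message history synced)", fields)
    if scheme == "sgnl":
        return QrVerdict("signal_other_uri", True, f"Signal URI for '{host}', not a device link")
    if scheme in ("http", "https"):
        if host in SIGNAL_WEB_HOSTS:
            return QrVerdict("signal_web_link", True, "contact or group-invite link on a Signal domain")
        return QrVerdict("external_url", False,
                         f"opens a third-party site ({host}); Signal never verifies accounts via a web page")
    return QrVerdict("opaque", True, "not a URI; Signal's linking scanner would not act on it")


# Constructed sample: the linking QR an attacker's device would display, which
# they screenshot and send to the victim with a "scan this to verify" message.
_SAMPLE_KEY_B64 = base64.b64encode(b"\x05" + bytes(range(32))).decode()
SAMPLE_LINK_QR = ("sgnl://linkdevice?uuid=" + quote("f3c1d2e4-link-demo", safe="")
                  + "&pub_key=" + quote(_SAMPLE_KEY_B64, safe=""))

if __name__ == "__main__":
    for qr in (SAMPLE_LINK_QR,
               "https://signal.me/#p/+4915112345678",
               "https://signal-verify.example/secure",
               "sgnl://linkdevice?uuid=x&pub_key=not-base64!"):
        v = classify_qr_payload(qr)
        print(f"{v.kind:20} scan_safe={v.scan_safe!s:5} {v.reason}")
```

Run against the decoded text of any QR image a user is asked to scan (any QR reader that prints the raw payload will do). A `signal_device_link` verdict means the image is a linking request and should be reported, not scanned; the `uuid` in such a URI is a transient linking identifier, not the victim’s account identifier, so it carries no information about who the target is.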

What the attacker gets depends on the variant. A re-registration gives full control of the account: the attacker receives all new messages and can send as the victim, while the victim’s own app is knocked offline, which is noticeable. A linked device is quieter: it mirrors the account alongside the victim’s phone, receiving copies of incoming messages and of messages the victim sends, with access to contacts, group memberships, and group chats. In either case the attacker can change account settings, including the block list, to hinder detection or remediation. Notably, no malicious payload is installed and no CVE is exploited; the attack depends entirely on manipulating the user and abusing Signal’s legitimate registration and device-management features.

The campaign’s TTPs map to several MITRE ATT&CK techniques: T1566.003 (Phishing: Spearphishing via Service), since the lure arrives through the messaging service itself; T1204 (User Execution) for the QR scan the victim performs; T1098.005 (Account Manipulation: Device Registration) for the attacker-controlled device being enrolled on the account; and T1078 (Valid Accounts) for the subsequent use of the legitimate, now-shared account. (T1566.001 is Spearphishing Attachment and does not apply, as no attachment is involved.) Because no malware or exploit code is used, endpoint security tooling sees nothing anomalous. The only artifacts are a new entry in the victim’s Linked Devices list or, for a re-registration, the victim’s own app reporting that it is unregistered and the victim’s contacts seeing a safety-number change.

Exploitation in the Wild

The campaign has been observed actively targeting high-value individuals within Germany and, by extension, across Europe. The primary targets include members of parliament, senior military officers, diplomats, and investigative journalists. Attackers initiate contact using Signal’s direct messaging capabilities, often leveraging publicly available information to craft convincing lures. In several documented cases, victims received messages from accounts purporting to be Signal Support, requesting urgent action to “secure” their account.

Upon successful compromise, attackers have used the victim’s identity inside group chats, reading group traffic and messaging other members from a trusted account, so a single compromised member can expose an entire communication network. The device-linking variant is particularly insidious because the attacker’s device keeps receiving messages for as long as it remains linked, allowing covert, long-term harvesting of sensitive information and monitoring of ongoing conversations. There have been reports of the same technique being used against WhatsApp, which has comparable linked-device and two-step-verification PIN features.

The campaign’s operational tempo and targeting suggest a well-resourced adversary with a clear understanding of the political and media landscape in Europe. The use of Signal—a platform favored for its end-to-end encryption and perceived security—indicates a deliberate effort to undermine trust in secure communications among high-profile users.

Victimology and Targeting

The victim profile is highly selective, focusing on individuals with access to sensitive governmental, military, or journalistic information. In Germany, members of the Bundestag, senior defense officials, and prominent investigative journalists have been specifically targeted. The campaign has also extended to diplomatic personnel and individuals involved in policy-making or intelligence analysis.

Geographically, while Germany is the epicenter, there is evidence of spillover into other European countries, particularly those aligned with NATO or engaged in policy discussions related to Russia and Ukraine. The attackers’ ability to tailor lures based on the victim’s role and public profile increases the likelihood of successful compromise and subsequent information leakage.

The targeting of journalists is particularly concerning, as it raises the risk of source exposure and the compromise of sensitive investigations. The attackers’ interest in group chats and contact networks amplifies the impact: one successful phishing attempt gives them a trusted identity from which to read group traffic and approach every other member of the victim’s communication cluster.

Mitigation and Countermeasures

Given the nature of the attack, technical controls must be complemented by robust user education and operational discipline. Organizations and individuals should never share Signal PINs or SMS verification codes with any party, regardless of purported authority, and should never scan a QR code received in a conversation. Signal has no in-app support or verification accounts and never initiates contact with users in a chat; the only legitimate prompts for a PIN or verification code appear inside Signal’s own registration and PIN-reminder screens. Any conversation message requesting such information should be treated as malicious.
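
The rule above is mechanical enough to check automatically, which is useful for triaging user reports or for building awareness-training material. The following Python is an added example (not part of the advisory or of Rescana’s tooling) that scores an inbound message for the lure pattern the advisory describes: a claimed Signal identity, a request for a PIN, verification code or QR scan, urgency, and a threatened consequence. Any combination of a claimed Signal identity with a credential request is reported outright, because no genuine Signal account ever sends one. The sample messages are constructed.

```python
"""Score an inbound Signal message for the "Signal Support" lure pattern.

Added example, not part of the BfV/BSI advisory or Rescana's tooling. It
encodes one rule the advisory gives (Signal never asks for a PIN,
verification code or QR scan in a conversation) plus the lure features the
advisory describes (urgency, threatened suspension or data loss).
All sample messages below are constructed.
"""
import re
from dataclasses import dataclass

# A display name or body that claims to speak for Signal. Signal operates no
# support, security or bot accounts inside the app, so this alone is a red flag.
SIGNAL_IDENTITY = re.compile(
    r"\bsignal\b.*\b(support|security|team|help|bot|chatbot|verification)\b", re.I)
ASK_PIN = re.compile(r"\b(pin|registration lock)\b", re.I)
ASK_CODE = re.compile(r"\b(verification|sms|one[- ]time|6[- ]digit)\s*(code|number)\b", re.I)
ASK_QR = re.compile(r"\b(scan|qr)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ (hours?|minutes?)|24 hours|now)\b", re.I)
THREAT = re.compile(r"\b(suspend|deactivat|delete|lose|loss|terminate|locked)\w*", re.I)


@dataclass
class Triage:
    score: int
    verdict: str      # "report", "suspicious" or "ok"
    reasons: list


def triage_message(sender_display_name: str, text: str) -> Triage:
    """Score one message; the verdict is what the recipient should do with it."""
    score, reasons = 0, []
    claims_signal = bool(SIGNAL_IDENTITY.search(sender_display_name)
                         or SIGNAL_IDENTITY.search(text))
    if claims_signal:
        score += 4
        reasons.append("claims to be Signal; Signal has no in-app support accounts")

    asks = []
    if ASK_PIN.search(text):
        asks.append("PIN")
    if ASK_CODE.search(text):
        asks.append("verification code")
    if ASK_QR.search(text):
        asks.append("QR scan / device link")
    if asks:
        score += 3 * len(asks)
        reasons.append("requests " + ", ".join(asks))
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency")
    if THREAT.search(text):
        score += 1
        reasons.append("threatens suspension or data loss")

    # Claimed Signal identity plus a credential/QR request is the advisory's
    # exact pattern: report it regardless of the remaining signals.
    if claims_signal and asks:
        verdict = "report"
    elif score >= 5:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return Triage(score, verdict, reasons)


# Constructed samples: two lures in the style the advisory describes, and two
# benign messages (one of which mentions a PIN) to show the rule does not
# fire on the word alone.
SAMPLES = [
    ("Signal Support",
     "URGENT: Your account will be suspended within 24 hours. Reply with the "
     "6-digit verification code we just sent and your PIN to confirm."),
    ("Signal Security ChatBot",
     "To keep your messages safe, scan this QR code with your Signal app to verify your device."),
    ("M. Weber", "Can you send me the PIN for the conference room door?"),
    ("Lena", "Meeting moved to 10:00, see you there."),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        t = triage_message(name, body)
        print(f"{t.verdict:10} score={t.score:2}  {name!r}: {'; '.join(t.reasons) or '-'}")
```

The scoring is deliberately simple: the decisive rule is the combination of a claimed Signal identity with any request for a PIN, code or scan, and the keyword weights only rank the remainder. It will miss a lure written in another language or one that avoids the listed words, so it supports, rather than replaces, the instruction that users report anything claiming to be Signal.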

Enabling Registration Lock within Signal is strongly recommended. With it enabled, re-registering the phone number on a new device requires the Signal PIN in addition to the SMS code, which is exactly why the attackers ask for the PIN; a user who never discloses it cannot be re-registered by an attacker who only intercepts or solicits the SMS code. Note that Registration Lock lapses after seven days without using Signal, so it protects active accounts, not dormant ones. Users should regularly review Settings > Linked Devices and immediately remove any entry they do not recognize; once a device has been linked, assume that the recent message history has already been synced to it. If the account was re-registered by an attacker, re-register it from the victim’s own phone, re-enable Registration Lock, and warn contacts, who will see a safety-number change for the victim and should not simply accept it. Any unsolicited message claiming to be from Signal Support or requesting authentication credentials should be reported to organizational security teams and to Signal directly.

Security awareness training should emphasize the risks of social engineering and the specific tactics employed in this campaign, in particular that a QR code sent in a chat is a device-linking request and never a verification step. Incident response plans should be updated with procedures for account takeovers on secure messaging platforms: unlinking unknown devices, re-registering and re-enabling Registration Lock, notifying the members of every group the victim belongs to, and treating all messages within the synced history window as exposed. Organizations may also consider monitoring public-facing profiles to identify likely targets and preemptively warn at-risk individuals.

For organizations using WhatsApp or other messaging platforms with similar features, analogous precautions should be implemented, as attackers are likely to adapt these techniques across multiple platforms.

About Rescana

Rescana is a leader in third-party risk management, providing organizations with a comprehensive platform to identify, assess, and mitigate cyber risks across their extended supply chain and digital ecosystem. Our advanced threat intelligence and risk analytics empower security teams to proactively defend against emerging threats and ensure operational resilience. For more information or to discuss how Rescana can support your organization’s cybersecurity objectives, please contact us at ops@rescana.com.
