
The German Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign, attributed to a likely state-sponsored threat actor, that includes phishing attacks against users of the Signal messaging app.
“The focus is on investigative journalists in Germany and Europe, as well as high-level political, military and diplomatic targets,” the agencies said. “Unauthorized access to your messenger account can not only grant access to sensitive private communications, but can put your entire network at risk.”
What’s notable about this campaign is that it involves neither distributing malware nor exploiting vulnerabilities in the privacy-focused messaging platforms. Instead, the attackers weaponize the apps’ legitimate account-registration and device-linking features to gain covert access to a victim’s chats and contact list.
The attack chain works as follows: the attackers pose as support chatbots named “Signal Support” or “Signal Security ChatBot,” initiate direct contact with potential targets, and pressure them into handing over their Signal PIN or a verification code received via SMS, under threat of losing their data.
If the victim complies, the attacker can register the victim’s phone number on a device or number under their own control and thereby obtain the victim’s profile, settings, contacts and blocklist. A stolen PIN does not unlock past conversations, since Signal does not keep message history on its servers, but from that point the attacker receives the victim’s incoming messages and can send messages in the victim’s name.
Because registering the number elsewhere signs the victim out of their own device, the target loses access to the account; the attacker, still in the guise of a support chatbot, then instructs them to simply register a new account.
A second sequence abuses the linked-devices feature instead: the victim is tricked into scanning a QR code supplied by the attacker, which links an attacker-controlled device to the account and, per the advisory, gives the attacker access to it, including messages from the past 45 days.
In this variant the targeted individuals keep access to their accounts and have little reason to suspect that their chats and contact lists are being mirrored to the attacker.
Security officials warned that while Signal is the focus of the current campaign, the same approach could be extended to WhatsApp, which offers similar device-linking functionality and a PIN as part of its two-step verification.
“Successful access to a messenger account not only allows the viewing of sensitive personal communications, but also the possibility of compromising the entire network via group chats,” the BfV and BSI said.
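As an added illustration, not part of the advisory or of any Signal tooling, the Python sketch below applies the lure components described above (an unknown sender posing as Signal support, a request for a PIN or SMS code, a device-linking URI or QR instruction, and pressure language) to a constructed set of inbound messages and ranks them. The sender numbers, display names and message texts are made up; the `sgnl://linkdevice?uuid=...&pub_key=...` string follows the shape of Signal's device-linking links, but its values are placeholders. The fourth message models the group-chat and contact risk the agencies mention: a genuine contact whose account has already been taken over asking for a code.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample of inbound messages (made up for this illustration).
# Message 4 models the follow-on risk: a real contact already taken over.
SAMPLE_MESSAGES = [
    {"sender": "+4915700000001", "display_name": "Signal Support", "in_contacts": False,
     "text": "Your account will be deleted in 24 hours. Reply with your PIN and "
             "the code you received by SMS to keep your data."},
    {"sender": "+4915700000002", "display_name": "Signal Security ChatBot", "in_contacts": False,
     "text": "To protect your account, open Linked Devices and scan this code: "
             "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=AQIDBA"},
    {"sender": "+4915700000003", "display_name": "Anna", "in_contacts": True,
     "text": "Are we still on for lunch tomorrow?"},
    {"sender": "+4915700000003", "display_name": "Anna", "in_contacts": True,
     "text": "New phone! Can you send me the 6-digit code Signal just sent you?"},
]

# Heuristics for the lure components the BfV/BSI advisory describes.
IMPERSONATION = re.compile(r"\bsignal\b.*\b(support|security|team|help|chat\s*bot|bot)\b", re.I)
CREDENTIAL = re.compile(
    r"\b(pin|verification code|registration lock|\d-?digit code|six-digit code"
    r"|code (?:that |which )?(?:you|we|signal) (?:just )?(?:received|got|sent))\b", re.I)
DEVICE_LINK = re.compile(r"sgnl://linkdevice|\blinked? devices?\b|\bscan (?:this|the) (?:qr )?code\b", re.I)
URGENCY = re.compile(r"\b(delete[ds]?|lose|loss|suspend(?:ed)?|blocked|(?:within|in) \d+ hours?)\b", re.I)
LINK_URI = re.compile(r"sgnl://linkdevice\?\S+", re.I)


@dataclass
class Finding:
    sender: str
    display_name: str
    indicators: list = field(default_factory=list)
    severity: str = ""
    link_uri: Optional[dict] = None


def extract_link_uri(text):
    """Return the uuid/pub_key parameters of a device-linking URI found in
    the text, or None. The parameter names follow Signal's link format;
    the values in the sample are placeholders."""
    m = LINK_URI.search(text)
    if not m:
        return None
    q = parse_qs(m.group(0).split("?", 1)[1])
    return {"uuid": q.get("uuid", [""])[0], "pub_key": q.get("pub_key", [""])[0]}


def classify(message):
    """Collect lure indicators present in one message, in a fixed order."""
    indicators = []
    if IMPERSONATION.search(message["display_name"]) and not message["in_contacts"]:
        indicators.append("support-impersonation")
    if CREDENTIAL.search(message["text"]):
        indicators.append("credential-request")
    if DEVICE_LINK.search(message["text"]):
        indicators.append("device-link-lure")
    if URGENCY.search(message["text"]):
        indicators.append("urgency")
    return indicators


def severity(indicators):
    """Anything that would hand over the account (a code, a PIN, a device
    link) is at least medium; combined with impersonation or pressure it is high."""
    asks = "credential-request" in indicators or "device-link-lure" in indicators
    if asks and ("support-impersonation" in indicators or "urgency" in indicators):
        return "high"
    if asks:
        return "medium"
    if indicators:
        return "low"
    return None


def triage(messages):
    """Return one Finding per message that carries at least one indicator."""
    findings = []
    for m in messages:
        ind = classify(m)
        sev = severity(ind)
        if sev is None:
            continue
        uri = extract_link_uri(m["text"]) if "device-link-lure" in ind else None
        findings.append(Finding(m["sender"], m["display_name"], ind, sev, uri))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f.severity, f.sender, f.display_name, f.indicators, f.link_uri or "")
```

The two support-chatbot messages come out as high (PIN-plus-code request with a deletion deadline, and a device-link lure respectively), the innocuous message produces nothing, and the request from the real contact "Anna" is rated medium: no impersonation or pressure is present, which is exactly why this vector works once a trusted account has been compromised. The regexes are deliberately simple and would need tuning for other languages and phrasings.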
It’s unclear who is behind this activity, but reporting from Microsoft and Google Threat Intelligence Group early last year documented similar attacks orchestrated by several Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
In December 2025, Gen Digital detailed another campaign, codenamed GhostPairing, in which cybercriminals abused WhatsApp’s device-linking feature to take control of victims’ accounts and impersonate them or commit fraud.
To stay protected, users should never share their Signal PIN or an SMS verification code in a chat or text message, whoever is asking. A key line of defense is Signal’s Registration Lock, which requires the PIN before the phone number can be registered on another device, so a phished SMS code alone is no longer enough for a takeover. Registration Lock does nothing against the QR-code linking variant, however, so users should also regularly review the Linked Devices list in Signal’s settings and remove any device they do not recognize.
The development comes as Norway’s government accused China-backed hacking groups, including Salt Typhoon, of exploiting vulnerable network equipment to infiltrate multiple organizations in the country, while also accusing Russia of closely monitoring military targets and allied activities, and Iran of monitoring dissidents.
The Norwegian Police Security Service (PST) said that Chinese intelligence services are trying to recruit Norwegian nationals to gain access to sensitive data, encouraging these recruits to build their own networks of “human sources” and approaching candidates through part-time job advertisements on job boards or via LinkedIn.
The agency also warned that China is “systematically” using joint research and development efforts to strengthen its security and intelligence capabilities. Chinese law, it is worth noting, requires software vulnerabilities identified by Chinese researchers to be reported to the authorities within two days of discovery.
“Iranian cyberattackers are compromising dissident email accounts, social media profiles, and personal computers and gathering information about dissidents and their networks,” PST said. “These threat actors are highly capable and will continue to develop techniques to carry out increasingly targeted and intrusive operations against individuals in Norway.”
The disclosure follows a report from CERT Polska, which assessed that a Russian state hacking group tracked as Static Tundra was likely behind a coordinated cyber attack targeting more than 30 wind and solar farms, private manufacturing companies, and large combined heat and power plants (CHPs) that supply heat to about 500,000 customers in the country.
“Each affected facility had a FortiGate device that acted as both a VPN concentrator and firewall,” the report said. “In both cases, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi-factor authentication.”
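To make the quoted finding concrete, here is an added Python example, not from the CERT Polska report or from Fortinet, that parses a FortiOS-style configuration excerpt and lists the SSL-VPN accounts that can authenticate without a second factor, together with the interface the portal is bound to. The configuration text is constructed for this illustration: the account names, group name, token serial and interface name are placeholders, and the parser only understands the config/edit/set/unset/next/end keywords found in a typical config backup.

```python
import shlex

# Constructed FortiOS-style configuration excerpt (made up for this example,
# not taken from any real device or from the CERT Polska report). It shows
# the weakness quoted above: an SSL-VPN portal bound to the WAN interface
# and a local account that belongs to the VPN group with no second factor.
WEAK_CONFIG = """
config user local
    edit "vpn-admin"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
    edit "operator1"
        set type password
    next
    edit "contractor"
        set type password
        set two-factor email
        set email-to "contractor@example.invalid"
    next
end
config user group
    edit "sslvpn-users"
        set member "operator1" "contractor"
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
        edit 2
            set users "vpn-admin"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text):
    """Parse the config/edit/set/unset/next/end keywords of a FortiOS CLI
    backup into nested dicts: section -> entry -> setting -> [values].
    Nested 'config' blocks become sub-dicts alongside ordinary settings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif kw == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif kw == "unset" and args:
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def sslvpn_users(config):
    """Accounts granted SSL-VPN access directly or through a user group."""
    ssl = config.get("vpn ssl settings", {})
    groups = config.get("user group", {})
    names = set()
    for rule in ssl.get("authentication-rule", {}).values():
        names.update(rule.get("users", []))
        for g in rule.get("groups", []):
            names.update(groups.get(g, {}).get("member", []))
    return names


def audit(config):
    """Return findings for VPN-enabled local users lacking MFA and for a
    portal bound to an Internet-facing (wan*) interface."""
    findings = []
    local = config.get("user local", {})
    for name in sorted(sslvpn_users(config)):
        user = local.get(name)
        if user is None:
            continue  # LDAP/RADIUS-backed accounts need a separate check
        # FortiOS treats a missing 'two-factor' setting as 'disable'.
        if (user.get("two-factor") or ["disable"])[0] == "disable":
            findings.append(f"user '{name}' can reach SSL-VPN without two-factor")
    ssl = config.get("vpn ssl settings", {})
    wan = [i for i in ssl.get("source-interface", []) if i.lower().startswith("wan")]
    if wan:
        findings.append(f"SSL-VPN portal bound to WAN interface(s): {', '.join(wan)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(WEAK_CONFIG)):
        print(finding)
```

Running `audit(parse_fortios(WEAK_CONFIG))` reports operator1 (a member of the SSL-VPN group with no `two-factor` setting) and the wan1 binding, while vpn-admin and contractor pass because they carry FortiToken and email second factors. Accounts authenticated against LDAP or RADIUS servers are outside this check and must be audited on the authentication server side.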
