# Full Report
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts. [...]
# Analysis Summary
# Threat Actor: Russian Intelligence Services (Unnamed Specific Group)
## Attribution & Identity
* **Actor Identification:** Russian Intelligence Services (General Attribution).
* **Aliases:** The specific unit (e.g., APT28, APT29, or Sandworm) is not named in this PSA; the FBI attributes the activity only to "Russian intelligence-linked threat actors."
* **Known Associations:** Periodically linked to state-backed operations previously described by French (C4) and Dutch cybersecurity authorities.
## Activity Summary
The actor is currently conducting widespread phishing campaigns targeting users of Commercial Messaging Apps (CMAs), specifically **Signal** and **WhatsApp**. The operations involve hijacking accounts and linking attacker-controlled devices to bypass end-to-end encryption (E2EE) protections. This campaign has successfully compromised "thousands" of accounts worldwide as of March 2026.
## Tactics, Techniques & Procedures
* **Social Engineering/Phishing:** Impersonating "Support" accounts to request actions from the user.
* **Authentication Bypass:** Tricking victims into sharing one-time verification codes.
* **Device Linking (Adversary-in-the-Middle):** Deceiving users into scanning malicious QR codes to link the victim's account to an attacker-controlled secondary device.
* **Post-Compromise Surveillance:** Silently monitoring private communications, joining group chats, and harvesting contact lists.
* **Lateral Movement (Social):** Using compromised accounts to launch further phishing attacks against the victim’s trusted contacts.
* **MITRE ATT&CK Mapping (Inferred):**
  * T1586.002 (Support Account Impersonation)
  * T1098.003 (Add/Modify Cloud Accounts - Linked Devices)
  * T1566.002 (Spearphishing Link/QR Codes)
  * T1539 (Steal Web Session Support/Auth Tokens)
## Targeting
* **Sectors:** Government, Military, Intelligence, Political Organizations, and Media/Journalism.
* **Geography:** Global (Worldwide), with specific emphasis on those interacting with U.S., French, and Dutch interests.
* **Victims:** High-intelligence value individuals, including current and former U.S. government officials, military personnel, political figures, and journalists.
## Tools & Infrastructure
* **Platforms Targeted:** Signal (Primary), WhatsApp (Secondary).
* **Malware:** No specific malware family was named; the campaign utilizes native "Linked Device" features and malicious QR codes.
* **Infrastructure:** The lures reference official support documentation, reproduced here defanged for context: hxxps[://]support[.]signal[.]org/hc/en-us/articles/360007320551-Linked-Devices.
## Implications
This activity represents a strategic pivot by Russian intelligence to circumvent modern encryption through identity and session hijacking rather than technical cryptographic attacks. By maintaining a silent presence on "secure" messaging platforms, the actors gain persistent access to sensitive, off-the-record communications and the ability to leverage the high levels of trust inherent in these apps to compromise an entire network of high-value contacts.
## Mitigations
* **Verification Codes:** Never share account verification codes with anyone, including entities claiming to be "Support."
* **Device Management:** Regularly audit "Linked Devices" within Signal and WhatsApp settings; immediately unlink any unrecognized devices.
* **MFA/Registration Lock:** Enable "Registration Lock" (Signal) or "Two-Step Verification" (WhatsApp) to require a PIN when re-registering or linking a phone number.
* **Social Verification:** Verify the identity of any contact through an alternative communication channel if they send suspicious links or requests for codes.
* **QR Sensitivity:** Exercise extreme caution when prompted to scan a QR code within a messaging app.
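Two of the mitigations above (auditing linked devices, and treating device-linking QR codes as high-risk) can be turned into simple checks. The following is an added example written for this summary; it is not code from the FBI PSA, Signal or WhatsApp. It assumes that Signal's device-linking QR code decodes to a URI of the form `sgnl://linkdevice?uuid=...&pub_key=...` (the provisioning URI form used by Signal Desktop as the author understands it; the exact parameter names are an assumption), and all device records and QR payloads below are constructed sample data.

```python
"""Defender-side helpers for two mitigations: triaging a decoded QR payload
before it is scanned into a messaging app, and auditing a linked-device list
against the devices the user actually recognises.

Added example, not from the FBI PSA or from Signal/WhatsApp.
Assumption: Signal's linking QR encodes sgnl://linkdevice?uuid=<id>&pub_key=<b64>
(provisioning URI form as used by Signal Desktop; parameter names assumed).
All sample devices and payloads are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# scheme -> hosts whose URI, once scanned, provisions the generating device
# with a full copy of the account (assumed form, see module docstring).
LINKING_URIS = {"sgnl": {"linkdevice"}}


@dataclass(frozen=True)
class QrVerdict:
    risk: str    # "link-device" | "external-link" | "app-uri" | "benign"
    reason: str


def triage_qr_payload(payload: str) -> QrVerdict:
    """Classify decoded QR text. A device-linking URI is flagged highest
    regardless of who asked the user to scan it: scanning it hands the
    device that generated the code access to the account's messages."""
    parts = urlsplit(payload.strip())        # scheme is lower-cased by urlsplit
    scheme, host = parts.scheme, parts.netloc.lower()
    if scheme in LINKING_URIS and host in LINKING_URIS[scheme]:
        params = parse_qs(parts.query)
        key_note = " carrying a provisioning public key" if "pub_key" in params else ""
        return QrVerdict("link-device", f"{scheme}://{host} provisioning URI{key_note}")
    if scheme in ("http", "https"):
        return QrVerdict("external-link", f"web link to {host}")
    if scheme in LINKING_URIS:
        return QrVerdict("app-uri", f"{scheme}:// URI that does not link a device")
    return QrVerdict("benign", "no linking or web scheme detected")


@dataclass(frozen=True)
class LinkedDevice:
    name: str
    linked_at: datetime
    last_active: datetime


def audit_linked_devices(devices: Iterable[LinkedDevice], known_names: Set[str],
                         now: datetime, recent: timedelta = timedelta(days=7)
                         ) -> List[Tuple[str, str]]:
    """Return (device name, reasons) for devices worth unlinking or verifying:
    anything not in the user's baseline, plus anything linked recently. A
    recently linked device is reported even if its name looks familiar, since
    the party linking a device chooses its display name."""
    findings = []
    for d in devices:
        reasons = []
        if d.name not in known_names:
            reasons.append("not in baseline")
        if now - d.linked_at <= recent:
            reasons.append(f"linked within {recent.days} days")
        if reasons:
            findings.append((d.name, ", ".join(reasons)))
    return findings


# Constructed sample inventory: two long-standing devices and one linked two
# days ago that the user does not recognise.
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    LinkedDevice("Work laptop", NOW - timedelta(days=400), NOW - timedelta(hours=2)),
    LinkedDevice("iPad", NOW - timedelta(days=90), NOW - timedelta(days=3)),
    LinkedDevice("Signal Desktop", NOW - timedelta(days=2), NOW - timedelta(minutes=5)),
]
KNOWN_DEVICES = {"Work laptop", "iPad"}

# Constructed QR payloads: an (assumed-form) linking URI, a web link, plain text.
SAMPLE_PAYLOADS = [
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEBASE64KEY",
    "https://support.signal.org/hc/en-us/articles/360007320551-Linked-Devices",
    "WIFI:S:GuestNet;T:WPA;P:example;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        v = triage_qr_payload(p)
        print(f"[{v.risk:13}] {v.reason}")
    for name, why in audit_linked_devices(SAMPLE_DEVICES, KNOWN_DEVICES, NOW):
        print(f"REVIEW linked device '{name}': {why}")
```

`triage_qr_payload` deliberately does not try to judge whether a linking URI is "legitimate": the point of the mitigation is that a linking code is only ever safe when the user generated it on their own second device moments earlier, which no payload inspection can establish. The audit reports recently linked devices on its own, because a freshly linked device whose name matches a real one is exactly what a silent-surveillance link would look like.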