Cybercriminals Exploit WhatsApp Device Linking to Target Politicians and Journalists


By Tina Reynolds


Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued a joint warning about a cyber campaign that uses targeted phishing against users of the Signal messaging app. The agencies assess that state-sponsored threat actors are behind the campaign, which is aimed at senior figures in politics, the military and diplomacy, and at investigative journalists, in Germany and across Europe.

The attackers abuse the device-linking feature that messengers such as WhatsApp and Signal offer in order to hijack accounts. Victims receive messages from senders posing as “Signal Support” or as a chatbot called “Signal Security ChatBot.” The messages ask the target to hand over the one-time PIN or verification code they received by SMS, typically under the threat that the account and its data will otherwise be lost.

Phishing Tactics Unveiled

The attack chain takes one of two forms. The first relies on social engineering alone: the victim is talked into revealing their verification code, which lets the attacker register the account on a device they control. The second abuses the cross-device linking feature. The attacker generates a link code (a QR code) on their own device and persuades the victim to scan it, for example by passing it off as a security check from support. Scanning the code links the attacker’s device to the victim’s account, so no password or SMS code needs to change hands at all.

Once linked, the attacker’s device behaves like any other device on the victim’s account. According to the agencies’ warning, the attacker can read private messages from the last 45 days and gains access to direct messages, profile information, settings, the contact list and the block list. A linked device stays on the account until it is removed, so the practical check is to review the list of linked devices in the app’s settings and remove any device you do not recognize. Such unauthorized access poses significant risks.
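To make the linking attack concrete, here is a toy model of a device-linking handshake, written as an added example for this article; it is not code from Signal, WhatsApp, the BfV or the BSI. The URI layout (`sgnl://linkdevice?uuid=...&pub_key=...`), the class and function names, the Diffie-Hellman group, and the toy cipher are all assumptions made for illustration. What it shows is the mechanism behind the second attack form: the link code carries the public key of whoever generated it, and the phone encrypts the account’s provisioning secret to that key without asking for a password or SMS code, so scanning an attacker’s code is enough to hand over the account.

```python
"""Toy model of a messenger device-linking handshake (illustrative only).

Assumptions: the link-code URI format, the DH group, and the toy cipher are
stand-ins chosen for this example; none of them are the real protocol.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Diffie-Hellman parameters. Assumption: RFC 3526 MODP group 14 (2048-bit),
# generator 2. The model only needs both sides to agree on a group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_BYTES = 256  # 2048 bits


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    # Hash the DH shared secret down to a 32-byte symmetric key.
    s = pow(peer_pub, priv, P).to_bytes(PUB_BYTES, "big")
    return hashlib.sha256(s).digest()


def toy_encrypt(key, data):
    # HMAC-SHA256 keystream XOR: fine for a model, not for real traffic.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt  # an XOR keystream is its own inverse


class LinkingDevice:
    """The device asking to be linked: the owner's laptop, or the attacker's."""

    def __init__(self, name):
        self.name = name
        self.uuid = secrets.token_hex(8)
        self.priv, self.pub = keypair()

    def link_uri(self):
        # This is what the QR code on a 'Link new device' screen would encode
        # (format assumed for the example).
        pub_b64 = base64.urlsafe_b64encode(self.pub.to_bytes(PUB_BYTES, "big")).decode()
        return "sgnl://linkdevice?" + urlencode({"uuid": self.uuid, "pub_key": pub_b64})

    def receive_provisioning(self, primary_pub, ciphertext):
        return toy_decrypt(shared_key(self.priv, primary_pub), ciphertext)


def parse_link_uri(uri):
    u = urlparse(uri)
    if u.scheme != "sgnl" or u.netloc != "linkdevice":
        raise ValueError("not a device-link code: " + uri)
    q = parse_qs(u.query)
    pub = int.from_bytes(base64.urlsafe_b64decode(q["pub_key"][0]), "big")
    return q["uuid"][0], pub


def primary_scans(uri, account_secret):
    """What the phone does when its owner scans a link code.

    Note what is absent: no password, no SMS code, no check of who created
    the code. The phone encrypts the account secret to whatever public key
    the code contains and hands the result to the server for delivery.
    """
    device_uuid, device_pub = parse_link_uri(uri)
    eph_priv, eph_pub = keypair()
    ciphertext = toy_encrypt(shared_key(eph_priv, device_pub), account_secret)
    return device_uuid, eph_pub, ciphertext


def demo():
    """Returns (legitimate link worked, attacker link worked)."""
    victim_secret = b"constructed: victim identity key + registration token"
    # Legitimate: the owner generates the code on their own laptop and scans it.
    laptop = LinkingDevice("owner-laptop")
    _, pub, ct = primary_scans(laptop.link_uri(), victim_secret)
    legit_ok = laptop.receive_provisioning(pub, ct) == victim_secret
    # Attack: the attacker generates the code, sends it posing as "support",
    # and the victim scans it. Same code path, same outcome.
    attacker = LinkingDevice("attacker-desktop")
    _, pub, ct = primary_scans(attacker.link_uri(), victim_secret)
    attack_ok = attacker.receive_provisioning(pub, ct) == victim_secret
    return legit_ok, attack_ok


if __name__ == "__main__":
    print(demo())  # both True: the phone cannot tell the two cases apart
```

The phone’s side of the handshake is identical in both runs; the only difference is who holds the private key matching the scanned code. That is why the defensive rule is procedural rather than technical: only scan a link code that you generated yourself, on a device you are holding, from the app’s own linking screen, and never one that arrives in a message.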

“Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks.” – BfV and BSI

In their joint statement, the BfV and BSI stress that once intruders gain access to a messenger account, the confidentiality of that account’s communications is lost, and the compromise can spread to the victim’s contacts and the networks they belong to.

State-Sponsored Threat Actors

Reporting on this campaign links it to several Russia-aligned threat clusters, among them Star Blizzard, UNC5792 (also tracked as UAC-0195) and UNC4221 (also tracked as UAC-0185). That attribution underlines that the threat is no longer a matter of lone hackers: these are organized, well-resourced groups, some of them very likely operating with state backing.

Such intelligence activity is not unique to Russia. China’s approach has also drawn scrutiny: it channels joint research and development into strengthening its own defensive and intelligence-gathering capabilities, and Chinese law requires researchers to report newly discovered software vulnerabilities to the authorities within 48 hours. That mandate opens the door to large-scale misuse of the reported information.

Norwegian authorities have issued similar warnings about Chinese-backed hacking groups such as Salt Typhoon breaching multiple organizations. The Norwegian Police Security Service (PST) recently added that Chinese intelligence services are actively seeking to recruit Norwegian citizens, with the aim of obtaining access to classified information.

Broader Implications for National Security

The consequences of these attacks go well beyond personal privacy. They undermine the integrity of national security structures and put sensitive diplomatic relationships at risk. The BfV and BSI emphasize that the attacks are deliberately aimed at high-value targets, specifically people in the political, military and diplomatic sphere.

“The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe.” – the agencies

As these threats keep evolving, people in sensitive positions need to be ever more conscious and careful about basic security hygiene. A breach of this kind exposes more than one person’s data: through the compromised account’s contacts and group chats it can reach entire networks.