
BfV and BSI Warn of Phishing Attacks Targeting Politicians, Military, and Journalists


Germany’s Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign carried out by a likely state-sponsored threat actor. Specifically, the campaign relies on phishing attacks conducted through the Signal messaging app.

“The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe,” the agencies said. “Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks.”

Notably, the campaign does not distribute malware or exploit any security vulnerability in the privacy-focused messaging platform. Instead, the attackers deliberately abuse Signal’s legitimate features to gain covert access to a victim’s chats and contact lists.

The attack chain unfolds as follows: threat actors impersonate “Signal Support” or a support chatbot named “Signal Security ChatBot” to directly contact prospective targets. During these interactions, they pressure victims to provide a PIN or SMS-based verification code, warning that failure to comply may result in data loss.

If a victim complies, the attackers register the account on a device and phone number under their control. As a result, they gain access to the victim’s profile, settings, contacts, and block list. Although the stolen PIN does not unlock past conversations, it allows the threat actor to intercept incoming messages and send messages while posing as the victim.

At this stage, the attacker—still masquerading as the support chatbot—instructs the locked-out user to register a new Signal account, further cementing control over the original one.

Alternative QR Code–Based Attack Chain

In parallel, threat actors also employ an alternative attack sequence that abuses Signal’s device-linking feature. In this scenario, they trick victims into scanning a malicious QR code, which grants attackers access to the account on a device they manage. Through this method, attackers can view messages from the last 45 days.

Crucially, targeted individuals retain access to their accounts in this case and often remain unaware that attackers have exposed their chats and contact lists.
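An added triage heuristic (example code, not from the advisory or the agencies) that scores an incoming message on the lure indicators described in both chains above: a sender posing as Signal Support or a security chatbot, a request for the PIN or SMS verification code, a data-loss threat, and a QR-code or device-linking prompt. Rule weights, the threshold and the sample messages are constructed assumptions.

```python
"""Triage heuristic for messenger-support impersonation lures (added example).

Scores a chat message on the indicators the BfV/BSI advisory describes.
Weights, threshold and sample messages are assumptions, not advisory values.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender_name: str
    text: str


# Each rule: (label, compiled regex, weight). Weights are an assumption.
RULES = [
    ("support_impersonation",
     re.compile(r"\b(signal|whatsapp)\s+(support|security)\b", re.I), 3),
    ("asks_for_pin_or_code",
     re.compile(r"\b(pin|verification code|sms code|code we sent)\b", re.I), 4),
    # data-loss threat: a delete/lose verb AND an account/data noun anywhere
    ("data_loss_threat",
     re.compile(r"(?=.*\b(?:delete[ds]?|deactivat\w*|lose|loss)\b)"
                r"(?=.*\b(?:data|account|messages)\b)", re.I | re.S), 2),
    ("device_link_lure",
     re.compile(r"\b(scan|qr code|link(?:ed|ing)?\s+(?:your\s+)?device)\b", re.I), 3),
    ("urgency",
     re.compile(r"\b(immediately|within \d+ (hours|minutes)|urgent)\b", re.I), 1),
]
THRESHOLD = 5  # assumption: tune to your own false-positive tolerance


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (score, matched_rule_labels); sender name is scanned too."""
    haystack = f"{msg.sender_name}\n{msg.text}"
    hits = [label for label, pattern, _ in RULES if pattern.search(haystack)]
    score = sum(w for label, _, w in RULES if label in hits)
    return score, hits


def is_suspicious(msg: Message) -> bool:
    return score_message(msg)[0] >= THRESHOLD


# Constructed samples: the PIN lure, the QR-linking lure, and a benign message.
SAMPLES = [
    Message("Signal Security ChatBot",
            "Your account will be deleted. Send the PIN and the SMS verification code immediately."),
    Message("Signal Support",
            "Scan this QR code to link your device or you will lose your messages."),
    Message("Alice", "Are we still on for lunch at 12? I'll send the address later."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        s, hits = score_message(m)
        print(f"{m.sender_name!r}: score={s} hits={hits} suspicious={is_suspicious(m)}")
```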

Meanwhile, security authorities cautioned that although the campaign currently targets Signal, attackers can easily adapt the same techniques for WhatsApp. Both platforms use similar device-linking and PIN-based two-step verification features.

“Successful access to messenger accounts not only allows confidential individual communications to be viewed, but also potentially compromises entire networks via group chats,” BfV and BSI said.

Suspected Threat Actors and Related Campaigns

Although investigators have not publicly identified the perpetrators, multiple Russia-aligned threat clusters have conducted similar attacks in the past. These groups include Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185), according to reports from Microsoft and Google Threat Intelligence Group published early last year.

In addition, Gen Digital disclosed another campaign in December 2025, codenamed GhostPairing. In that operation, cybercriminals exploited WhatsApp’s device-linking feature to seize control of accounts, likely for impersonation or fraud.

To reduce exposure to this threat, users should avoid engaging with support accounts and should never submit their Signal PIN via text message. Most importantly, enabling Registration Lock provides a critical safeguard, as it prevents unauthorized users from registering a phone number on another device. Users should also regularly review linked devices and promptly remove any unfamiliar ones.

Broader Espionage Concerns Across Europe

Separately, the Norwegian government accused Chinese-backed hacking groups, including Salt Typhoon, of breaching multiple organizations by exploiting vulnerable network devices. At the same time, officials accused Russia of closely monitoring military targets and allied activities, while Iran continues to track dissidents.

The Norwegian Police Security Service (PST) stated that Chinese intelligence services actively attempt to recruit Norwegian nationals to access classified information. According to PST, these recruits then build their own “human source” networks by advertising part-time roles on job boards or approaching individuals via LinkedIn.

Furthermore, PST warned that China is “systematically” exploiting collaborative research and development initiatives to strengthen its security and intelligence capabilities. Chinese law, notably, requires researchers to report discovered software vulnerabilities to authorities within two days.

“Iranian cyber threat actors compromise email accounts, social media profiles, and private computers belonging to dissidents to collect information about them and their networks,” PST said. “These actors have advanced capabilities and will continue to develop their methods to conduct increasingly targeted and intrusive operations against individuals in Norway.”

Infrastructure Attacks Linked to Russian Hackers

Finally, the disclosure follows a separate advisory from CERT Polska, which concluded that a Russian nation-state hacking group known as Static Tundra likely orchestrated coordinated cyber attacks. These attacks targeted more than 30 wind and photovoltaic farms, a manufacturing-sector company, and a large combined heat and power (CHP) plant supplying heat to nearly half a million customers.

“In each affected facility, a FortiGate device was present, serving as both a VPN concentrator and a firewall,” it said. “In every case, the VPN interface was exposed to the internet and allowed authentication to accounts defined in the configuration without multi-factor authentication.”



Source: TheHackerNews
