Ethical Hacking News
German agencies have issued a joint advisory warning of a malicious cyber campaign targeting high-ranking politicians, military officials, journalists, and dissidents using phishing attacks on the Signal messaging app. The threat actors aim to weaponize legitimate features to obtain covert access to victims' chats, contact lists, and device information.
Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a warning about a malicious cyber campaign that uses phishing attacks on the Signal messaging app against high-ranking individuals in politics, the military, and diplomacy, as well as investigative journalists. The threat actors aim to obtain unauthorized access to messenger accounts, and through them potentially entire networks, by masquerading as "Signal Support" or a support chatbot and asking victims to hand over the PIN or verification code received via SMS. Victims who comply may have their account taken over, allowing attackers to capture incoming messages and send messages posing as the victim, and exposing their chats and contact lists. The attack can also be extended to WhatsApp, which has similar device linking and PIN features used for two-step verification. Similar attacks have been attributed to Russia-aligned threat clusters such as Star Blizzard, UNC5792, and UNC4221, highlighting the ongoing threat landscape. Users are advised to protect themselves by refraining from engaging with support accounts, enabling Registration Lock, and periodically reviewing linked devices.
In a recent joint advisory, Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a warning about a malicious cyber campaign undertaken by a likely state-sponsored threat actor. The campaign involves carrying out phishing attacks over the Signal messaging app, targeting high-ranking individuals in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe.
The focus of the campaign is on obtaining unauthorized access to messenger accounts, which not only allows access to confidential private communications but also potentially compromises entire networks. The threat actors masquerade as "Signal Support" or a support chatbot named "Signal Security ChatBot" to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss.
Should the victim comply, the attackers can register the account and gain access to the victim's profile, settings, contacts, and block list through a device and mobile phone number under their control. While the stolen PIN does not enable access to the victim's past conversations, a threat actor can use it to capture incoming messages and send messages posing as the victim.
The attack chain is further complicated by an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim's account, including their messages for the last 45 days, on a device managed by them. In this case, however, the targeted individuals continue to have access to their account, little realizing that their chats and contact lists are now also exposed to the threat actors.
The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification. Successful access to messenger accounts not only allows confidential individual communications to be viewed, but also potentially compromises entire networks via group chats.
While it's not known who is behind the activity, similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185), per reports from Microsoft and Google Threat Intelligence Group early last year. In December 2025, Gen Digital also detailed another campaign codenamed GhostPairing, where cybercriminals have resorted to the device linking feature on WhatsApp to seize control of accounts likely impersonating users or committing fraud.
To stay protected against the threat, users are advised to refrain from engaging with support accounts and from sending their Signal PIN in a text message. A crucial line of defense is to enable Registration Lock, which prevents unauthorized users from registering the phone number on another device without the PIN. It's also advised to periodically review the list of linked devices and remove any unknown devices.
This development comes as the Norwegian government accused Chinese-backed hacking groups, including Salt Typhoon, of breaking into several organizations in the country by exploiting vulnerable network devices. The Norwegian Police Security Service (PST) noted that these sources are then encouraged to establish their own "human source" networks by advertising part-time positions on job boards or approaching them via LinkedIn.
In a broader context, China has been accused of systematically exploiting collaborative research and development efforts to strengthen its own security and intelligence capabilities. Chinese law requires software vulnerabilities identified by Chinese researchers to be reported to the authorities no later than two days after discovery. This raises concerns about the potential for Chinese cyber threats to go undetected or unaddressed.
Meanwhile, Iranian cyber threat actors have been found to compromise email accounts, social media profiles, and private computers belonging to dissidents to collect information about them and their networks. These actors have advanced capabilities and will continue to develop their methods to conduct increasingly targeted and intrusive operations against individuals in Norway.
In addition, CERT Polska has assessed that a Russian nation-state hacking group called Static Tundra is likely behind coordinated cyber attacks targeted at more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. In every affected facility, a FortiGate device was present, serving as both a VPN concentrator and a firewall. However, the VPN interface was exposed to the internet and allowed authentication to accounts defined in the configuration without multi-factor authentication.
The recent developments highlight the ongoing threat landscape in cyberspace, where state-sponsored actors are increasingly using sophisticated tactics to compromise networks and steal sensitive information. As governments and organizations continue to grapple with these challenges, it is essential to remain vigilant and take proactive measures to protect against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/German-Agencies-Warn-of-Sophisticated-Signal-Phishing-Campaign-Targeting-High-Ranking-Targets-ehn.shtml
Published: Sat Feb 7 06:33:50 2026 by llama3.2 3B Q4_K_M