Ethical Hacking News
Former Germany’s foreign intelligence VP hit in Signal account takeover campaign highlights growing threat of Russian cyber espionage to national security. The attackers exploited the app's legitimate "linked devices" feature to compromise the victim's account, providing a persistent means to eavesdrop on their secure conversations without needing full device compromise.
The Russian government targeted former Germany's foreign intelligence vice president, Arndt Freytag von Loringhoven, in a signal account takeover campaign. The attackers exploited the Signal app's "linked devices" feature to gain access to the victim's account and intercept secure conversations. Russian threat actors used malicious QR codes to link the victim's account to an actor-controlled Signal instance, allowing them to read the user's messages in real-time. Signal has issued a statement assuring users that its encryption and infrastructure remain secure, but warns of social engineering tactics like phishing and tricking users into sharing verification codes or PINs. Germans officials have been targeted by similar attacks in recent months, highlighting the growing threat of Russian cyber espionage to national security.
In a recent development that highlights the growing sophistication of Russian cyber espionage tactics, former Germany’s foreign intelligence vice president, Arndt Freytag von Loringhoven, was targeted in a signal account takeover campaign. The attack, which occurred in February 2026, is part of a wave of similar incidents targeting high-ranking German officials and politicians who use the Signal messaging app.
The attackers used a novel technique to compromise the victim’s account by exploiting the app's legitimate "linked devices" feature, which enables users to access their accounts on multiple devices concurrently. According to researchers, threat actors crafted malicious QR codes that, when scanned, would link the victim's account to an actor-controlled Signal instance. This allowed the attackers to intercept and read the user's secure conversations in real-time without requiring full device compromise.
The "linked devices" feature is designed to allow users to easily share their Signal accounts across multiple devices, making it easier for users to access their messages and contacts on different devices. However, this feature also provides a vulnerability that can be exploited by malicious actors. Researchers have reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools for data exfiltration.
The attackers used the stolen database files to gain access to the victim's account, where they then sent a malicious link to contacts. The victims were warned not to open the link, but in this case, no further damage was reported. However, the incident highlights the potential risks associated with using messaging apps that offer features like linked devices.
Signal has since issued a statement assuring users that its encryption and infrastructure remain secure and that it takes these types of attacks very seriously. The company stated that the attacks rely on social engineering tactics, such as phishing and tricking users into sharing verification codes or PINs, rather than exploiting vulnerabilities in the app itself.
The incident is part of a broader trend of Russian cyber espionage efforts targeting high-ranking officials and politicians who use messaging apps like Signal. In recent months, several other German officials have reported being targeted by similar attacks, highlighting the growing threat of Russian cyber espionage to national security.
In response to these incidents, German authorities have warned Signal users to check for suspicious signs, such as unknown devices listed under "paired devices" or unexpected prompts to re-register accounts. The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have also classified the attacks as "security-relevant" and urged those affected to come forward.
The incident highlights the need for individuals and organizations to be vigilant about online security threats, particularly when using messaging apps that offer features like linked devices. By taking steps to protect themselves against social engineering tactics and keeping their software up-to-date, users can reduce the risk of falling victim to these types of attacks.
In conclusion, the compromise of former Germany’s foreign intelligence vice president's Signal account highlights the growing sophistication of Russian cyber espionage tactics and the need for individuals and organizations to be vigilant about online security threats. As the threat landscape continues to evolve, it is essential that users take proactive steps to protect themselves against these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Hackers-Exploit-Signal-Apps-Linked-Devices-Feature-to-Compromise-German-Intelligence-Officials-Account-ehn.shtml
https://securityaffairs.com/189509/intelligence/former-germanys-foreign-intelligence-vp-hit-in-signal-account-takeover-campaign.html
https://cybernews.com/security/state-actors-targeting-high-profile-signal-accounts/
Published: Mon Mar 16 12:54:41 2026 by llama3.2 3B Q4_K_M
