Germany's BfV and BSI issue joint advisory about state-sponsored phishing campaign targeting high-profile Signal users through fake support accounts and device linking attacks.
German intelligence agencies have issued a stark warning about a sophisticated phishing campaign targeting high-profile individuals through the Signal messaging app. The Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) revealed that a likely state-sponsored threat actor is exploiting Signal's legitimate features to compromise accounts belonging to politicians, military personnel, diplomats, and investigative journalists across Germany and Europe.
Unlike traditional malware-based attacks, this campaign weaponizes Signal's built-in functionality to gain covert access to victims' communications. The attackers masquerade as "Signal Support" or a chatbot called "Signal Security ChatBot," initiating contact with targets and requesting PIN codes or verification codes received via SMS. Compliance with these requests allows the threat actors to register the victim's account on their own devices, granting access to profiles, settings, contacts, and block lists.
The Attack Chain
The phishing operation employs two distinct methods to compromise Signal accounts. In the first approach, victims receive messages from fake support accounts claiming their data will be lost unless they provide a PIN or verification code. Once provided, the attackers can register the account on their controlled device, intercepting incoming messages and sending messages while posing as the victim. The legitimate user is then instructed to register for a new account, effectively losing access to their original account.
The second method exploits Signal's device linking feature. Victims are tricked into scanning a QR code that grants the attackers access to their account, including messages from the past 45 days. Unlike the first method, the targeted individuals retain access to their account but remain unaware that their chats and contact lists are simultaneously exposed to the threat actors.
Beyond Signal: WhatsApp Also at Risk
German authorities warn that while the current campaign focuses on Signal, the attack methodology can be extended to WhatsApp due to similar device linking and PIN features incorporated into both platforms' two-step verification systems. This cross-platform vulnerability significantly expands the potential victim pool and underscores the need for vigilance across all messaging applications.
Attribution and Similar Campaigns
While the identity of the threat actor remains unknown, German agencies note that similar attacks have been attributed to Russia-aligned groups including Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185), according to reports from Microsoft and Google Threat Intelligence Group. The campaign bears similarities to other recent phishing operations, including Gen Digital's "GhostPairing" campaign that exploited WhatsApp's device linking feature for account takeover and potential fraud.
Protective Measures
To defend against these sophisticated attacks, users are advised to:
- Never engage with unsolicited support accounts or provide PIN codes via text message
- Enable Registration Lock to prevent unauthorized registration of phone numbers on other devices
- Regularly review and remove unknown linked devices from account settings
- Exercise extreme caution with QR codes and verification requests
The warning comes amid broader concerns about state-sponsored cyber operations targeting European infrastructure and individuals. Norwegian authorities recently accused Chinese-backed hacking groups, including Salt Typhoon, of breaching organizations through vulnerable network devices, while also highlighting Russian and Iranian cyber activities targeting military, allied activities, and dissidents.
This coordinated advisory from Germany's top security agencies underscores the evolving nature of cyber threats, where attackers increasingly exploit legitimate application features rather than relying on traditional malware or vulnerability exploitation. The campaign demonstrates how social engineering tactics combined with legitimate platform functionality can create powerful attack vectors against high-value targets.