11 March 2026: Noise about Signal
Welcome to a new edition of my irregular digital security newsletter, where this time I write about Signal (and WhatsApp and Telegram) phishing.
I am currently looking for work, contract (including part-time gigs) or permanent. I have done a lot of different things in cybersecurity, but these days describe myself as a threat whisperer: someone with a deep understanding of the technical details of digital threats (and the skills to do research) who can also communicate information on threats to others: in presentations or blog posts, to sales, marketing or leadership and to at-risk groups and people. Reach out if you'd like to have my resume or have some work for me.
Martijn
martijn@lapsedordinary.net
martijngrooten.37
Noise about Signal
This week, the AIVD, the general intelligence service of the Netherlands, released a short report on a phishing campaign on Signal and WhatsApp which it says targeted “dignitaries, civil servants and military personnel”. This follows a similar report from German Intelligence published last month.
Pro-tip for the Germans: if you want your report to go viral, make sure you publish an English version of it. Also, make sure you blame the Russians, as Dutch intelligence did (accurately, I think), which also said that “other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign”.
This wasn’t the first time we learned about this ‘campaign’: a year ago, Google’s Threat Intelligence Group wrote about Signal accounts of military personnel being targeted. I wrote ‘campaign’ in quotes as Google already said there were two separate groups doing this, both linked to Russia; there may be more (see below). One of the groups was first written about by CERT-UA, the national CERT of Ukraine.
How do they take over accounts?
There are two separate ways of doing this.
The first involves an adversary setting up Signal on a new device (this could be a virtual machine of some kind, which makes it scale better) using the target’s phone number and then sending the target a message asking for the confirmation code they get sent through SMS (they make the message look like it comes from Signal Support and say the code is needed for security). This code is then used to register the account on the new device.
If the target hasn’t set up a registration lock, this is enough to take over the account. (Which is why setting up a registration lock is vital.) Depending on the follow-up actions taken by the adversary, this may permanently lock someone out of their account. Re-registering the account with the original phone number creates a new Signal account, while the now compromised old one continues to be active.
Now the good news here is that because Signal doesn’t store the chat history on its servers, the adversary won’t be able to see the chat history if they take over an account. And if they send a message to an existing contact, this contact will see that the safety number has changed.
However, it is fair to say most people ignore these notifications, so the account can be (and in many real cases has been) used to send messages to contacts that look like they come from trusted people. It is not hard to imagine how this can be damaging.
The second method is by sending the person a QR code that they need to scan in order to be added to some Signal group. Rather than add the account to a group though, it will add an adversary-controlled device to the account, just like you can add your laptop (and tablet and maybe another computer) to your account so you can access your account from all of these devices.
This method does require a bit more social engineering and clicking through warnings, but once successful nothing changes for the target. They will be able to continue using their account and only if they check for linked devices in the settings will they know a new device has been added. In this scenario too the adversary will not be able to see past messages.
Because military personnel in Ukraine have been targeted by this, and Signal messages (assumed to be private) could contain (implicit) location information, it is likely people have been killed because of this.
Is it just Signal?
No. The AIVD already mentions WhatsApp and Google mentioned Telegram being targeted too (Telegram is widely used in many parts of the world, including Ukraine). I have researched one of the actors and did indeed find targeting of all three platforms.
It should be noted that in the case of Telegram, because it’s not end-to-end encrypted, except for private chats where encryption is turned on, an account takeover gives the adversary access to the full chat history.
In the case of WhatsApp and Telegram, sometimes the phishing involves a website where they need to ‘log in with their account’, for example to vote in some kind of competition, with the code supposedly needed to verify them.
These websites didn’t look very well developed and the whole campaign seemed kind of sloppy, certainly not the work of Russia’s most advanced government-linked threat actors (of which they have several). But it doesn’t need to be: this kind of attack doesn’t require much technical sophistication and the most difficult part may often be obtaining the target’s phone number.
So first Ukraine and now the EU?
Not so fast. First, Ukraine continues to be widely targeted by this kind of phishing. Secondly, Cyberhub-AM reported last year they saw one of the groups targeting high-profile victims in Armenia (a country where Russia has strong interests), where these kinds of attacks continue as well. In my research I also found likely targeting of Moldova, which in September last year was holding parliamentary elections in which Russia had significant interest.
Now there is known targeting of Germany and the Netherlands, while there have also been reports from the United States.
Given the ease with which this kind of attack is executed, it doesn’t have to be all linked to Russia, or even to government actors. The phishing messages don’t always say who they are operated by and depending on how they are run, the attack doesn’t need to involve artifacts such as domain names or IP addresses that can be used to link them to each other and then to a specific actor.
I did ask some civil society contacts in other parts of the world (outside Russia’s prime area of interest) and they hadn’t seen any such messages in their communities, but it's certainly possible that other actors (including cyber criminals) are using the same methods to take over accounts.
It should be noted that WhatsApp and Telegram account takeover attacks are fairly common, often criminal in nature and sometimes involve compromising the place from which the SMS messages are being sent (which, if no registration lock was set, completely takes away the need for social engineering). In a limited case, this was also used to take over a Signal account.
Is Signal broken?
No, as Signal was quick to point out: Signal itself wasn’t compromised and the same is true for WhatsApp and Telegram. It also reminds everyone that Signal (like WhatsApp) never initiates contact via in-app messages.
But it does show that the privacy-focused design choices that Signal (rightly) made have some security implications.
The first is that no security product is going to be able to flag these messages as suspicious. Your organization’s security team isn’t able to see the messages to warn you against them and if you don’t tell them what happened, they will never know. (I suspect that after reading the German report, the AIVD asked around and learned some people in Dutch intelligence had been targeted too.)
The second is that if an account has been taken over, you probably can’t get it back, even if Signal had a support channel you could reach out to, which they don’t. (It isn’t always clear how Signal works under the hood, but I suspect the introduction of usernames made this even more complicated.)
And the third is that if people in your organization use Signal for work, there is no way your security team can enforce how it is being used, such as setting disappearing messages with a short duration or not linking secondary devices to the account. You will have to rely on people doing the right things. And that probably involves some training and a lot of reminding.
A final note on setting disappearing messages: they don't help against these kinds of attacks, but there are many scenarios in which they do make a real difference, including the very real but often overlooked scenario of an adversary grabbing the phone from your hands.
Thanks in particular to Digital Security Lab Ukraine for their insights. They are great people doing super important work in the country.
Non-security things
A book I read
I was a bit skeptical about reading a book on Islam by a white British guy, but firstly James McDougall’s Worlds of Islam is about Muslims and Muslim communities throughout the ages rather than about the religion itself and secondly, it is a really good and very balanced book. His outsider view means he writes about communities throughout the Muslim world and their often different and sometimes related histories, from the Arabic peninsula to Central Asia (where I was when I read this) and from West Africa to Indonesia.
The book is well researched and written with love for the people he wrote about – a love they truly deserve. It also reminds the reader that most of what the Muslim world has been dealing with in the past two centuries is colonialism and its aftermath. Regardless of your feelings on the religion itself, it is clear that in the more recent history of the Muslims, the bad guys usually are the colonizers, whether from ‘the West’ or from Russia.
A song I loved
I took a break from music blogging as I was traveling but have now resumed. Yesterday, on the 150th birthday of the telephone (“Mr. Watson, come here, I want to see you”), I wrote about a song by San Francisco indiepop band The Telephone Numbers that I’ve liked for quite a while and that I thought appropriate for the day.