Dutch intelligence warns that Russian state hackers are targeting Signal and WhatsApp users with phishing attacks designed to hijack accounts and silently monitor encrypted conversations.

Continue reading
Dutch intelligence services published an advisory describing a global, state-level phishing campaign that targeted user accounts on encrypted messaging platforms. The operation opportunistically abused legitimate account workflows—verification codes and device linking —rather than exploiting software vulnerabilities.
The immediate tactical goal was to obtain persistent access to private conversations of high-value persons (government officials, military staff, civil servants, and journalists). The strategic objective, consistent with classic signals intelligence tradecraft, was to collect confidential messaging content and contact networks for long-term intelligence exploitation.
This report reframes the advisory as an actionable CTI product: it explains attacker tradecraft, maps observable behaviors to detection controls, provides MITRE ATT&CK mappings, and provides a prioritized, practical runbook for detection, containment, and user remediation.
The campaign relies on social engineering tailored to endpoint authentication flows. Attackers impersonate trusted services or contacts, request one-time verification codes or Signal PINs, or ask victims to scan QR codes that link to a device. Once an attacker registers or links a device, they can read messages in real time while the primary device remains functional — meaning cryptographic protections remain intact, but the endpoint is effectively compromised.
What makes the campaign high value is twofold. First, the chosen platforms are widely used by the exact populations whose private messages are intelligence-relevant. Second, the technique scales: phishing messages and automated impersonation flows can be delivered at low cost, while the intelligence payoff per successful compromise is very high.
Attackers use two complementary techniques. The first is verification-code phishing: a targeted message claims an account needs verification or protection and asks the recipient to forward an SMS or in-app code. With that code, the attacker registers the account on a controlled device. The second is device-linking abuse: the victim is tricked into scanning a QR code that pairs their account with an attackers device. Both techniques bypass end-to-end encryption by controlling one of the endpoints.
Both approaches depend on convincing, time-pressure messaging and plausible impersonation (fake support bots, spoofed contacts). There is no evidence of bespoke malware or platform exploitation in the advisory — the weakness exploited is operational security (OPSEC) and authentication flow design.
Reconnaissance begins with identifying targets likely to use encrypted messaging for sensitive communication. The actor crafts socially credible lures based on the target’s role and recent events, then initiates contact using SMS, in-app message or email. During engagement, the attacker pressures for immediate action (share code, scan QR), collects the authentication material, and links or registers the account to their device. With persistent access established, the actor executes collection: harvesting messages, group membership, contacts, and shared files. Finally, they use that intelligence for follow-on operations—exfiltration, influence, or targeting additional contacts revealed in the compromised threads.
Investigators should collect timestamps of suspicious messages, screenshots of linked device lists, and any forwarded verification codes. Preserve logs and export conversation metadata where permitted.
Use this mapping to align detections and SOC playbooks with common enterprise frameworks.
Monitor for authentication and device events: enable logging on perimeter services that integrate with mobile/SMS gateways, identity providers, and any MDM. Correlate sudden re-registration events with user location and device fingerprint changes. Build detection rules that flag:
Instrument chat clients (where enterprise deployments permit) to export metadata about linked devices. If full logging is not possible, rely on endpoint EDR signals: look for new installations of companion apps or SSH/TLS sessions from novel device fingerprints.
Provide users with a simple checklist and a one-click “report suspicious message” workflow to reduce friction when reporting possible phishing.
At the org level, mandate and enforce the following:
For government or media orgs, provide hardened, centrally managed devices for sensitive staff that prohibit ad-hoc device linking without IT approval.
If multiple high-value accounts show similar compromise patterns, treat it as a coordinated campaign: collect indicators across victims to identify common delivery infrastructure, message templates, or timestamps. Share sanitized indicators with trusted partners and with platform vendors for defensive measures. Where feasible, coordinate with mobile carriers to investigate SIM/SMS forwarding anomalies that could facilitate verification code interception.
This campaign demonstrates a durable adversary tradecraft pattern: exploit human workflows, not cryptography.
The detection surface is therefore behavioral and operational rather than signature-based. Effective defense relies on combining rapid user education, enforcement of registration protections, and correlation of authentication/device telemetry at the SOC level.
Prioritize high-value accounts for additional protections (managed devices, registration locks, pre-approved communication channels) and ensure incident playbooks are practiced and measured.

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again