FBI Warns: Russian Hackers Launch Massive Phishing Attack on WhatsApp and Signal Users
The FBI and CISA have issued an urgent alert that Russian-linked threat actors are conducting large‑scale phishing campaigns against WhatsApp and Signal users, using social‑engineering tricks such as fake support messages, code‑request scams, and malicious links to hijack accounts and monitor communications.
Attack Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly warned that threat actors linked to Russian intelligence are carrying out a large-scale phishing operation targeting users of commercial messaging applications (CMAs) such as Signal and WhatsApp.
1.1 Incident Background
The warning states that the campaign focuses on high‑value targets, including:
U.S. government officials (current and former)
Military personnel
Political figures
Journalists
1.2 Attack Methodology
Rather than breaking the end‑to‑end encryption of Signal or WhatsApp, the attackers rely on social engineering: they persuade victims either to hand over the one‑time verification code and PIN that control account registration, or to link an attacker‑controlled device to the account.
Impersonate “Signal Support” and send a fake help request that includes a link or QR code.
Ask the victim to provide an SMS verification code or PIN.
Conduct a trust‑chain attack by using the compromised account to send secondary phishing messages to the victim’s contacts.
Two Possible Outcomes
2.1 Victim Provides Verification Code/PIN
The attacker immediately registers the victim’s phone number on a device they control; if the victim also disclosed their registration‑lock PIN, that lock no longer blocks the takeover.
The victim’s own device is deregistered and loses access to the account.
The attacker receives all new incoming messages and can send messages as the victim.
Earlier messages stay on the victim’s device and are not transferred, because the platform stores message history only on the user’s devices, not on its servers.
2.2 Victim Clicks Link or Scans QR Code
The attacker’s device becomes linked to the victim’s account as an additional device, without deregistering the victim.
The attacker receives copies of messages sent to and from the account from that point on; depending on the app and version, message history may also be synced to the newly linked device.
The victim often does not notice the intrusion because the app continues to function normally.
The intrusion is typically discovered only when the victim checks the list of linked devices in the app settings.
Threat Actor Analysis
While the FBI and CISA did not name specific groups, Microsoft and Google threat‑intelligence teams have previously associated similar activity with the following Russia‑linked actors:
Star Blizzard – Microsoft‑tracked group that has shifted to WhatsApp QR‑code phishing of high‑value targets.
UNC5792 (UAC‑0195) – exploits Signal’s device‑linking feature.
UNC4221 (UAC‑0185) – frequently targets government officials.
Similar alerts have also been issued by cybersecurity agencies in Germany and the Netherlands.
Defense Recommendations
Signal Support will never contact you via in‑app messages, SMS, or social media to request a verification code or PIN. Any such request is a scam.
Practical Measures
Never disclose SMS verification codes or PINs to anyone.
Be cautious of unexpected messages from unknown contacts.
Inspect URLs carefully before clicking any links.
Regularly review the “linked devices” list and remove suspicious entries.
Enable the registration lock (Signal PIN, WhatsApp two‑step verification) where supported; it blocks re‑registration by anyone who lacks the PIN, but it cannot protect a victim who hands the PIN over.
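The “inspect URLs carefully” advice above is hard to apply by eye, so here is a small triage helper that automates the check for Signal links. It is an added example, not code from the CISA/FBI advisory or from Signal: it flags Signal’s device‑linking URI (the `sgnl://linkdevice?uuid=…&pub_key=…` form encoded in a linking QR code) as the highest‑risk finding, flags hosts that borrow the Signal or WhatsApp brand without being on an allowlist, and returns an overall verdict for a message. The allowlist and the sample messages are constructed for this example; WhatsApp’s linking QR does not encode a URL, so it is out of scope here.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of first-party hosts for this example; extend it for your environment.
KNOWN_HOSTS = {
    "signal.org", "support.signal.org", "signal.group", "signal.me", "signal.link",
    "whatsapp.com", "www.whatsapp.com", "faq.whatsapp.com", "wa.me",
}
BRAND_WORDS = ("signal", "whatsapp")

# Matches scheme://rest, so it catches custom schemes like sgnl:// as well as http(s).
URL_RE = re.compile(r"[a-z][a-z0-9+.\-]*://[^\s<>\"']+", re.IGNORECASE)

SEVERITY = {"device-link": 3, "lookalike": 2, "other": 1, "known-host": 0}


def classify_url(url: str) -> str:
    """Label a single URL: device-link, lookalike, known-host, or other."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""            # .hostname is already lowercased, port stripped

    # Signal's device-linking URI: scanning/opening it links a new device to the account.
    if scheme == "sgnl" and host == "linkdevice":
        return "device-link"

    if scheme in ("http", "https"):
        if host in KNOWN_HOSTS:
            return "known-host"
        # Brand name in a host or path that is not first-party: classic support lookalike.
        if any(b in host for b in BRAND_WORDS) or any(b in p.path.lower() for b in BRAND_WORDS):
            return "lookalike"
    return "other"


def triage_message(text: str) -> list:
    """Extract every URL in a message and classify it; returns [(url, label), ...]."""
    results = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)]}\"'")   # drop trailing punctuation from prose
        results.append((url, classify_url(url)))
    return results


def verdict(text: str) -> str:
    """block: device-link or lookalike present; review: other URLs; ok: nothing risky."""
    worst = max((SEVERITY[label] for _, label in triage_message(text)), default=0)
    return {3: "block", 2: "block", 1: "review", 0: "ok"}[worst]


# Constructed sample messages modelled on the lures described in the advisory.
SAMPLE_MESSAGES = [
    "Signal Support: your account needs verification. Open "
    "sgnl://linkdevice?uuid=8f1c2d3e&pub_key=BASE64KEY to continue.",
    "Hi, here is the meeting group: https://signal.group/#CjQKIEXAMPLE",
    "Please confirm your identity at https://signal-account-recovery.com/verify. Thanks!",
    "Agenda attached, see https://example.com/agenda.pdf",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(verdict(msg), triage_message(msg))
```

The device‑link rule is the one that matters most: a legitimate support or invite link never asks you to open a `sgnl://linkdevice` URI, so any message carrying one can be blocked outright. The lookalike rule is a heuristic and will miss homoglyph domains; pair it with the linked‑devices review above rather than relying on it alone.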
Red Team Perspective
The red team rates the operation highly because it bypasses the cryptographic defenses entirely: instead of attacking the protocol, it tricks users into surrendering account access themselves, the essence of social engineering (“people are always the weakest link”).
Blue Team Perspective
The blue team’s response includes timely alerts and clear user education, but ultimately, preventing phishing relies on users’ security awareness; technical controls alone cannot stop a victim who willingly opens the door.
References
CISA official alert
FBI Director Kash Patel’s social‑media statement
German BSI warning
Dutch National Cyber Security Centre warning