The MIVD and AIVD warn of an active Russian hacking campaign targeting Signal and WhatsApp accounts of Dutch government employees, military personnel, and dignitaries. The attackers are not exploiting technical vulnerabilities in the apps themselves, but rather legitimate security features. Journalists may also be targeted.

The MIVD and AIVD confirm that Dutch government employees have been targeted and, in some cases, have also fallen victim. The most commonly observed attack method is for hackers to pose as an official Signal support chatbot. Through these fake messages, they try to obtain victims’ verification codes and PINs. With these codes, they can take over accounts. However, it does not stop there. The attackers also exploit the so-called ‘linked devices’ feature within Signal and WhatsApp, which allows devices to be linked to an account. As a result, victims often do not notice that their account is being read remotely.

Once an account has been taken over, the Russians can read incoming messages. Chat groups in which the victim participates are also vulnerable to eavesdropping in this way.

No leak in Signal or WhatsApp, but in accounts

“Despite having end-to-end encryption, chat applications such as Signal and WhatsApp are not channels for classified, confidential, or sensitive information,” emphasizes MIVD director Vice Admiral Peter Reesink.

The AIVD points out that the attacks are unrelated to any vulnerabilities in Signal or WhatsApp as platforms. “It is not the case that Signal or WhatsApp as a whole have been compromised; the threat is to individual users’ accounts,” says AIVD Director-General Simone Smit.

Signal is widely used by governments worldwide because of its reputation as a reliable, independent, end-to-end encrypted communication platform. This makes it an attractive target for attackers. Sensitive information is expected to be found there.

The MIVD and AIVD have published a Cyber Advisory with practical recommendations for action. Signal users can check for themselves whether a contact may have been compromised by seeing if someone appears twice in a chat group, sometimes with a slightly different name. Another suspicious sign is a group member named ‘Deleted account’ who did not trigger a notification when the name was changed, or an unknown member who joined via a group link. In all these cases, the AIVD advises contacting your organization’s information security department.

