GBHackers

State-Backed Hackers Target Military Officials and Journalists on Signal in Latest Cyberattack


German intelligence and security agencies have issued a high-priority warning regarding a sophisticated cyber espionage campaign targeting military officials, diplomats, and investigative journalists across Europe.

The Bundesamt für Verfassungsschutz (BfV) and the Federal Office for Information Security (BSI) identified the attackers as likely state-sponsored actors utilizing social engineering to compromise accounts on the encrypted messaging app Signal.

Unlike traditional hacks that use malware or software vulnerabilities, this campaign abuses legitimate features of the Signal application to take over accounts.

The agencies report that the operation specifically focuses on high-value targets in politics and defense sectors to conduct espionage and potentially disrupt trusted communication networks.

Technical Breakdown of the Attack

The advisory describes two distinct methods used by the threat actors to bypass encryption and authentication protections.

Variant 1: The Fake Support Bot

In the first method, attackers pose as “Signal Security Support” or a “Signal ChatBot.” They send direct messages to targets claiming there has been a security breach or data leak on the user’s device.

The message creates urgency, warning the user that they must verify their account immediately to prevent data loss. The attackers then request the user’s six-digit Security PIN or SMS verification code.

If the victim shares this code, the attackers can register the victim’s phone number on a device they control. This effectively locks the legitimate user out of their account and grants the attacker full control to send and receive messages.

Variant 2: Device Linking via QR Codes

The second technique involves tricking users into linking an attacker’s device to their own account.

Attackers contact the target under a plausible pretext and persuade them to scan a QR code.

While the user believes they are verifying a login or accessing a secure document, they are actually authorizing the attacker’s device (such as a tablet) to sync with their Signal account.

Once linked, the attacker gains continuous access to the victim’s message history (up to the last 45 days) and contact lists.

Crucially, this method allows the spy to read new incoming and outgoing messages in real time without the victim losing access, making the intrusion much harder to detect.
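Both variants rely on a message that either impersonates Signal staff and asks for a PIN or verification code, or pushes the target to scan a QR code that links a device. The heuristic below is an added, defender-side example (not code from the advisory or from this article) that scores sample messages against those lure patterns; the sample messages, the keyword lists and the scoring weights are all constructed here for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (sender label, message text). They are modelled on
# the two lures described in the advisory, plus benign traffic for contrast.
SAMPLE_MESSAGES = [
    ("Signal Security Support",
     "We detected a data leak on your device. To prevent data loss, verify your "
     "account now by replying with your 6-digit Security PIN."),
    ("Signal ChatBot",
     "URGENT: your account will be deactivated. Send the SMS verification code "
     "you just received to confirm ownership."),
    ("Colleague",
     "Can you scan this QR code to open the secure document? It just links your "
     "Signal for access."),
    ("Colleague", "Running 10 minutes late, start without me."),
    ("Bank", "Your statement is ready in the app."),
]

# Signals, each a constructed keyword pattern (not an official indicator list).
ROLE_WORDS = re.compile(r"\b(support|security|chatbot|team|help ?desk)\b", re.I)
CODE_REQUEST = re.compile(
    r"\b(pin|verification code|sms code|6-digit|six-digit|security code)\b", re.I)
LINKING_LURE = re.compile(r"\bqr\b.*\b(scan|link)|\b(scan|link)\b.*\bqr\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|urgent|now|prevent|deactivat\w*|locked|breach|leak)\b", re.I)


@dataclass
class Finding:
    sender: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def looks_like_signal_staff(sender: str, text: str) -> bool:
    """Variant 1 tell: the sender or text claims to be Signal support/security."""
    haystack = f"{sender} {text}"
    return "signal" in haystack.lower() and ROLE_WORDS.search(haystack) is not None


def triage(sender: str, text: str) -> Finding:
    """Score one message; weights are illustrative, higher means more suspicious."""
    f = Finding(sender=sender)
    if looks_like_signal_staff(sender, text):
        f.score += 2
        f.reasons.append("claims to be Signal support/security")
    if CODE_REQUEST.search(text):          # Variant 1: asks for PIN / code
        f.score += 3
        f.reasons.append("asks for PIN or verification code")
    if LINKING_LURE.search(text):          # Variant 2: asks to scan a QR code
        f.score += 3
        f.reasons.append("asks to scan a QR code / link a device")
    if URGENCY.search(text):               # pressure language used in both lures
        f.score += 1
        f.reasons.append("urgency or threat language")
    return f


def triage_all(messages) -> list[Finding]:
    return [triage(sender, text) for sender, text in messages]


def flagged(messages, threshold: int = 3) -> list[Finding]:
    """Messages that should be shown to the user with a warning before they act."""
    return [f for f in triage_all(messages) if f.score >= threshold]


if __name__ == "__main__":
    for f in flagged(SAMPLE_MESSAGES):
        print(f"[{f.score}] from {f.sender!r}: {'; '.join(f.reasons)}")
```

The point of the weights is that a request for a PIN or verification code, or a request to scan a QR code, is enough on its own to warrant a warning, while an impersonated sender name or urgent wording only raises the score further. A heuristic like this belongs in user-awareness tooling; it does not replace the controls the BSI names below, namely reviewing the Linked Devices list and enabling Registration Lock.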

Impact and Mitigation

Security officials warn that a successful breach compromises not just the individual but entire networks.

Attackers can extract sensitive chat histories, map out contact structures, and impersonate the victim in group chats to spread disinformation.

The BSI advises all high-risk users to immediately check their “Linked Devices” list in Signal settings and remove any unrecognised connections.

Additionally, users should enable the “Registration Lock” feature, which requires a PIN to re-register a phone number, preventing account takeovers even if SMS codes are intercepted.

Officials emphasized that legitimate Signal support will never ask for a PIN or verification code via direct message.
