Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.
The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).
The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.
The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting users to click a link or to provide verification codes or account personal identification numbers.
“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”
However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.
The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps.
Some of the recent targeting has had a Russian intelligence nexus. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.
“We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.

Facts Only

* The FBI and CISA issued a public service announcement (PSA) on Friday.
* Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps.
* The campaign involves phishing to infiltrate commercial messaging applications (CMAs).
* High-value targets include current and former U.S. government officials, political figures, military personnel, and journalists.
* The hackers have not been able to bypass end-to-end encryption itself; instead, they manipulate users into giving up access.
* The hackers pose as Signal help personnel.
* They invite users to click links or provide verification codes or account personal identification numbers.
* After compromising an account, the hackers can view messages and contact lists, and send messages.
* The threat actors specifically target Signal accounts, but can apply similar methods against other CMAs.
* CISA warned about spyware targeting messaging apps in November.

Executive Summary

A coordinated campaign by Russian intelligence-affiliated hackers is targeting users of commercial messaging applications, specifically Signal, with the aim of compromising accounts of high-value individuals including government officials, political figures, and journalists. The FBI and CISA have issued a PSA alerting users to this ongoing threat, detailing how hackers are manipulating users into divulging access through deceptive impersonations. The campaign utilizes a phishing approach, leveraging the trust users place in legitimate help personnel. While end-to-end encryption prevents the hackers from directly accessing content, they can exploit vulnerabilities in user behavior. The situation highlights the ongoing vulnerability of messaging apps to sophisticated intelligence operations and underscores the importance of enhanced cybersecurity practices. Several other nations, including the Netherlands and Germany, have issued similar warnings, suggesting a broader intelligence effort. The ongoing targeting of Signal users in Ukraine by Russian intelligence further contextualizes this latest development, indicating a potential escalation of tactics. Users are advised to bolster their personal cybersecurity to mitigate the risk of account compromise.

Full Take

The core narrative here—a sophisticated, persistent intelligence operation—mirrors recurring patterns in state-sponsored cyberattacks, particularly those originating from Russia. The emphasis on manipulating users rather than brute-force cracking reveals a preference for human intelligence (HUMINT) facilitated by technical means, a classic operating model observed in intelligence agencies for decades. The PSA’s framing, while technically accurate, positions the US as a reactive victim, mirroring a common tactic—presenting vulnerability rather than actively disrupting the adversary. This "motte-and-bailey" strategy, ARC-0043, forces the reader to define the problem within the adversary's terms (a “campaign”) rather than critically examining the underlying intelligence motives. The pattern scan reveals a clear echo of previous targeting of Ukrainian Signal users – Google Threat Intelligence Group's observation highlights a shift in operational scope beyond a specific conflict, signaling a broader strategy to deploy adaptable tools and techniques, ARC-0024. Underlying this narrative is the assumption of continued, state-level strategic competition—a persistent, low-intensity war that justifies these actions. The impact on human agency is significant; users are implicitly framed as potential pawns, a classic example of power imbalance. Furthermore, the PSA’s call for increased cybersecurity serves as a justification for greater surveillance and data collection—a potentially problematic implication. The attack pattern a bad actor *would* use, beyond simply replicating this campaign, would be to amplify this narrative through disinformation, creating a feedback loop of fear and paranoia, exploiting the already-present anxieties about foreign interference. This aligns with a classic information warfare playbook – using genuine vulnerabilities to cultivate distrust and sow division.

Sentinel — Likely Human

Confidence

This PSA presents a largely conventional account of a cybersecurity threat, utilizing standard language and referencing existing intelligence reports. While exhibiting some stylistic characteristics suggestive of AI assistance, the overall presentation aligns with typical human-generated security alerts, leaning towards a likely human origin.

Signals Detected

* Medium severity: High hedging density ('it's worth noting', 'one could argue') contributes to a cautious, almost overly formal tone.
* Low severity: The framing of 'both sides' regarding the threat, while technically accurate, lacks the urgency and specific details typically found in a security alert.
* Medium severity: Reliance on vague attribution ('experts say,' 'studies show,' 'Google Threat Intelligence Group') without specific source citations.
* Low severity: The statement about anticipating 'tactics and methods' being 'proliferate to additional threat actors and regions outside the Ukrainian theater of war' feels slightly overstated and predictive, potentially a common LLM tendency.

Human Indicators

* Clear articulation of the threat actors' methods and targets, aligned with established cybersecurity communication patterns.
* Logical flow of information, building from initial warnings to specific tactics and potential future proliferation.