German officials targeted in Signal phishing attacks, traces point to Russia

24 March, 07:42 PM

A series of attacks targeting Signal users, including journalists, politicians and security officials, has been observed in Germany in recent weeks, investigative outlet CORRECTIV reported on March 24.

The investigation uncovered digital evidence pointing to Russia’s involvement in the campaign, as well as links to previous attacks in Ukraine and Moldova.

The phishing attacks targeting German politicians, officials and journalists involved a profile named Signal Support warning of an alleged threat to an account and asking users to enter a PIN code sent to them. As a result, attackers gained control of the account, allowing them to access contacts and read incoming messages.

One of the victims was Arndt Freytag von Loringhoven, a former vice president of Germany’s BND intelligence service.

After taking over the official’s account, the attackers sent a link to what appeared to be an invitation to a WhatsApp channel. The site was hosted on servers of the Russian hosting provider Aeza. As CORRECTIV reported, the provider was used in 2024 for state propaganda campaigns.

The project noted that the company and its founders have been sanctioned by the United States and the United Kingdom, but not yet by the EU. This is significant because network analysis shows that data traffic from the phishing sites also passed through a German partner of Aeza, the investigators said.

Similar attacks carried out via Aeza servers were also recorded in previous years in Ukraine and Moldova.

A specialized phishing tool, Defisher, was also used. Archived versions of several of the analyzed sites show a user interface with a Russian-language input form.

According to CORRECTIV, the Defisher phishing tool was advertised on Russian hacker forums as early as 2024 for $690 (just under 600 euros). Further digital traces suggest the seller may be “a young person living in Moscow.”

According to IT specialists, hackers linked to the Russian state began integrating Defisher into their operations about a year ago, although CORRECTIV noted it could not independently confirm this.

On March 20, the FBI said hackers linked to Russian intelligence services carried out large-scale attacks on users of commercial messaging apps, including Signal and WhatsApp.

On March 9, the Dutch intelligence service said “Russian state hackers” were behind attacks on officials, military personnel and journalists worldwide via popular messaging platforms.
