FBI/CISA: Signal phishing spree

FBI and CISA warned of a Russian‑linked phishing campaign that uses Signal to target high‑value individuals—an encrypted‑messenger tactic designed to bypass email controls and pivot into privileged cloud or geospatial accounts. Agencies emphasized mobile/messaging forensics and stronger IAM anomaly detection as the attack vector evolves. (cryptika.com)

CISA and the FBI published a joint public service announcement on March 20, 2026 stating that cyber actors associated with Russian intelligence services have gained unauthorized access to "thousands" of commercial messaging application (CMA) accounts, and listing current and former U.S. government officials, military personnel, political figures, and journalists as the primary targets. (ic3.gov)

The advisory lays out two exploitation schemes. In the first, attackers impersonate CMA support staff and trick the target into handing over a verification code or account PIN, which yields full account takeover. In the second, they send a link or QR code that registers an attacker-controlled "linked device" on the victim's account, which yields persistent access to the victim's messages without the victim losing access themselves. (ic3.gov) Both schemes defeat end-to-end encryption not by breaking the cryptography but by compromising an endpoint of the conversation.

U.S. reporting noted that earlier messaging-account operations have been associated with Russia-aligned clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185), though the March 20 PSA did not attribute the activity to a single named group. (thehackernews.com)

Allied agencies have issued parallel warnings. Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) published a joint advisory on February 6, 2026 warning of Signal phishing that uses fake support chats and device linking to steal PINs. (bsi.bund.de) The Netherlands' AIVD and MIVD confirmed on March 9, 2026 that Russian state hackers are running a "large-scale global" campaign to access the Signal and WhatsApp accounts of dignitaries, military personnel, and civil servants. (english.aivd.nl) CISA's November 24, 2025 alert had already documented the same TTPs, namely malicious device-linking QR codes, spoofed apps, and zero-click spyware delivery, and the March 20 PSA reiterates that these methods bypass end-to-end encryption by compromising individual accounts rather than the protocol. (cisa.gov)

The PSA instructs targets to "stop all interaction" with suspected impersonators and never to share verification codes or PINs, and it recommends periodically reviewing the linked-device list in the app and removing any device the user does not recognize. U.S. cyber partners have concurrently published digital-forensics and protective-monitoring guidance that calls for stronger logging, observability, and forensic readiness on mobile endpoints so that anomalous linked-device activity can be detected. (ic3.gov 1) (ic3.gov 2)
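The two schemes above reduce to two things a recipient can check before acting: does the message ask for a one-time code or PIN while claiming to be support, and does any link (or the text a QR code decodes to) register a new linked device rather than open a web page? The following Python triage routine is an added illustration, not code from the PSA or from any messaging vendor. It assumes that Signal's device-linking QR code decodes to a URI of the form sgnl://linkdevice?uuid=...&pub_key=... (an assumption about the format, not something the advisory states), and the sample messages are constructed for the example.

```python
"""Triage inbound messenger text for the two PSA schemes:
(1) impersonated support soliciting verification codes / PINs, and
(2) links or decoded QR payloads that would register a linked device.
Added example; URI layout and sample messages are assumptions/constructed."""

import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Phrases an impersonated "support" account uses to extract one-time secrets.
CODE_SOLICITATION = re.compile(
    r"\b(verification|confirmation|registration)\s+code\b|\bpin\b|\bregistration lock\b",
    re.IGNORECASE,
)
SUPPORT_CLAIM = re.compile(
    r"\b(signal|whatsapp|telegram)\s+(support|security|team)\b", re.IGNORECASE
)
# Any URL or app-scheme link embedded in the body (scheme://...).
LINK = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.IGNORECASE)


def classify_link(payload: str) -> dict:
    """Describe what opening a link (or the text a QR code decodes to) would do.

    Assumption: Signal's linking QR decodes to
    sgnl://linkdevice?uuid=<device-uuid>&pub_key=<base64>.
    A well-formed device-link URI is indistinguishable from the one Signal
    Desktop shows; only its provenance tells you whose device it adds.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() == "sgnl" and parts.netloc.lower() == "linkdevice":
        q = parse_qs(parts.query)
        dev = q.get("uuid", [""])[0]
        try:
            uuid.UUID(dev)
            well_formed = True
        except ValueError:
            well_formed = False
        return {
            "kind": "device_link",
            "device_uuid": dev,
            "has_pub_key": bool(q.get("pub_key", [""])[0]),
            "well_formed": well_formed,
        }
    if parts.scheme.lower() in ("http", "https"):
        return {"kind": "web_url", "host": parts.hostname or ""}
    return {"kind": "other", "scheme": parts.scheme.lower()}


def triage_message(text: str) -> list:
    """Return the list of findings for one message body (empty list = nothing flagged)."""
    findings = []
    if CODE_SOLICITATION.search(text):
        findings.append("asks_for_code_or_pin")
    if SUPPORT_CLAIM.search(text):
        findings.append("claims_to_be_support")
    for link in LINK.findall(text):
        info = classify_link(link)
        if info["kind"] == "device_link":
            # Scanning/opening this registers a new linked device on the account.
            findings.append("device_link_uri")
        elif info["kind"] == "web_url":
            findings.append("web_url:" + info["host"])
    return findings


# Constructed sample messages (not real campaign content).
SAMPLES = {
    "support_pretext": (
        "Signal Support here. To keep your account active, reply with the "
        "6-digit verification code we just sent you."
    ),
    "qr_link_pretext": (
        "Open this on your phone to join the secure group: "
        "sgnl://linkdevice?uuid=8c8a6d8c-0b1e-4d7f-9a6e-1f2d3c4b5a69&pub_key=BQZ2abc"
    ),
    "benign": "Lunch at 1?",
}


def triage_all(samples: dict = None) -> dict:
    """Triage every sample and map its label to its findings."""
    return {label: triage_message(body) for label, body in (samples or SAMPLES).items()}


if __name__ == "__main__":
    for label, findings in triage_all().items():
        print(f"{label}: {findings or 'no findings'}")
```

The check is deliberately about effect, not reputation: a device-link URI is flagged whenever it appears, because the only safe way to link a device is to generate the QR code yourself on a device you control, never to scan one that arrived in a chat.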

Shared from Scout - Be the smartest in the room.