Security News Hackers Linked to State Actors Target Signal Messages of Military Officials and Journalists

Brownie2019

Thread author
Germany’s top security agencies issued an urgent warning yesterday regarding a sophisticated cyber espionage campaign targeting high-ranking officials and journalists across Europe.
The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) revealed that state-sponsored hackers are hijacking Signal accounts to spy on private communications.
The joint advisory, released February 6, identifies the primary targets as military personnel, diplomats, politicians, and investigative journalists.
Unlike traditional hacks that use malware or exploit software bugs, this campaign relies entirely on “social engineering”, tricking victims into using legitimate features against themselves.
The “Fake Support” Trap
The first attack method involves hackers posing as “Signal Support” or a “Signal Security ChatBot.”
They contact targets directly within the app, claiming suspicious activity or a data leak has occurred on the victim’s device.
To “fix” the problem, the fake support bot asks the user to verify their identity by sending a PIN code.
If a victim shares this six-digit code, the hackers immediately register the victim’s phone number on a new device they control.
This locks the legitimate user out of their own account while giving the attackers complete control to impersonate the victim in future chats.
The Silent QR Code Spy
The second method is more subtle and allows hackers to spy on chats without locking the user out.
Attackers use a plausible pretext, such as a request to join a group or verify a device, to trick the victim into scanning a QR code.
Technically, this QR code is a “device linking” request. When a victim scans it, they inadvertently authorize the hacker’s tablet or computer to link to their account.
Once connected, the attacker can silently read all new messages and view chat history from the past 45 days.
This access often persists for weeks because the victim’s phone usually continues to work, masking the intrusion.
Authorities believe a “state-controlled cyber actor” is behind the campaign, given the specific focus on high-value intelligence targets rather than financial theft.
The goal appears to be espionage, involving the mapping of social networks and the interception of sensitive political and military discussions.
Because the attacks use valid Signal features rather than viruses, they bypass most antivirus software.
Security officials urge all users to check their “Linked Devices” list in Signal settings immediately and never to share verification PINs with anyone, even accounts claiming to be support staff.
 
What you quoted matches a real (and very plausible) attack pattern: it’s social engineering that abuses legitimate “account registration” and “linked devices” features rather than exploiting Signal with malware.

Multiple outlets reported on February 6, 2026 that Germany’s BSI and BfV issued a joint warning about this kind of Signal-focused phishing against high-value targets (politics, military, journalism). The same reporting also notes the campaign can be adapted to other messengers with similar features.
(Direct access to the BfV PDF advisory was blocked from my side by the publisher, but the described techniques line up with Signal’s own support documentation on how linked devices and PIN/Registration Lock work.)

Two important clarifications (to avoid confusion)
  • The “six-digit code” is typically the SMS registration/verification code sent when someone tries to register your number on a new device. You should never share it.
  • Your Signal PIN is not that SMS code. It’s the PIN you set in Signal (numeric or alphanumeric) and it can be used as a Registration Lock. Signal cannot recover/reset it for you, and if you forget it while Registration Lock is enabled, you can be locked out for up to 7 days.

Why the “linked devices QR” trick is dangerous
If you scan a QR code that is actually a device-link request, you may be authorizing an attacker’s desktop/tablet as a linked device. Signal confirms linked devices can synchronize chats and “last 45 days of media” during setup (and there’s also an option to transfer message history during linking), so this can expose ongoing conversations and potentially some amount of recent history depending on what gets synced/transferred.

Practical defenses (low effort, high value)
  • Assume any in-app “Signal Support / Security bot” message is a scam. Signal explicitly states support will not contact you first and won’t contact you inside the app.
  • Enable Registration Lock (and choose a strong PIN you can actually keep safe).
  • Check Signal → Settings → Linked Devices and remove anything you don’t recognize. (Signal also notes linked devices unlink after 30 days of inactivity, but you should not rely on that as a control.)
  • Never share your SMS verification code, Signal PIN, or any “security code” with anyone—no matter how urgent they make it sound.
  • Don’t scan QR codes sent to you in chats or shown to you as a “verification” step unless you initiated the linking and you’re looking at the QR code on your own computer/iPad.
  • Keep Signal and your OS updated, and slow down when a message tries to create urgency (that urgency is part of the manipulation).

If you suspect you already scanned a QR code / linked an attacker device
  • Immediately unlink unknown devices in Linked Devices.
  • Consider notifying sensitive contacts out-of-band (phone call, known email) that your account may have been observed/impersonated.
  • Review any recent messages you “sent” that you don’t recognize (impersonation is often part of the follow-on).

Technical Analysis & Remediation

Attack Vectors & Methodology

The campaign employs two distinct vectors, both abusing legitimate Signal features to bypass end-to-end encryption (E2EE) protections at the endpoint level.

Vector A: Account Takeover (The "Support" Trap)

Mechanism
Attackers impersonate "Signal Support" or a "Signal Security ChatBot".

Pretext
Victims receive messages claiming a "data leak" or "suspicious activity" occurred.

Execution
The user is coerced into providing their 6-digit SMS verification code or Registration PIN.

Impact
Attackers register the victim's number on a new device. This triggers a "Registration Lock" event, effectively locking the legitimate user out of their own account while attackers impersonate them.

Vector B: Surveillance (The QR Link)

Mechanism
"Device Linking" abuse.

Pretext
Requests to "verify device" or "join a secure group" by scanning a QR code.

Execution
The QR code is actually a Signal Desktop/iPad linking request. Scanning it authorizes the attacker's device to sync with the victim's account.

Impact
Persistent, silent access. Attackers can view the past 45 days of chat history and read all real-time incoming messages without locking the victim out.

MITRE ATT&CK Mapping

T1566.003 (Phishing via Service)
Impersonating Signal Support.

T1111 (Two-Factor Authentication Interception)
Stealing SMS/PIN codes.

T1098.005 (Account Manipulation: Device Registration)
Linking rogue devices via QR code.

T1598.003 (Phishing for Information)
Eliciting PINs under duress.

Vulnerability clarification
While CVE-2026-25228 (Signal K Server) was disclosed recently, it affects marine data software and is unrelated to this campaign. This operation relies entirely on human error, bypassing antivirus and EDR solutions.

Remediation - THE ENTERPRISE TRACK (SOC/IR Focus)

Phase 1: Identification & Containment

Audit Linked Devices
Immediate mandate for all high-value targets (HVT) to check Settings > Linked Devices.

Indicator
Any unknown device, particularly "iPad" or "Desktop" instances added recently.

Kill Switch
If a compromise is suspected, users must immediately tap "Edit" -> "Delete" (or "Unlink") on all unrecognized devices.

Alerting
Broadcast internal comms: "Signal Support will NEVER contact you inside the app. Signal does not have a 'ChatBot'."

Phase 2: Eradication

Reset Registration PIN
Go to Settings > Account > Change your PIN. This prevents attackers from re-registering the number if they still hold the SMS code.

Registration Lock
Enable Settings > Account > Registration Lock. This requires the PIN to re-register the number, blocking SIM-swappers or attackers with just the SMS code.

Phase 3: Recovery & Governance

Graph Analysis
If a device was linked, assume the adversary has scraped the victim's entire contact list and group memberships. Initiate a counter-intelligence assessment of the exposed network graph.

Policy Update
Prohibit the scanning of QR codes sent via digital channels (email/chat) for "verification" purposes.

Remediation - THE HOME USER TRACK

Priority 1: Immediate Safety Check

Open Signal on your phone now.

Tap your profile icon (top left) > Linked Devices.

Action
If you see any device you don't recognize (e.g., "Windows PC" when you only own a Mac), tap it and select Unlink or Remove.

Priority 2: Secure Your Identity

Enable Registration Lock:

Go to Settings > Account.

Turn ON "Registration Lock".

This acts as a "second password." Even if a hacker steals your SMS code, they cannot hijack your account without this PIN.

Priority 3: The "Support" Rule

Block & Report
If you receive a message from "Signal Security ChatBot" or anyone asking for a PIN, it is a scam.

Signal (the company) will never message you inside the app to ask for codes or PINs.

Hardening & References

Baseline Hardening (CIS/NIST)

Safety Numbers
Verify Safety Numbers (the cryptographic keys) out-of-band (e.g., via a voice call) for sensitive contacts.

Screen Lock
Enable Signal's built-in Screen Lock (Settings > Privacy) to prevent physical access if the device is seized.

Disappearing Messages
Set a default timer (e.g., 1 week or 4 weeks) for all new chats to limit the "blast radius" if a device is linked by an adversary.

References

  • BfV/BSI Joint Advisory (Germany), Feb 6, 2026.
  • CyberSecurityNews: BfV & BSI Joint Advisory
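To make the two controls discussed above concrete (the earlier reply's note that the SMS code and the Registration PIN are different things, and this post's Phase 2 / Priority 1 steps), here is a toy model added as an illustration; it is not Signal's code or either poster's. It assumes a plain day counter for time, invented device names, and a randomly generated six-digit code; only the 7-day lock window and the 30-day inactivity unlink are taken from the thread.

```python
"""Toy model of the Signal account controls this thread describes (SMS code,
Registration Lock PIN, linked devices). Constructed, not Signal's code; the 7-day
lock window and 30-day unlink come from the thread, the rest is assumed. Time is a day counter."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

REGLOCK_WAIT_DAYS = 7       # Registration Lock stalls a PIN-less re-registration this long (thread)
LINK_INACTIVITY_DAYS = 30   # linked devices drop off after this much inactivity (thread)

@dataclass
class LinkedDevice:
    name: str
    last_active_day: int

@dataclass
class Account:
    primary: str                      # device that currently holds the phone number
    last_registered_day: int = 0
    pin: Optional[str] = None         # Registration PIN, enforced only while the lock is on
    registration_lock: bool = False
    sms_code: Optional[str] = None
    linked: List[LinkedDevice] = field(default_factory=list)

    def request_sms(self) -> str:
        """Signal texts a one-time six-digit code to the number's real owner."""
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        return self.sms_code

    def register(self, device: str, sms_code: str, pin: Optional[str], day: int) -> Tuple[bool, str]:
        """Try to move the number onto `device`; returns (ok, reason)."""
        if self.sms_code is None or sms_code != self.sms_code:
            return False, "sms code invalid"
        locked = self.registration_lock and day - self.last_registered_day < REGLOCK_WAIT_DAYS
        if locked and pin != self.pin:
            return False, "registration lock: PIN required"   # the SMS code alone is not enough
        # Success logs the previous primary out: the account takeover the advisory warns about
        self.primary, self.last_registered_day, self.sms_code = device, day, None
        return True, "registered"

    def link(self, device_name: str, day: int) -> None:
        """What scanning a device-linking QR code does: that device now receives the chats."""
        self.linked.append(LinkedDevice(device_name, day))

    def prune_inactive(self, day: int) -> None:
        self.linked = [d for d in self.linked if day - d.last_active_day < LINK_INACTIVITY_DAYS]

    def audit(self, known: Set[str]) -> List[str]:
        """Names under Settings > Linked Devices that the owner does not recognise."""
        return [d.name for d in self.linked if d.name not in known]
```

Walking the model through the thread's scenarios shows why Registration Lock is the control that matters: without it the shared six-digit code alone moves the number, with it the same code fails until the PIN is leaked too, and a rogue linked device stays visible in the audit until it is removed or 30 idle days pass.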
Thanks for bringing the news, because it helps to see that what looks “local” is actually part of a much broader board. In the end, these campaigns are like funhouse mirrors at a fair: they seem local, but they reflect a much larger stage 🌍.