Security News Intelligence confirms Russian state hackers targeting Dutch Signal and WhatsApp accounts

Brownie2019
Thread author
Mar 9, 2019
The Netherlands’ intelligence agencies confirmed on Monday that Russian state hackers are attempting to access chat apps Signal and WhatsApp accounts worldwide, including those of Dutch government officials, military personnel, and other individuals of interest such as journalists. Signal is reportedly particularly targeted because of its strong reputation as a secure communication platform used by governments.
The Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) said the hackers attempt to obtain verification and PIN codes by impersonating Signal support chatbots.
Once access is gained, attackers can read messages sent to the account and participate in chat groups without the user’s knowledge. Hackers also exploit features that allow devices to be linked to accounts, which can enable remote surveillance.
AIVD Director-General Simone Smit emphasized that the threat targets individual accounts rather than technical vulnerabilities in the messaging platforms themselves. “It is not that Signal or WhatsApp as applications are compromised. The threat is directed at accounts of individual users,” she said in a statement.
Vice Admiral Peter Reesink, director of the MIVD, warned that despite end-to-end encryption, chat apps like Signal and WhatsApp are not suitable for classified or sensitive information. To protect against Russian hacking attempts, the AIVD and MIVD issued a cyber advisory for users.
The advisory recommends that users check group chats for suspicious or duplicate accounts, verify any unusual accounts by email or phone, and report concerns to their organization’s IT security team. Compromised accounts should be removed from group chats.
It also warns that attackers may rename hijacked accounts—for example, to “Deleted account”—to avoid detection. Non-legitimate accounts entering a group via a captured group link should be removed by the group administrator.
If a group administrator appears compromised, members are advised to leave the group and set up a new one.
 
Executive Summary

Confirmed Facts

Russian state actors are actively conducting a social engineering campaign targeting Dutch dignitaries, military, and journalists to hijack Signal and WhatsApp accounts. Telemetry indicates no technical vulnerabilities are exploited; instead, threat actors impersonate support chatbots to extract verification and PIN codes.

Assessment
The campaign relies entirely on manipulating human behavior and abusing legitimate application features, making the underlying end-to-end encryption of the platforms irrelevant to the attack's success.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.002 – Phishing: Spearphishing Link (the support-chatbot lure; social engineering)

T1539 – Steal Web Session Cookie (ATT&CK name; applied here to the stolen verification codes and PINs)

T1098 – Account Manipulation (renaming hijacked accounts)

T1136.003 – Create Account: Cloud Account (abusing the device-linking feature)

CVE Profile
N/A [CISA KEV Status: Inactive].
The attack exploits human trust rather than software flaws.

Constraint
The structure resembles a pure credential and session harvesting operation. While hard IOCs are absent, the telemetry confirms attackers modify account display names to strings such as "Deleted account" to evade detection in group chats. The actors also weaponize the "linked devices" functionality to enable remote surveillance.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue immediate organizational communication prohibiting the transmission of classified or sensitive information over commercial messaging apps (Signal, WhatsApp).

DETECT (DE) – Monitoring & Analysis

Command
Audit all enterprise-managed group chats for unauthorized duplicate members or accounts displaying anomalous naming conventions like "Deleted account".

RESPOND (RS) – Mitigation & Containment

Command
Direct group administrators to immediately remove unrecognized accounts or accounts that join via a stolen group link.

Command
If a group administrator account is suspected of compromise, disband the group immediately and re-establish a new channel.

RECOVER (RC) – Restoration & Trust

Command
Verify the identity of potentially compromised users via out-of-band communication (e.g., standard email or a normal cellular call).

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Mandate targeted security awareness training focusing on chatbot impersonation and multi-factor authentication (MFA) code security.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect any unrecognized sessions immediately by navigating to the "linked devices" menu in your Signal or WhatsApp application settings.

Command
Never share verification codes or PINs with anyone, including accounts claiming to be official support.

Priority 2: Identity

Command
Verify duplicate contacts in your chat groups by calling them on a standard phone line to confirm their account status.

Priority 3: Persistence

Command
Check your chat groups for dormant users that have recently changed their display name to "Deleted account". Remove them if you hold administrative privileges.
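The DETECT step of the enterprise track and this Priority 3 check describe the same audit: look for duplicate members, accounts renamed to "Deleted account", and members who arrived through a captured invite link. Neither app exports a group roster in a machine-readable form, so the script below is an added example (not from the AIVD/MIVD advisory, the forum post, or either app) that assumes you have already transcribed the roster into the Member records shown; the field names, the 30-day dormancy window, the 7-day rename window and the sample numbers are all constructed for the example.

```python
# Added example: audit a transcribed group roster for the advisory's indicators.
# The Member export format is an ASSUMPTION for illustration; Signal and WhatsApp
# do not export rosters this way, so adapt the fields to whatever data you hold.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Display names hijacked accounts are renamed to in order to blend in
# (the advisory names "Deleted account"; the other variants are assumptions).
DECOY_NAME_RE = re.compile(r"^\s*(deleted|removed|unknown)\s+(account|user)\s*$", re.I)

DORMANT_AFTER = timedelta(days=30)   # no messages for this long counts as dormant
RECENT_RENAME = timedelta(days=7)    # a display-name change inside this window is "recent"


@dataclass(frozen=True)
class Member:
    display_name: str
    phone: str                 # E.164 number: the identity the app actually keys on
    joined_via: str            # "admin_add" or "invite_link" (assumed field)
    last_active: date          # date of the last message seen from this member
    renamed_on: date | None    # last display-name change, if your client records it


def normalize_name(name: str) -> str:
    """Collapse case, whitespace and punctuation so 'B. de Vries' and 'b.devries' collide."""
    return re.sub(r"[\s.\-_]+", "", name).casefold()


def audit_group(members: list[Member], approved_phones: set[str], today: date) -> list[tuple[str, str]]:
    """Return sorted (phone, indicator) pairs an administrator should verify out-of-band or remove."""
    findings: set[tuple[str, str]] = set()
    by_name: dict[str, list[Member]] = defaultdict(list)

    for m in members:
        by_name[normalize_name(m.display_name)].append(m)

        if m.phone not in approved_phones:
            # Never vetted by an admin: the advisory says to remove such accounts,
            # especially those that entered through a captured group link.
            indicator = "unvetted-invite-link-join" if m.joined_via == "invite_link" else "not-on-roster"
            findings.add((m.phone, indicator))

        if DECOY_NAME_RE.match(m.display_name):
            findings.add((m.phone, "decoy-display-name"))

        dormant = today - m.last_active > DORMANT_AFTER
        recently_renamed = m.renamed_on is not None and today - m.renamed_on <= RECENT_RENAME
        if dormant and recently_renamed:
            findings.add((m.phone, "dormant-account-recently-renamed"))

    # Two accounts sharing a normalized display name: one may be impersonating the other.
    # Flag both so the genuine member is confirmed by phone, as the advisory recommends.
    for group in by_name.values():
        if len(group) > 1:
            for m in group:
                findings.add((m.phone, "duplicate-display-name"))

    return sorted(findings)


# --- constructed sample roster; the numbers and names are not real ---
TODAY = date(2025, 6, 30)
APPROVED = {"+31600000001", "+31600000002", "+31600000003", "+31600000004"}
SAMPLE_ROSTER = [
    Member("A. Jansen", "+31600000001", "admin_add", date(2025, 6, 29), None),
    Member("B. de Vries", "+31600000002", "admin_add", date(2025, 6, 28), None),
    Member("C. Bakker", "+31600000003", "admin_add", date(2025, 4, 1), None),   # dormant but unchanged
    # impersonator: same display name as a real member, joined via the invite link
    Member("B. de Vries", "+31600000099", "invite_link", date(2025, 6, 30), date(2025, 6, 27)),
    # hijacked-looking account: long dormant, renamed to the decoy string a few days ago
    Member("Deleted account", "+31600000004", "admin_add", date(2025, 3, 1), date(2025, 6, 26)),
]

if __name__ == "__main__":
    for phone, indicator in audit_group(SAMPLE_ROSTER, APPROVED, TODAY):
        print(f"{phone}\t{indicator}")
```

The audit keys on phone numbers rather than display names because the name is the one attribute the attacker controls; the normalization step exists so that a near-duplicate name ("B.de Vries") is caught alongside an exact copy. Each finding is a prompt for the out-of-band verification the advisory asks for, not an automatic removal.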

Hardening & References

Baseline

CIS Benchmarks for Mobile Device Management (MDM).

Framework
NIST CSF 2.0 (PR.AT-01: Awareness and Training; PR.AA-01: Identity Management, Authentication, and Access Control).

Style Note
End-to-end encryption, written loosely as E(m,k) for a message m under key k, protects message content in transit between the endpoints. It provides no protection once an attacker holds an authorized endpoint: a session obtained through social engineering (a re-registration with a stolen verification code, or a device linked to the account) is delivered messages exactly as the legitimate user's own devices are, so the encryption works as designed and the attacker still reads the plaintext.
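To make the note concrete, here is an added illustration in the page's E(m,k) notation; the per-recipient device set D and the per-device keys k_i are assumptions of a simplified multi-device model, not either app's actual protocol:

$$
\text{sender} \;\longrightarrow\; \{\, E(m, k_i) \;:\; i \in D \,\}, \qquad D = \{\text{recipient's registered devices}\}
$$

If a social-engineered link adds an attacker-controlled device $a$ to $D$, the sender's client produces $E(m, k_a)$ alongside the legitimate copies and the attacker recovers $m$ with $k_a$. Every individual encryption remains sound; what was wrong is the membership of $D$, which is why the advisory's checks concern accounts, linked devices and group membership rather than the cipher.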

Source

General Intelligence and Security Service (AIVD) - Netherlands

NL Times - Intelligence confirms Russian state hackers targeting Dutch Signal and WhatsApp accounts
 