NCSC warns of messaging app targeting
The NCSC and international partners have issued an alert regarding increased targeting of high-risk individuals by state-sponsored threat actors via messaging apps like WhatsApp and Signal. Attackers utilize social engineering, phishing links, and malicious QR codes to steal account recovery codes, link unauthorized devices, and intercept sensitive communications.
Authors: NCSC
Source:
NCSC
Key Takeaways
- State-sponsored actors, including Russia-based groups, APT31, Star Blizzard, and IRGC, are actively targeting messaging apps like WhatsApp and Signal.
- High-risk individuals, such as government officials and those with access to sensitive information, are the primary targets.
- Attackers use social engineering, malicious links, and QR codes to steal login codes or link unauthorized devices to victim accounts.
- Users are strongly advised to enable two-step verification, use passkeys, and regularly review linked devices and group chat members.
Affected Systems
- Signal
- Messenger
- Mobile Devices
Attack Chain
Threat actors target high-risk individuals using social engineering tactics on messaging platforms like WhatsApp, Signal, and Messenger. They attempt to trick victims into sharing login or account recovery codes, or phish them using malicious links and QR codes. Once successful, attackers link their own devices to the victim's account, join group chats undetected, or impersonate known contacts to access sensitive information.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
EDR Visibility: None — The attacks occur within encrypted messaging applications on mobile devices, which are typically outside the scope of traditional endpoint detection and response tools. Network Visibility: None — Traffic from WhatsApp and Signal is end-to-end encrypted, preventing network-level inspection of message content or malicious links. Detection Difficulty: Very Hard — The activity relies on social engineering and abuse of native app features (like device linking) within end-to-end encrypted personal messaging apps, leaving almost no telemetry for enterprise defenders.
Required Log Sources
- Mobile Device Management (MDM) logs
- Application audit logs (if enterprise managed)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Monitor for unusual device linking events or new devices added to enterprise-managed communication accounts. | Application audit logs / MDM logs | Persistence | Medium |
Control Gaps
- Lack of visibility into personal messaging apps
- Inability to inspect E2EE traffic
Key Behavioral Indicators
- Unexpected new linked devices in messaging app settings
- Unrecognized participants in group chats
- Requests for verification codes from known contacts
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Enable two-step verification (Registration Lock) on all messaging apps.
- Enable passkeys for WhatsApp and Signal.
- Review and remove any unrecognized linked devices in app settings.
Infrastructure Hardening
- Enforce the use of corporately provided messaging services for work communications.
- Implement Mobile Device Management (MDM) policies to restrict unauthorized app usage on corporate devices.
User Protection
- Use disappearing messages on personal accounts to limit data exposure.
- Regularly review group chat members and verify unrecognized participants.
Security Awareness
- Train high-risk individuals on the dangers of sharing verification codes.
- Educate users on identifying impersonation attempts and malicious QR codes.
- Advise users not to share sensitive information over personal messaging apps.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1078 - Valid Accounts
- T1098 - Account Manipulation
- T1589 - Gather Victim Identity Information