Russian hackers use phishing to get access to message backups, Dutch spy agencies say
Russian state hackers are using phishing attacks to steal backup recovery keys and gain access to stored message histories in encrypted messaging apps, Dutch spy agencies said Monday. The method allows attackers to reach private chats, photos, and documents once protected by encryption.
The Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) said the campaign is ongoing and widespread. It targets Western and Ukrainian officials, military personnel, journalists, and others of intelligence interest. The agencies confirmed findings shared by U.S. security services in a June 26 warning.
Officials said Signal, a widely used encrypted messaging app that offers end-to-end secure communication, is a key target. The agencies said the operation is part of a broader Russian espionage campaign that remains large-scale and successful.
The hackers previously tried to break into accounts by stealing verification codes. They have now shifted to a new approach: phishing messages designed to obtain “Backup Recovery-keys.”
The messages are sent under the name “Signal Support” and are designed to create urgency. Users are tricked into sharing recovery keys. Once obtained, the keys allow attackers to access stored backups.
Those backups can include messages, photos, and documents. With a valid recovery key, attackers can download full message histories, including media and files from the past 45 days. The same access can also enable full account takeover.
The agencies said the shift reflects an evolution in tactics following earlier warnings issued on March 9, when Russian actors were already attempting to access messaging accounts at scale.
Officials said the platform is targeted because of its reputation for security. It is widely used by governments and journalists and is considered highly secure due to end-to-end encryption.
MIVD Director Vice Admiral Peter Reesink said encrypted messaging apps are not suitable for confidential communication despite their security features. AIVD Director-General Simone Smit said attackers continuously adapt their methods to deceive users.
The agencies stressed the messaging app itself has not been compromised. Instead, individual accounts are being targeted through phishing.
They warned users to be cautious of messages claiming to come from “Signal Support,” noting that official support never asks for codes or recovery keys.
