Russian hackers use phishing to get access to message backups, Dutch spy agencies say
Russian state hackers are using phishing attacks to steal backup recovery keys and gain access to stored message histories in encrypted messaging apps, Dutch spy agencies said Monday. The method allows attackers to reach private chats, photos, and documents once protected by encryption.
The Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) said the campaign is ongoing and widespread. It targets Western and Ukrainian officials, military personnel, journalists, and others of intelligence interest.
Officials said Signal, a widely used encrypted messaging app that offers end-to-end secure communication, is a key target. The agencies said the operation is part of a broader Russian espionage campaign that remains large-scale and successful.
The hackers previously tried to break into accounts by stealing verification codes. They have now shifted to a new approach: phishing messages designed to obtain backup recovery keys.
The messages are sent under the name “Signal Support” and are designed to create urgency. Users are tricked into sharing recovery keys. Once obtained, the keys allow attackers to access stored backups.
With a valid recovery key, attackers can download full message histories, including media and files from the past 45 days. The same access can also enable full account takeover.
Officials said the platform is targeted because of its reputation. It is widely used by governments and journalists and is considered highly secure due to end-to-end encryption.
MIVD Director Vice Admiral Peter Reesink warned that, despite their security features, encrypted messaging apps are not suitable for confidential communication. AIVD Director-General Simone Smit said attackers continuously adapt their methods to deceive users.
The agencies stressed the messaging app itself has not been compromised. Instead, individual accounts are being targeted through phishing.
