Germany warns of state-linked phishing campaign targeting journalists, government officials

German authorities are warning that a suspected state-controlled threat actor is using messaging apps such as Signal to target senior political, military and diplomatic figures, as well as investigative journalists, across Europe.

In a joint advisory issued late last week, Germany’s domestic intelligence agency (BfV) and federal cybersecurity office (BSI) said attackers are attempting to gain access to private messaging accounts in order to monitor confidential communications and potentially compromise broader networks.

Officials said the campaign relies on social engineering rather than malware or software vulnerabilities, exploiting legitimate security features built into messaging platforms. The current activity is focused on Signal, authorities said, but similar methods could be used against other messaging platforms with comparable features, including WhatsApp.

Germany has not attributed this campaign to a specific threat actor but said the techniques used in the latest attacks could be replicated by both state-backed hackers and cybercriminals.

“Given the high-profile target set, current known cases are likely attributable to a state-controlled cyber actor,” the advisory said.

Primary attack methods

Authorities identified two main attack variants. In one of them, the hackers impersonate official support teams or automated chatbots and contact targets directly through messaging apps. The messages often begin with an urgent security warning that claims private data could be lost without immediate action.

Victims are then asked to share account security PINs or SMS verification codes, allowing attackers to register the account on a device they control and take over communications.

In another variant, attackers abuse legitimate device-linking features that allow users to connect messaging accounts to additional devices. Victims are persuaded to scan a QR code, which instead links the victim’s account to a device controlled by the attacker, enabling ongoing access to contact lists, recent message history and future communications.

Security researchers have previously warned that Signal’s widespread adoption among military personnel, government officials, journalists and activists has made it a high-value target for espionage operations.

Ukrainian state officials said Russian state-backed hackers were targeting Signal messenger accounts — including those used by Ukrainian military personnel and government officials — in an effort to access sensitive information that could aid Moscow’s war effort.

Researchers at Google also discovered a campaign in which the notorious Russian threat actor Sandworm assisted Russian military forces in linking Signal accounts from captured battlefield devices to their own systems for further exploitation.

Signal did not respond to a request for comment.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
