Germany Officially Attributes Phishing Campaign Targeting Politicians' Signal Accounts to Russia

Germany Accuses Russia of Orchestrating Large-Scale Signal Phishing Attack on Politicians

HIGH
April 26, 2026
5m read
Phishing, Cyberattack, Threat Actor

Related Entities

  • Organizations: German Parliament
  • Other: Russia, Germany, Konstantin von Notz

Full Report

Executive Summary

The German government has formally accused the Russian state of orchestrating a large-scale phishing campaign targeting the Signal messenger accounts of hundreds of politicians and senior officials. A government source explicitly stated, "The federal government is assuming that the phishing campaign...was presumably run from Russia." The attack aimed to compromise accounts to access sensitive communications, contacts, and group memberships, and potentially to impersonate the victims. The targets were extensive, including members of the German Parliament (Bundestag), civil servants, diplomats, and journalists. German prosecutors have initiated a formal investigation on suspicion of espionage. This event represents a serious escalation in cyber hostilities and is part of a pattern of increased Russian-attributed cyber operations against Germany since 2022.


Threat Overview

This incident is a classic example of a state-sponsored information gathering and espionage operation conducted through digital means. The choice of target and method suggests a clear intelligence objective.

  • Who: An unnamed threat actor which the German government asserts is Russian state-sponsored.
  • What: A targeted phishing campaign designed to hijack Signal messenger accounts. The attackers sent messages masquerading as official Signal support, tricking users into revealing information that would allow an account takeover.
  • Whom: The targets were high-value individuals within the German political and administrative apparatus, including Members of Parliament (up to 300 accounts may have been compromised), the speaker of parliament, diplomats, and journalists.
  • Why: The primary motive is espionage. By gaining access to these accounts, the attackers could monitor private conversations, identify sensitive contacts, understand political strategies, and potentially gather blackmail material or spread disinformation by impersonating the account owners.
  • When: The campaign was active recently and has reportedly been stopped as of April 25, 2026.

Konstantin von Notz, a senior member of Germany's intelligence oversight committee, highlighted the severity of the attack, expressing concern about whether the integrity of parliamentary communications can still be guaranteed.


Technical Analysis

The attack vector was social engineering delivered via the Signal platform itself, a method that leverages the trust users have in the application.

Attack Method: Phishing for Account Takeover

  1. Initial Contact: The attackers sent messages to targets on Signal. These messages were crafted to look like official communications from Signal's support team.
  2. The Lure: The message likely contained a false warning or a prompt requiring user action, such as 're-verifying your account' or 'securing your profile'.
  3. The Hook: The message would trick the user into either clicking a link to a malicious website or providing their phone number and potentially a verification code sent to their device. In Signal's case, an attacker might try to trick a user into re-registering their number on a device the attacker controls, and then socially engineer the user into providing the registration code.
  4. The Takeover: Once the attacker has the user's phone number together with a new registration code (and the Registration Lock PIN, where one is set), they can register the victim's Signal account on their own device. This disconnects the legitimate user and gives the attacker full access to the account's profile, contact list, and group memberships. While past message history is end-to-end encrypted and not stored on Signal's servers (and thus not accessible), all future communications and the victim's social graph would be compromised.


Impact Assessment

The potential impact of this campaign is substantial, even if no classified information was directly exposed.

  • Intelligence Gathering: Attackers could gain deep insight into political decision-making, internal party discussions, and diplomatic strategies.
  • Compromise of Trust: The attack erodes trust in secure communication platforms, which are vital for government officials and journalists.
  • Disinformation and Impersonation: A compromised account could be used to send false information to high-level contacts, potentially influencing policy or creating chaos.
  • Blackmail: Information from private chats, even if not classified, could be used to blackmail or discredit individuals.
  • Network Exposure: Gaining access to a politician's contact list reveals their network of trusted associates, who then become future targets.

This attack demonstrates that even with end-to-end encryption, the human element remains a vulnerability. The security of a system is often dependent on the user's ability to recognize and resist social engineering.


IOCs — Directly from Articles

No specific Indicators of Compromise (such as attacker phone numbers or phishing domains) were provided in the source articles.


Cyber Observables — Hunting Hints

Detecting this type of activity is difficult as it occurs within a closed, encrypted platform. The primary defense is user awareness. However, organizations can provide guidance:

  • Type: string_pattern
    Value / Pattern: "Signal Support", "Verify your account", "Your account is at risk"
    Description: Phishing lures commonly used in account takeover attempts.
    Context: User education materials and security awareness training.
    Confidence: high

  • Type: log_source
    Value / Pattern: Signal 'Linked Devices' screen
    Description: A sudden, unrecognized device appearing in the 'Linked Devices' section of the Signal app.
    Context: User self-auditing of their own Signal account security settings.
    Confidence: high

  • Type: other
    Value / Pattern: Unsolicited messages from unknown contacts asking for personal information or to click links.
    Description: The primary delivery mechanism for the phishing attempt.
    Context: User awareness and reporting procedures.
    Confidence: high

Detection & Response

Detection is almost entirely reliant on the user.

Detection:

  • User Reporting: The most effective detection method is a well-informed user base that can recognize and report suspicious messages. Organizations should have a clear, simple process for users to report such incidents to their security team.
  • Device Alerts: Signal provides in-app notifications when a new device is linked to an account. Users must be trained to treat these alerts with extreme suspicion if they did not initiate the action.

Response:

  1. Immediate Disconnect: If a user suspects their account is compromised, they should immediately go to Signal Settings > Linked Devices, identify the unrecognized device, and remove it.
  2. Re-secure Account: Users should enable a Registration Lock PIN in Signal settings. This requires the PIN to be entered when re-registering the phone number, preventing an attacker from taking over the account even if they manage to intercept a verification code.
  3. Notify Contacts: Inform contacts and groups about the potential compromise to prevent the attacker from impersonating the user and spreading the attack.

Mitigation

Mitigation is centered on user education and hardening account settings.

  1. Enable Registration Lock: This is the single most important mitigation. All users, especially high-risk individuals, must be instructed to set a strong, unique Registration Lock PIN within their Signal settings. (M1032 - Multi-factor Authentication)
  2. User Training: Conduct mandatory training that specifically covers social engineering tactics on messaging platforms. Emphasize that Signal support will never ask for codes, PINs, or personal information via a chat message. (M1017 - User Training)
  3. Verify Contacts: Train users to be skeptical of unusual requests, even from known contacts. If a message seems out of character, they should verify it through a separate communication channel (e.g., a phone call).
  4. Do Not Click Links: Institute a strict policy of not clicking links or providing information in response to unsolicited messages from unknown senders.
  5. Regularly Review Linked Devices: Instruct users to periodically check the 'Linked Devices' section of their Signal app to ensure no unauthorized devices are connected.

Timeline of Events

  1. April 25, 2026: The German government publicly attributes a phishing campaign targeting politicians' Signal accounts to Russia.
  2. April 25, 2026: German prosecutors announce a formal investigation into the cyberattacks on suspicion of espionage.
  3. April 26, 2026: This article was published.

MITRE ATT&CK Mitigations

User Training (M1017, enterprise)

The primary defense against this social engineering attack is training users to recognize illegitimate requests and never share verification codes or PINs.

Multi-factor Authentication (M1032, enterprise)

In the context of Signal, the 'Registration Lock PIN' acts as a second factor, preventing account takeover even if a registration code is intercepted. Enforcing its use is critical.

Audit (M1047, enterprise)

Encourage users to regularly audit their 'Linked Devices' list within the Signal app to spot unauthorized connections.

D3FEND Defensive Countermeasures

In the context of the Signal phishing attack, the 'Registration Lock PIN' is the direct equivalent of a password. A 'Strong Password Policy' translates to mandating the use of this feature and providing guidance on creating a strong, non-obvious PIN. For high-risk users like politicians and journalists, the policy should require a complex alphanumeric PIN, not a simple 4-digit code. This D3FEND technique is the most critical technical control available within the Signal application to prevent the account takeover described. It acts as a second factor that the attacker cannot obtain simply by tricking the user into forwarding a one-time code. Organizations must treat the enforcement of this Signal feature with the same seriousness as they treat password policies for corporate email.

While technical User Behavior Analysis (UBA) is not possible within the encrypted Signal ecosystem, the concept must be applied through user training. This attack succeeds by exploiting a user's trust and lack of awareness. A 'behavioral' defense involves training users to analyze the 'behavior' of incoming messages. Key elements of this training should include:

  1. Establishing a baseline: Signal support will NEVER contact you via a direct message to ask for codes. Any message doing so is malicious.
  2. Anomaly detection: Be suspicious of unusual language, urgency, or requests from contacts that seem out of character. Verify through a second channel.
  3. Alerting: Report any suspicious message immediately.

By training the human as a UBA sensor, the organization can effectively detect and thwart social engineering campaigns that technical controls cannot see.
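As an added illustration of the lure strings listed in the hunting hints above and of the baseline / anomaly / alerting model just described, the following Python script (written for this article, not part of the original report or of any Signal tooling) scores a message that a user has forwarded to the security team. The regexes, weights and triage thresholds are assumptions for the example, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Lure phrases from the report's hunting hints; matched case-insensitively.
LURE_PATTERNS = [r"signal support", r"verify your account", r"your account is at risk"]
# Secrets that real Signal support never requests in a chat (the report's baseline rule).
SECRET_PATTERNS = [r"\b(?:verification|registration)\s+code\b", r"\bpin\b", r"\bsend (?:me|us) the code\b"]
# Pressure language typical of account-takeover lures (assumed patterns).
URGENCY_PATTERNS = [r"\bimmediately\b", r"\bwithin \d+ (?:minutes|hours)\b", r"\bwill be (?:deleted|suspended)\b"]
LINK_PATTERN = r"https?://\S+"

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def action(self) -> str:
        # Triage thresholds are an assumption of this example, not from the report.
        if self.score >= 5:
            return "escalate"
        return "review" if self.score >= 2 else "benign"

def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]

def triage_message(text: str, sender_known: bool) -> Verdict:
    """Score a message a user forwarded to the security team; higher means more likely a takeover lure."""
    v = Verdict()
    for p in _hits(LURE_PATTERNS, text):
        v.score += 2
        v.reasons.append(f"lure phrase /{p}/")
    if _hits(SECRET_PATTERNS, text):
        v.score += 4  # asking for a code or PIN is never legitimate, whoever the sender claims to be
        v.reasons.append("requests a verification code or PIN")
    if _hits(URGENCY_PATTERNS, text):
        v.score += 1
        v.reasons.append("urgency pressure")
    if re.search(LINK_PATTERN, text):
        v.score += 1
        v.reasons.append("contains a link")
    if not sender_known and v.score > 0:
        v.score += 1  # an unsolicited sender only matters when the content is already suspicious
        v.reasons.append("unsolicited sender")
    return v

# Constructed sample reports (not real messages from the campaign): (text, sender is a known contact).
SAMPLE_REPORTS = [
    ("Signal Support: your account is at risk. Reply with the verification code we just sent within 10 minutes.", False),
    ("Hey, are we still on for the committee meeting at 3?", True),
    ("Please verify your account here: https://example.invalid/verify", False),
]
```

Running `triage_message` over `SAMPLE_REPORTS` escalates the first message, marks the third for review and leaves the second as benign; the `reasons` list gives the analyst the specific rule that fired.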


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

Germany, Russia, Phishing, Signal, Espionage, Cyberattack, Geopolitics
