- 23
- March
On March 9, 2026, Dutch intelligence agency AIVD warned that Russian state-backed hackers are targeting WhatsApp and Signal accounts of government officials worldwide — without deploying any malware. Instead, they use pure social engineering to trick victims into handing over their verification codes. FBI and CISA confirmed the campaign on March 21, 2026, revealing that thousands of accounts have already been compromised.
Key Facts at a Glance
- Targets: Government officials, military personnel, political figures, and journalists worldwide (including the United States)
- Threat Actors: Star Blizzard, UNC5792 (UAC-0195), UNC4221 (UAC-0185) — Russia-aligned groups
- Method: Social engineering — impersonating Signal support, claiming "data leak," requesting SMS verification code + PIN
- Scale: Thousands of accounts compromised globally
- Impact: Read messages, view contacts, send messages as victim, conduct follow-on phishing from trusted identity
Timeline — How Russian Hackers Targeted WhatsApp and Signal
| Date | Event |
|---|---|
| Early 2026 | Star Blizzard and UNC5792 launched campaigns targeting Signal and WhatsApp accounts of government officials in multiple countries |
| Feb - Mar 2026 | Attackers sent messages impersonating Signal support, claiming "your data has been leaked" and requesting identity verification |
| March 9, 2026 | AIVD (Dutch General Intelligence and Security Service) issued a public warning about Russian state hackers targeting Signal/WhatsApp |
| March 21, 2026 | FBI and CISA confirmed thousands of accounts compromised, issued advisory urging all organizations to take protective action |
The Attack Method — Social Engineering Without Malware
This campaign did not exploit any software vulnerability or deploy malware. Instead, the attackers used social engineering — psychological manipulation techniques to trick victims into voluntarily surrendering their credentials. Here is how Star Blizzard executed the attack:
- Impersonation: Sent messages posing as "Signal Support" or the "WhatsApp Security Team"
- Creating urgency: Claimed "a data leak involving your account has been detected" or "your account is about to be suspended"
- Requesting verification: Asked victims to send their SMS verification code and PIN to "verify their identity"
- Account takeover: Used the obtained codes to register the victim's Signal/WhatsApp account on the attacker's device
Why Is This So Dangerous?
Once an attacker gains control of an account, they can read all messages, view all contacts, and send messages as the victim. The most dangerous consequence is the ability to conduct follow-on phishing from a trusted identity — for example, impersonating a government official to request classified information from colleagues. This is the same class of threat as an insider threat, making it extremely difficult to detect.
Who Is Behind the Attacks?
| Group | Also Known As | Primary Targets |
|---|---|---|
| Star Blizzard | SEABORGIUM, ColdRiver | Government officials, diplomats, researchers in NATO countries |
| UNC5792 (UAC-0195) | — | Ukrainian military and intelligence services |
| UNC4221 (UAC-0185) | — | Military personnel, journalists, NGOs |
All three groups are classified as Advanced Persistent Threats (APTs) linked to the Russian government. Their objective is intelligence gathering, not ransom — which means many victims remain unaware their accounts have been compromised for weeks.
What Attackers Can Do After Account Takeover vs. How to Protect Yourself
| What Attackers Can Do | How to Prevent It |
|---|---|
| Read all messages in the account | Enable Registration Lock (PIN) and set a strong PIN |
| View all contacts | Never store sensitive information in chat — use separate encrypted channels for critical data |
| Send messages as the victim | Verify identity through another channel (phone call/in-person) before acting on important requests |
| Phish colleagues from a trusted identity | Establish policies requiring multi-channel verification for sensitive information requests |
| Access shared files, photos, and documents | Enable Disappearing Messages for sensitive conversations |
Messaging App Security Checklist — For Organizations
| # | Action Item | Details |
|---|---|---|
| 1 | Enable Registration Lock | Signal: Settings > Account > Registration Lock (6+ digit PIN) / WhatsApp: Settings > Account > Two-step verification |
| 2 | Never Share Verification Codes | Signal/WhatsApp will never ask for your SMS code — anyone who does is 100% a scammer |
| 3 | Verify Through Other Channels | If you receive a message from "support," call the number published on the official website instead |
| 4 | Check Linked Devices | Go to Settings > Linked Devices and verify no unfamiliar devices are connected |
| 5 | Train Your Staff | Conduct Security Awareness Training on social engineering every 6 months |
| 6 | Establish Communication Policies | Define which channels are approved for sensitive data and which classification levels are prohibited on messaging apps |
ERP Security Connection — Why Communication Security Matters for Organizations
Although this incident targeted messaging apps, the core lessons apply to every system in your organization — including ERP:
- Insider threat from compromised accounts: If a hacker takes over an executive's chat account, they could send messages instructing staff to modify ERP data (e.g., wire transfers, approve fake purchase orders)
- Social engineering works on every system: The same techniques can be used to trick employees into revealing ERP credentials
- Multi-channel verification is essential: Critical ERP commands must be verified through multiple channels — not just a chat message
| Defense Principle | Applied to Messaging Apps | Applied to ERP |
|---|---|---|
| Multi-Factor Authentication | Enable Registration Lock + PIN in Signal/WhatsApp | Enforce MFA on every login + FIDO2 for admin accounts |
| Identity Verification | Verify identity through another channel before acting on requests | Separation of Duties — critical commands require approver |
| Audit Trail | Regularly check Linked Devices | Log every change + alert on anomalous activity |
Saeree ERP — Access Controls That Defend Against Social Engineering
Saeree ERP includes Role-Based Access Control for granular permissions, a comprehensive Audit Trail logging every change, Separation of Duties preventing single-person approvals, and Multi-Factor Authentication support. Even if an executive's chat account is compromised, attackers cannot issue commands through the ERP system without going through the proper approval workflow.
Summary — Lessons from the WhatsApp/Signal Attacks Every Organization Must Remember
| Lesson | Details |
|---|---|
| 1. No malware needed to hack accounts | Social engineering uses psychological manipulation — antivirus software is useless against it |
| 2. Never share verification codes | No legitimate company will ever ask for your SMS code — anyone who does is a scammer |
| 3. Enable 2FA on every app immediately | Registration Lock / Two-Step Verification prevents 90%+ of account takeover attempts |
| 4. A compromised identity is more dangerous than malware | A hacker posing as a trusted colleague is far more dangerous than any virus |
| 5. Organizations need clear communication policies | Define approved channels, data classification levels, and identity verification processes for critical commands |
"The most dangerous threat is not malware — it is a message from someone you trust whose account has already been compromised. Every organization must enable 2FA and train staff on social engineering today."
- Saeree ERP Team
If your organization needs an ERP system with robust access controls, insider threat protection, and Multi-Factor Authentication — contact the Saeree ERP team for a free consultation.
References
- AIVD — Russian state hackers target Signal and WhatsApp (March 9, 2026)
- FBI/CISA — Warning on Russian hackers targeting messaging apps (March 21, 2026)
- BleepingComputer — Russian hackers hijack Signal, WhatsApp accounts of government officials
- Google Threat Intelligence — Russia-aligned actors targeting Signal Messenger
