30APR

Signal, WhatsApp hit by three states

3 min read

08:16UTC

Russia's FSB, China's APT31 and Iran's IRGC are all running the same trade against journalists, lawyers and politicians. NCSC and Dutch AIVD advised passkeys plus a device audit.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyAssessed

Key takeaway

Three state services converging on the same civil-society vector makes messaging-app compromise a standard intelligence technique.

The UK National Cyber Security Centre (NCSC) and the Dutch General Intelligence and Security Service (AIVD) issued joint advisories on 31 March and 9 March 2026 warning that state-linked actors are targeting the Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers using malicious QR codes and contact impersonation ¹. The named clusters span three adversary states: Russia's Federal Security Service (FSB) running the operation known as Star Blizzard, China's APT31, and the Iranian Islamic Revolutionary Guard Corps (IRGC). A QR code linked in a message, scanned on a phone, can add an attacker's device as a linked Signal or WhatsApp session; contact impersonation through a spoofed voice or typed identity gets the target to send that QR on in the first place.

Three unrelated services arriving at the same attack vector is a tradecraft signal. Messaging apps have become the collection target because they now sit outside the corporate email perimeter where most monitoring lives. A journalist's Signal conversations with a source, a barrister's WhatsApp group with a client, a member of parliament's encrypted chat with a constituent, all carry the material that traditional lawful-intercept once got from telephone taps. The mitigation both agencies recommend, passkeys plus a device audit on every linked session, is specific and actionable in a way that generic state-threat advisories rarely are. A passkey is a cryptographic key bound to the user's device that replaces the password and cannot be phished; device audits on Signal and WhatsApp are done from the app's own "linked devices" menu.

Deep Analysis

In plain English

Signal and WhatsApp allow you to use your account on more than one device. If you get a new phone, for example, you scan a QR code to link it. This is a legitimate feature. Russian, Chinese, and Iranian intelligence services have been exploiting this feature by tricking politicians, lawyers, journalists, and academics into scanning malicious QR codes, linking the attacker's device to the target's account. The victim keeps using their messaging apps normally while the attacker can also read all their messages in real time. The UK's NCSC and the Dutch intelligence service AIVD issued a joint warning about this. The recommended defences are switching to passkeys instead of passwords and regularly checking the list of linked devices in your Signal and WhatsApp settings to remove any you do not recognise.

Deep Analysis

Root Causes

Signal and WhatsApp's legitimate multi-device feature allows a user to scan a QR code displayed by any additional device to link it as an authorised second client. Both platforms implemented this to compete with iMessage and other multi-device ecosystems. The feature has no built-in alert mechanism that clearly distinguishes a legitimate second-device link from a malicious one; the notification sent to the primary device is easily missed.

The target population that intelligence agencies are trying to protect (lawyers, journalists, politicians) is exactly the population least likely to have completed advanced security configuration (passkeys, linked-device auditing) on their personal messaging accounts, because their training is in their professional domain, not operational security.

What could happen next?

Risk
Malicious QR-code device-linking requires no technical exploit and no zero-day purchase; it scales to any actor with social engineering capability, which means the threat extends well below the nation-state tier.
Consequence
Signal and WhatsApp will face regulatory and civil-society pressure to implement more prominent linked-device notifications and audit logging following the NCSC-AIVD advisory, following the precedent of Apple's Lockdown Mode introduction after Pegasus exposure.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2016 WhatsApp account compromise of Bahraini human rights activist Ahmed Mansoor, documented by Citizen Lab, which used an iOS zero-day to plant Pegasus rather than a messaging-app device-linking technique.

The QR-code linking approach documented in the 2026 NCSC-AIVD advisory requires no zero-day; it exploits a legitimate feature of Signal and WhatsApp (the ability to link a second device) through social engineering. The technical barrier to this attack is dramatically lower than the 2016 Pegasus model.

Counter-parallel: The 2022 Conti ransomware group's internal chat leak, via a Ukrainian researcher who joined the group and leaked its Jabber logs, demonstrated that even sophisticated threat actors are not immune to social-engineering approaches to messaging access. The attack documented in the NCSC-AIVD advisory inverts this: the sophisticated actor uses social engineering to access the communications of a non-technical target rather than the other way around.

Consensus view: Citizen Lab at the University of Toronto, which tracks state-sponsored targeting of civil society, documents that the shift from spearphishing email to messaging-app QR code and device-linking abuse reflects a calculated response by state actors to end-to-end encryption: rather than breaking the encryption, attackers add their own device as an authorised second device on the victim's Signal or WhatsApp account, gaining access to all future and recent messages without decrypting the transport layer.

Counter-view: The AIVD's public advisory focuses on Western civil-society targets, but Chinese cybersecurity firm Qi An Xin assessed in 2025 that FSB Star Blizzard and APT31 also conduct identical QR-linking operations against non-Western journalists and activists, particularly in Central Asian states and Hong Kong, and that the threat is not limited to NATO-adjacent targets as Western advisories imply.

Key tension: Whether passkeys plus device audit is a realistic mitigation for the non-technical target population (politicians, academics, lawyers) that these agencies are trying to protect, or whether the mitigation gap between technical recommendation and non-technical adoption will sustain the attack's effectiveness indefinitely.

Sources:NCSC UK

Mentions:NCSC →AIVD →FSB Star Blizzard →APT28 →Islamic Revolutionary Guard Corps (IRGC) →Meta →Facebook Messenger →Russia →China →Iran →Bahrain →NATO →Prima →Toronto →Intel →Hong Kong →FSB →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK· 17 Apr 2026

Read original →

Causes and effects

This Event

Signal, WhatsApp hit by three states

Three unrelated state services converging on the same civil-society attack vector suggests messaging-app compromise has become a standard intelligence-collection method.

Led to

FIRESTARTER implant survives every Cisco firewall patch

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 24 Apr 2026

Read story →

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.