20MAY

Signal, WhatsApp hit by three states

3 min read

09:58UTC

Russia's FSB, China's APT31 and Iran's IRGC are all running the same trade against journalists, lawyers and politicians. NCSC and Dutch AIVD advised passkeys plus a device audit.

← Back to AI joins the breach column on both sides Jump to analysis ↓

TechnologyAssessed

Key takeaway

Three state services converging on the same civil-society vector makes messaging-app compromise a standard intelligence technique.

The UK National Cyber Security Centre (NCSC) and the Dutch General Intelligence and Security Service (AIVD) issued joint advisories on 31 March and 9 March 2026 warning that state-linked actors are targeting the Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers using malicious QR codes and contact impersonation ¹. The named clusters span three adversary states: Russia's Federal Security Service (FSB) running the operation known as Star Blizzard, China's APT31, and the Iranian Islamic Revolutionary Guard Corps (IRGC). A QR code linked in a message, scanned on a phone, can add an attacker's device as a linked Signal or WhatsApp session; contact impersonation through a spoofed voice or typed identity gets the target to send that QR on in the first place.

Three unrelated services arriving at the same attack vector is a tradecraft signal. Messaging apps have become the collection target because they now sit outside the corporate email perimeter where most monitoring lives. A journalist's Signal conversations with a source, a barrister's WhatsApp group with a client, a member of Parliament's encrypted chat with a constituent, all carry the material that traditional lawful-intercept once got from telephone taps. The mitigation both agencies recommend, passkeys plus a device audit on every linked session, is specific and actionable in a way that generic state-threat advisories rarely are. A passkey is a cryptographic key bound to the user's device that replaces the password and cannot be phished; device audits on Signal and WhatsApp are done from the app's own "linked devices" menu.

Deep Analysis

In plain English

Signal and WhatsApp allow you to use your account on more than one device. If you get a new phone, for example, you scan a QR code to link it. This is a legitimate feature. Russian, Chinese, and Iranian intelligence services have been exploiting this feature by tricking politicians, lawyers, journalists, and academics into scanning malicious QR codes, linking the attacker's device to the target's account. The victim keeps using their messaging apps normally while the attacker can also read all their messages in real time. The UK's NCSC and the Dutch intelligence service AIVD issued a joint warning about this. The recommended defences are switching to passkeys instead of passwords and regularly checking the list of linked devices in your Signal and WhatsApp settings to remove any you do not recognise.

Deep Analysis

Root Causes

Signal and WhatsApp's legitimate multi-device feature allows a user to scan a QR code displayed by any additional device to link it as an authorised second client. Both platforms implemented this to compete with iMessage and other multi-device ecosystems. The feature has no built-in alert mechanism that clearly distinguishes a legitimate second-device link from a malicious one; the notification sent to the primary device is easily missed.

The target population that intelligence agencies are trying to protect (lawyers, journalists, politicians) is exactly the population least likely to have completed advanced security configuration (passkeys, linked-device auditing) on their personal messaging accounts, because their training is in their professional domain, not operational security.

What could happen next?

Risk
Malicious QR-code device-linking requires no technical exploit and no zero-day purchase; it scales to any actor with social engineering capability, which means the threat extends well below the nation-state tier.
Consequence
Signal and WhatsApp will face regulatory and civil-society pressure to implement more prominent linked-device notifications and audit logging following the NCSC-AIVD advisory, following the precedent of Apple's Lockdown Mode introduction after Pegasus exposure.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2016 WhatsApp account compromise of Bahraini human rights activist Ahmed Mansoor, documented by Citizen Lab, which used an iOS zero-day to plant Pegasus rather than a messaging-app device-linking technique.

The QR-code linking approach documented in the 2026 NCSC-AIVD advisory requires no zero-day; it exploits a legitimate feature of Signal and WhatsApp (the ability to link a second device) through social engineering. The technical barrier to this attack is dramatically lower than the 2016 Pegasus model.

Counter-parallel: The 2022 Conti ransomware group's internal chat leak, via a Ukrainian researcher who joined the group and leaked its Jabber logs, demonstrated that even sophisticated threat actors are not immune to social-engineering approaches to messaging access. The attack documented in the NCSC-AIVD advisory inverts this: the sophisticated actor uses social engineering to access the communications of a non-technical target rather than the other way around.

Consensus view: Citizen Lab at the University of Toronto, which tracks state-sponsored targeting of civil society, documents that the shift from spearphishing email to messaging-app QR code and device-linking abuse reflects a calculated response by state actors to end-to-end encryption: rather than breaking the encryption, attackers add their own device as an authorised second device on the victim's Signal or WhatsApp account, gaining access to all future and recent messages without decrypting the transport layer.

Counter-view: The AIVD's public advisory focuses on Western civil-society targets, but Chinese cybersecurity firm Qi An Xin assessed in 2025 that FSB Star Blizzard and APT31 also conduct identical QR-linking operations against non-Western journalists and activists, particularly in Central Asian states and Hong Kong, and that the threat is not limited to NATO-adjacent targets as Western advisories imply.

Key tension: Whether passkeys plus device audit is a realistic mitigation for the non-technical target population (politicians, academics, lawyers) that these agencies are trying to protect, or whether the mitigation gap between technical recommendation and non-technical adoption will sustain the attack's effectiveness indefinitely.

Sources:NCSC UK

Mentions:NCSC →AIVD →FSB Star Blizzard →APT28 →Islamic Revolutionary Guard Corps (IRGC) →Meta →Facebook Messenger →Russia →China →Iran →Bahrain →NATO →Prima →Toronto →Intel →Hong Kong →FSB →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK· 17 Apr 2026

Read original →

Causes and effects

This Event

Signal, WhatsApp hit by three states

Three unrelated state services converging on the same civil-society attack vector suggests messaging-app compromise has become a standard intelligence-collection method.

Led to

FIRESTARTER implant survives every Cisco firewall patch

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 24 Apr 2026

Read story →

Different Perspectives

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Google Threat Intelligence Group

GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.

NCSC

The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.

Microsoft Security Response Center

The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.

CISA

CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.