14JUN

Signal, WhatsApp hit by three states

3 min read

11:51UTC

Russia's FSB, China's APT31 and Iran's IRGC are all running the same trade against journalists, lawyers and politicians. NCSC and Dutch AIVD advised passkeys plus a device audit.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyAssessed

Key takeaway

Three state services converging on the same civil-society vector makes messaging-app compromise a standard intelligence technique.

The UK National Cyber Security Centre (NCSC) and the Dutch General Intelligence and Security Service (AIVD) issued joint advisories on 31 March and 9 March 2026 warning that state-linked actors are targeting the Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers using malicious QR codes and contact impersonation ¹. The named clusters span three adversary states: Russia's Federal Security Service (FSB) running the operation known as Star Blizzard, China's APT31, and the Iranian Islamic Revolutionary Guard Corps (IRGC). A QR code linked in a message, scanned on a phone, can add an attacker's device as a linked Signal or WhatsApp session; contact impersonation through a spoofed voice or typed identity gets the target to send that QR on in the first place.

Three unrelated services arriving at the same attack vector is a tradecraft signal. Messaging apps have become the collection target because they now sit outside the corporate email perimeter where most monitoring lives. A journalist's Signal conversations with a source, a barrister's WhatsApp group with a client, a member of parliament's encrypted chat with a constituent, all carry the material that traditional lawful-intercept once got from telephone taps. The mitigation both agencies recommend, passkeys plus a device audit on every linked session, is specific and actionable in a way that generic state-threat advisories rarely are. A passkey is a cryptographic key bound to the user's device that replaces the password and cannot be phished; device audits on Signal and WhatsApp are done from the app's own "linked devices" menu.

Deep Analysis

In plain English

Signal and WhatsApp allow you to use your account on more than one device. If you get a new phone, for example, you scan a QR code to link it. This is a legitimate feature. Russian, Chinese, and Iranian intelligence services have been exploiting this feature by tricking politicians, lawyers, journalists, and academics into scanning malicious QR codes, linking the attacker's device to the target's account. The victim keeps using their messaging apps normally while the attacker can also read all their messages in real time. The UK's NCSC and the Dutch intelligence service AIVD issued a joint warning about this. The recommended defences are switching to passkeys instead of passwords and regularly checking the list of linked devices in your Signal and WhatsApp settings to remove any you do not recognise.

Deep Analysis

Root Causes

Signal and WhatsApp's legitimate multi-device feature allows a user to scan a QR code displayed by any additional device to link it as an authorised second client. Both platforms implemented this to compete with iMessage and other multi-device ecosystems. The feature has no built-in alert mechanism that clearly distinguishes a legitimate second-device link from a malicious one; the notification sent to the primary device is easily missed.

The target population that intelligence agencies are trying to protect (lawyers, journalists, politicians) is exactly the population least likely to have completed advanced security configuration (passkeys, linked-device auditing) on their personal messaging accounts, because their training is in their professional domain, not operational security.

What could happen next?

Risk
Malicious QR-code device-linking requires no technical exploit and no zero-day purchase; it scales to any actor with social engineering capability, which means the threat extends well below the nation-state tier.
Consequence
Signal and WhatsApp will face regulatory and civil-society pressure to implement more prominent linked-device notifications and audit logging following the NCSC-AIVD advisory, following the precedent of Apple's Lockdown Mode introduction after Pegasus exposure.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2016 WhatsApp account compromise of Bahraini human rights activist Ahmed Mansoor, documented by Citizen Lab, which used an iOS zero-day to plant Pegasus rather than a messaging-app device-linking technique.

The QR-code linking approach documented in the 2026 NCSC-AIVD advisory requires no zero-day; it exploits a legitimate feature of Signal and WhatsApp (the ability to link a second device) through social engineering. The technical barrier to this attack is dramatically lower than the 2016 Pegasus model.

Counter-parallel: The 2022 Conti ransomware group's internal chat leak, via a Ukrainian researcher who joined the group and leaked its Jabber logs, demonstrated that even sophisticated threat actors are not immune to social-engineering approaches to messaging access. The attack documented in the NCSC-AIVD advisory inverts this: the sophisticated actor uses social engineering to access the communications of a non-technical target rather than the other way around.

Consensus view: Citizen Lab at the University of Toronto, which tracks state-sponsored targeting of civil society, documents that the shift from spearphishing email to messaging-app QR code and device-linking abuse reflects a calculated response by state actors to end-to-end encryption: rather than breaking the encryption, attackers add their own device as an authorised second device on the victim's Signal or WhatsApp account, gaining access to all future and recent messages without decrypting the transport layer.

Counter-view: The AIVD's public advisory focuses on Western civil-society targets, but Chinese cybersecurity firm Qi An Xin assessed in 2025 that FSB Star Blizzard and APT31 also conduct identical QR-linking operations against non-Western journalists and activists, particularly in Central Asian states and Hong Kong, and that the threat is not limited to NATO-adjacent targets as Western advisories imply.

Key tension: Whether passkeys plus device audit is a realistic mitigation for the non-technical target population (politicians, academics, lawyers) that these agencies are trying to protect, or whether the mitigation gap between technical recommendation and non-technical adoption will sustain the attack's effectiveness indefinitely.

Sources:NCSC UK

Mentions:NCSC →AIVD →FSB Star Blizzard →APT28 →Islamic Revolutionary Guard Corps (IRGC) →Meta →Facebook Messenger →Russia →China →Iran →Bahrain →NATO →Prima →Toronto →Intel →Hong Kong →FSB →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK· 17 Apr 2026

Read original →

Causes and effects

This Event

Signal, WhatsApp hit by three states

Three unrelated state services converging on the same civil-society attack vector suggests messaging-app compromise has become a standard intelligence-collection method.

Led to

FIRESTARTER implant survives every Cisco firewall patch

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 24 Apr 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.