SBU and FBI detail Russian credential phishing of Signal and WhatsApp accounts via morning impersonation texts

Ukraine's SBU, working with the FBI, documented a sustained campaign that relied exclusively on social engineering rather than zero-days. Attackers sent SMS messages impersonating platform support during early morning hours when targets were most likely to respond without scrutiny. The goal was one-time codes and PINs that allowed full account takeover, granting access to military coordination threads, activist networks and government deliberations across Signal, WhatsApp and Telegram.

This matches the technical pattern reported by Dutch AIVD and MIVD in early 2024, where Russian operators posed as support staff to harvest verification codes from the same categories of targets. SBU statements note battlefield phone seizures as a parallel vector, where malware extracted cached encrypted messages after physical compromise. No contract or procurement records have surfaced naming the specific GRU or SVR subunit, leaving attribution reliant on Ukrainian intelligence rather than independent infrastructure tracing.

The operational significance lies in the low cost and high yield: once an account is controlled, adversaries obtain months of unencrypted context that survives even Signal's disappearing messages if backups or linked devices are present. Western agencies have issued similar warnings but released no CVE-linked data because the vector bypasses the apps entirely. Expect continued refinement of timing and impersonation scripts as Ukrainian forces increase Signal dependency.

Next indicators will likely appear in procurement notices for Russian-language SIM farms or in seized phishing infrastructure tied to known APT domains.