Germany Blames Russia for Signal Phishing Attacks on MPs


German authorities say a wave of phishing attacks targeting lawmakers and senior officials via Signal was “presumably run from Russia,” marking a major escalation in a broader campaign against European political figures.

BERLIN, GERMANY — What began as a targeted intrusion has evolved into a full-scale diplomatic and espionage crisis. German authorities have now publicly attributed a sophisticated Signal phishing campaign to Russian-linked actors, escalating a probe that first made headlines earlier this month.

The attribution follows our prior coverage of the compromise of Bundestag President Julia Klöckner, whose account was hijacked through a similar social-engineering scheme. While that incident was initially viewed as an isolated high-value hit, federal prosecutors now treat the campaign as a coordinated act of state-sponsored espionage targeting the very heart of the German government.

Signal Phishing Campaign Profile

Metric | Detail
Primary Targets | German MPs, Civil Servants, Diplomats, and Journalists.
Attack Vector | Account Takeover (ATO) via SMS/PIN Phishing overlays.
Attribution | State-linked (Russia cited by German authorities).
Legal Action | Formal Espionage Probe opened by Federal Prosecutors.

From Social Engineering to State Espionage

The campaign is notable not for its technical complexity, but for its strategic precision. According to reports from Reuters and AFP, the attackers targeted a broad spectrum of high-value individuals, including:

  • Members of Parliament (MPs)
  • Senior Civil Servants
  • Diplomats
  • Journalists covering sensitive political beats

The methodology remains consistent: attackers impersonate Signal support staff or trusted contacts, sending urgent messages designed to trick victims into revealing their Signal PINs or SMS verification codes. This is a classic Account Takeover (ATO) play — the attackers are not breaking Signal’s end-to-end encryption; they are simply "walking through the front door" by stealing the session credentials.

The Escalation: A Formal Spying Probe

The shift from "suspicious activity" to formal attribution marks a turning point for German internal security. Federal prosecutors have opened a formal investigation into the matter, with the German government stating the campaign was "presumably run from Russia."

This attribution situates the Signal attacks within a larger wave of state-linked messaging-app phishing across Europe. By gaining access to a single MP’s account, attackers can map out entire contact networks, exfiltrate sensitive attachments, and — perhaps most damagingly — monitor private political group chats in real time.


The CyberSignal Analysis: Strategic Signals

Signal 01 — The Trust Model is the Vulnerability

The attackers are weaponizing the "safe haven" reputation of Signal. Because users trust the platform’s privacy, they are often less skeptical of messages appearing to come from "Signal Support." This shows that as apps become more secure at the protocol level, the human element becomes the primary exploit path.

Signal 02 — Messaging Apps as Espionage Hubs

Secure messaging apps are no longer just for private chat; they have become de facto workspaces for government officials. This makes a single successful ATO a "force multiplier" for intelligence agencies, granting them access to unencrypted contact lists and community discussions that are often more candid than official email.

Signal 03 — The Trend of Public Attribution

Germany's decision to name Russia "presumably" responsible reflects a growing trend of "naming and shaming" in European cyber-policy. By making the attribution public, Germany is signaling that it views these social-engineering campaigns as a violation of sovereignty, not just a nuisance.


Sources

Type | Source
Primary | Reuters: German attribution report
Agency | Euronews: Official Probe Update
Analysis | The CyberSignal: Klöckner Case Study
