What Happened
- Dutch intelligence agencies AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service) issued a joint cyber advisory on 9 March 2026 warning of an active, large-scale Russian state-backed campaign targeting Signal and WhatsApp accounts of government officials, military personnel, and journalists globally.
- The attackers exploit the legitimate "linked devices" feature in both apps — tricking victims into scanning a malicious QR code that silently links their account to a device controlled by the attacker, enabling real-time eavesdropping without needing to compromise the victim's phone.
- Confirmed victims include Dutch government employees; the MIVD director warned that despite end-to-end encryption, Signal and WhatsApp are not suitable for classified or sensitive government communications.
- Warning signs of compromise include a contact appearing twice in a user's contact list under the same or slightly altered name, or a number showing up as "deleted account" — indicators that an account has been paired with an additional linked device.
- Users were advised to audit their linked devices list in app settings, check group chats for suspicious duplicate accounts, verify unusual accounts by phone or email, and report concerns to IT security teams.
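The duplicate-contact and "deleted account" warning signs listed above can be checked mechanically over a group's member list. The sketch below is an added example, not code from the advisory or from either app: the roster format, the names and numbers, and the 0.9 similarity threshold are all assumptions, and the roster is presumed to have been copied out by hand because neither app is assumed to offer an export for it.

```python
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample: (display name, number) pairs copied by hand from a
# group's member list. Every name and number here is made up.
ROSTER = [
    ("Anna de Vries", "+0000000001"),
    ("Anna de Vries", "+0000000099"),    # same name, second number
    ("Pieter Jansen", "+0000000002"),
    ("Pieter Janssen", "+0000000077"),   # slightly altered name
    ("Deleted account", "+0000000003"),
    ("Sophie Bakker", "+0000000004"),
]
DELETED_LABEL = "deleted account"

def normalise(name):
    """Fold case, accents and spacing so cosmetic variants compare equal."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    bare = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(bare.split())

def audit_roster(roster, threshold=0.9):
    """Return (kind, number, other_number) findings for manual verification."""
    findings, live = [], []
    for name, number in roster:
        if normalise(name) == DELETED_LABEL:
            findings.append(("deleted-account", number, None))
        else:
            live.append((normalise(name), number))
    for (name_a, num_a), (name_b, num_b) in combinations(live, 2):
        if num_a == num_b:
            continue  # same account listed twice in the input, not a second account
        if name_a == name_b:
            findings.append(("duplicate-name", num_a, num_b))
        elif SequenceMatcher(None, name_a, name_b).ratio() >= threshold:
            findings.append(("similar-name", num_a, num_b))
    return findings

if __name__ == "__main__":
    for finding in audit_roster(ROSTER):
        print(finding)
```

Each finding is a lead to verify by phone or email, as the advisory recommends, rather than proof of compromise.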
Static Topic Bridges
The "Linked Devices" Attack Vector: How Encryption Is Bypassed
Signal and WhatsApp offer end-to-end encryption (E2EE), meaning messages are encrypted on the sender's device and can only be decrypted on the intended recipient's device — no server in between can read them. However, both apps provide a "linked devices" feature that allows users to access the same account on multiple devices simultaneously (e.g., WhatsApp Web on a laptop). This feature requires the user to scan a QR code to authorise a new device. Attackers in this campaign craft malicious QR codes — embedded in phishing messages or fake official communications — that, when scanned by a victim, link the attacker's device to the victim's account. Once linked, all future messages are delivered to both the victim and the attacker in real time, completely bypassing E2EE without exploiting any software vulnerability.
- E2EE protects messages in transit but does nothing if an attacker is authenticated as the account holder.
- Linked devices in WhatsApp/Signal: up to 4 additional devices can be connected to one account.
- The attack exploits a legitimate feature (not a zero-day vulnerability), making detection difficult.
- The technique is known as "GhostPairing" in cybersecurity research.
- Once linked, the attacker receives a synchronised copy of all messages without the victim being notified.
Connection to this news: The Dutch warning specifically highlights that Russia-backed actors have operationalised the QR-code-based device-linking trick at scale — targeting high-value individuals (officials, journalists) — demonstrating that even highly secure messaging apps can be compromised through social engineering rather than technical exploits.
State-Sponsored Cyber Espionage: Threat Landscape
State-sponsored cyber operations — conducted by or on behalf of a national government — have expanded beyond traditional network intrusion to target personal communications platforms used by officials, diplomats, journalists, and civil society. Russia, China, Iran, and North Korea are the most frequently attributed actors in such campaigns. The targeting of messaging apps reflects a deliberate strategy: officials often discuss sensitive matters on personal devices using commercial apps, which may be less hardened than classified government systems. The AIVD-MIVD advisory follows earlier warnings by the UK's NCSC and the US CISA about similar Russian tactics targeting Signal specifically.
- Russia's GRU (military intelligence) and FSB (security service) are the primary attributed actors for messaging app campaigns.
- APT groups involved: Fancy Bear (APT28, GRU), Cozy Bear (APT29, SVR), and UAC-0195 (linked to Russia).
- The campaign predates the Netherlands warning; similar tactics were flagged by Google Threat Intelligence Group in early 2025.
- Journalists covering the Russia-Ukraine conflict, diplomats, and defence ministry officials are primary targets.
- Previous high-profile linked-device compromise: Ukrainian military officials' Signal accounts in 2024-25.
Connection to this news: The Netherlands is the seat of multiple international courts (ICJ, ICC) and NATO cyber institutions, making its officials high-value espionage targets. The Dutch advisory also signals that Western intelligence agencies are now openly attributing and publicising Russian tactics — a deterrence-by-disclosure approach.
Cybersecurity Governance: India's Context
India is among the top five most cyber-attacked nations globally. The Indian Computer Emergency Response Team (CERT-In), established under the IT Act 2000 (Section 70B), is the national nodal agency for cybersecurity. India's National Cyber Security Policy (2013) and the draft National Cybersecurity Strategy (2020) recognise state-sponsored cyber threats as a critical security challenge. The Telecom Cybersecurity Rules (2024) mandate service providers to report cybersecurity incidents to CERT-In within six hours. The Dutch warning has direct relevance for India given widespread use of WhatsApp by government officials — an issue that has previously drawn attention from India's cybersecurity establishment.
- CERT-In: national nodal agency for cyber incidents; reports to Ministry of Electronics and IT.
- IT Act 2000 (amended 2008): primary legislation governing cybersecurity in India.
- CERT-In mandatory reporting: cybersecurity incidents must be reported within 6 hours (2022 directive).
- India's National Cyber Coordination Centre (NCCC) and Defence Cyber Agency (DCA) are key institutions.
- WhatsApp penetration in India: ~500 million users — highest globally — including widespread use by officials.
Connection to this news: The Russian campaign targeting Signal and WhatsApp accounts of officials and journalists is directly relevant to India's internal security calculus — official use of consumer messaging apps for sensitive communication remains a persistent vulnerability that mirrors the Dutch experience.
Key Facts & Data
- Advisory issued by: AIVD and MIVD (Netherlands), 9 March 2026.
- Attack method: Malicious QR codes abusing the "linked devices" feature (not a software vulnerability).
- Confirmed victims: Dutch government employees; potential victims globally across government and journalism.
- Warning signs: contact appearing twice in list; number showing as "deleted account".
- MIVD director's statement: Signal/WhatsApp not suitable for classified or sensitive government information.
- User mitigation: check Settings > Linked Devices, remove unknown devices, enable registration lock/PIN.
- E2EE limitation: protects messages in transit only — does not protect against authenticated device linking.
- Prior warnings: UK NCSC, US CISA, and Google Threat Intelligence Group had flagged similar Russian tactics in 2024-25.