politico.eu
April 1, 2026 8:54 pm CET
By Zoya Sheftalovich, Sam Clark and Sebastian Starcevic
European Commission department chiefs and their deputies were told to stop gabbing on the encrypted app following a series of cyberattacks on the EU’s internal communications.
BRUSSELS — The European Commission has told some of its most senior officials to shut down a Signal group they were using to exchange information over fears it was a hacking target.
Department chiefs and deputy chiefs were members of the group chat on the encrypted messaging app, according to three Commission officials with knowledge of the issue. The embargo comes as the EU grapples with a series of spying allegations, with the Commission saying last week it was investigating a cyberattack on its websites.
“Cyber operations” are “increasing in quality and quantity” including from both data-hungry criminals and foreign governments, said Sven Herpig, a cybersecurity and emerging threats researcher at German think tank Interface. “Politicians and political parties have always been targeted” by spies and snoops, he added.
The Commission became aware of the group chat last month and asked its members to delete it fearing they could be targeted by hackers, two of the officials said. There is no evidence any member of the group was intercepted, and the order to stop using the chat was issued due to increasing security concerns about messaging apps in the institution, one of the officials said. Last month, a private telephone conversation between a POLITICO reporter and an EU official was intercepted and published online.
Two other Commission officials and one of the officials mentioned above, all of whom were granted anonymity to speak freely about sensitive matters, confirmed that members of commissioners' cabinets and other senior bureaucrats had received messages asking them to enter their Signal PIN codes, which were identified as phishing attempts.
“Signal is pretty secure, but if an attacker owns your phone, they might have access to your chats, including your pictures and everything else you have on your phone,” Herpig said. “If you want to communicate as a politician, as a parliamentarian … you don’t have any better options.”
Users of the messaging app WhatsApp have also been targeted, although attempted hacks have lately been more common in Signal, two of the officials said.
The Commission's official guidance for its employees suggests they should avoid WhatsApp and instead use Signal, which cybersecurity experts regard as more secure.
A Commission spokesperson said: "We do not comment on internal security practices. We take cybersecurity risks very seriously and have clear internal guidelines for our staff."
The institution is taking the recent spate of attacks seriously, holding comprehensive cybersecurity assessments and regularly replacing officials' phones and devices, two Commission officials said.
The Commission is investigating a cyberattack on its websites, with early findings suggesting some data was stolen, the institution said Friday. In January the Commission said it had found evidence of a cyberattack on the technical infrastructure it uses to manage its mobile devices, which “may have resulted” in hackers gaining access to staff names and mobile numbers.
Hacking and Signal vulnerability is an issue not just for the Commission. Intelligence services in the Netherlands warned last month of a “large-scale global cyber campaign,” in which hackers from the Kremlin posed as a fake Signal support chatbot to trick officials into revealing their app PIN codes. French, German, Portuguese and British security services issued similar alerts.
“The best option you have right now is Signal, Threema, and after that, to a certain degree, WhatsApp,” said Herpig of Interface. Threema is a Swiss-developed encrypted messaging app.
Signal and WhatsApp lack features required for government comms, said Matthew Hodgson, chief executive of Element, a company that built tech used by multiple European governments for secure messaging apps. "You can't kick somebody out of a WhatsApp group if they get fired from the government. You have no single sign-on, no authentication access control … you have a single point of failure."
The use of Signal by government officials drew a spotlight last year after the editor-in-chief of U.S. magazine The Atlantic was accidentally added to a Signal group chat containing some of the most senior members of the U.S. government, including Vice President JD Vance, in which they discussed detailed military plans — in a breach of security dubbed Signalgate. The episode highlighted the extent to which commercial messaging apps have become embedded in government operations.
Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a Czech entity previously associated with the Intellexa Consortium.
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
Massive ‘Typhoon’ cyberattacks on U.S. infrastructure and telecoms sought to lay groundwork for potential conflict with Beijing, as intruders gathered data and got in position to impede response and sow chaos
This guide provides network engineers and defenders of communications infrastructure with best practices to strengthen their visibility and harden their network
Ukrainian hackers carried out a cyberattack that took down online broadcasts of Russian state television and radio channels on Monday, according to an official in Kyiv with knowledge of the operation.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.
The U.S. Treasury Department has sanctioned a Wuhan-based company used by the Chinese Ministry of State Security (MSS) as cover in attacks against U.S. critical infrastructure organizations.
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
Canada's domestic food production system may actually be one of the most glaring cracks in Canada's national defences.
...
Attacking agricultural infrastructure has proven to be an effective part of the Russian playbook so far in its invasion of Ukraine. In June 2022, EU trade counsellor Maud Labat said Moscow has figured out how to wield food as a “geopolitical weapon.”