
FBI warns of Russian, Iranian cyber activity involving messaging platforms

The FBI warned Friday in two separate notices about Russian and Iranian cyber campaigns involving messaging platforms. 

Russia’s intelligence services are allegedly targeting commercial applications like Signal, compromising the accounts of current and former U.S. government officials, military personnel, political figures and journalists.

The FBI, alongside the Cybersecurity and Infrastructure Security Agency (CISA), said the global campaign “has resulted in unauthorized access” to thousands of accounts.

Russian actors are sending phishing messages made to look like automated support notices. The messages are designed to make victims think they need to take an action like clicking a link or providing verification codes and account PINs. 

“If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account either by adding the attacker's device as a linked device or through a full account takeover. As the campaign evolves, actors may use additional techniques, such as malware to infect the victim,” the agencies said. 

“After compromising an account, malicious actors can view the victims' messages and contact lists, send messages, and conduct additional phishing against other [messaging] accounts.”

While the notice focuses on Signal accounts, the FBI said it could apply to any messaging app. The agencies urged people to be wary of unverified messages and to “strengthen personal cybersecurity.” The advisory reiterates that the campaign does not exploit a vulnerability in Signal or other messaging apps; it is designed to get around encryption by compromising the users themselves. 

During congressional testimony last year, Director of National Intelligence Tulsi Gabbard highlighted guidance released last year by CISA following the breach of U.S. telecom networks by Chinese hackers that urged “highly targeted individuals” to use “end-to-end encrypted communications.” She noted Signal comes pre-installed on federal government devices.

In December, President Donald Trump signed a Pentagon policy bill that requires the Defense secretary to ensure DOD senior leaders are provided mobile phones with “enhanced cybersecurity protections,” including data encryption. 

The Pentagon’s inspector general previously issued a report that found Defense Secretary Pete Hegseth broke existing department rules for handling sensitive information and potentially put troops in danger when he used Signal to discuss the then-pending U.S. military strike in Yemen. 

After President Donald Trump took office last year, The Atlantic released the full transcript of a Signal conversation, held among Cabinet-level officials ahead of a strike on the Houthi armed group in Yemen, after a journalist was mistakenly added to the chat. The chat members spoke openly about strike timings and the kinds of aircraft used.

Another watchdog report concluded the Defense Department lacks a secure messaging platform that could help coordinate sensitive operations.

Handala Hack

The FBI released another flash alert on Friday detailing how Iran’s Ministry of Intelligence and Security (MOIS) is using the messaging platform Telegram as infrastructure to communicate with malware used to infect the devices of Iranian dissidents, journalists and others. 

The malware allows MOIS to steal information and monitor those being targeted. The threat actors made the malware look like commonly used programs or services on Windows machines. Infected devices are connected to bots on Telegram “that enabled remote user access to exfiltrate screen captures or files from the victim devices.” 

The FBI tied the use of Telegram directly to the alleged Iranian group known as Handala Hack, which recently took credit for an attack on medical device company Stryker.

The agency said the malware was in some cases initially made to look like AI video generator Pictory, password manager KeePass, or Telegram before it was opened and connected to a government-controlled Telegram bot, which allowed “bidirectional communication between the compromised device and api.telegram[.]org.” 

At least one victim was contacted through social media messaging apps, with the hackers pretending to be part of technical support for the app.

The Iranian cyber actors “then convinced the victim to accept a file transfer consisting of the masquerading stage 1 malware.” 

Additional malware was downloaded once initial access was established on the victim’s system.

The malware allowed for screen and audio recordings, cache captures, file compression, file deletion and more. 

“Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim,” the advisory said.  

Several experts said the use of Telegram as a key link in a compromise is a growing trend among cybercriminals and state-backed actors who use it as command-and-control infrastructure. 

Ensar Seker, CISO at SOCRadar, said Telegram allows threat actors to blend malicious traffic into trusted, encrypted platforms. 

“By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default,” Seker said. 

“The bigger implication is that encrypted messaging platforms are becoming dual-use infrastructure for both communication and covert operations. Security teams need to reassess their trust assumptions and implement visibility controls around sanctioned apps, including logging, anomaly detection, and strict access policies.”
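The visibility controls Seker describes can be made concrete. The following Python script is an added example, not code from the FBI alert, the article, or any vendor: it runs over a few constructed endpoint telemetry lines and flags connections to api.telegram.org (the channel the alert names) that come from a process other than a sanctioned Telegram Desktop install, plus any host whose upload volume to that destination is unusually large. The log field names, the allowlisted install path and the byte threshold are all assumptions made for this example; because the alert says the malware was made to look like Telegram, KeePass or Pictory, the allowlist matches on the install path as well as the process name.

```python
import json
from collections import defaultdict

# Destination the FBI alert names as the malware's channel (written
# api.telegram[.]org in the article).
WATCHED_HOST = "api.telegram.org"

# Only process allowed to reach that host, matched on name AND on the tail of
# its path, since a process simply named Telegram.exe proves nothing. The
# suffix is the Telegram Desktop default install location (assumption).
SANCTIONED = {
    "telegram.exe": r"\telegram desktop\telegram.exe",
}

# Per-host upload volume above which a second alert fires (assumed threshold;
# screen captures and files leaving through a bot add up quickly).
UPLOAD_THRESHOLD_BYTES = 1024 * 1024

# Constructed sample telemetry, one JSON event per line. The schema is an
# assumption for this example, not any product's format.
SAMPLE_LOGS = r"""
{"ts":"2026-02-06T09:01:12Z","host":"wks-014","process":"Telegram.exe","path":"C:\\Users\\asmith\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe","dst_host":"api.telegram.org","bytes_out":2140}
{"ts":"2026-02-06T09:02:40Z","host":"wks-014","process":"chrome.exe","path":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dst_host":"example.org","bytes_out":900}
{"ts":"2026-02-06T09:05:03Z","host":"wks-022","process":"KeePass.exe","path":"C:\\Users\\jdoe\\Downloads\\KeePass.exe","dst_host":"api.telegram.org","bytes_out":51200}
{"ts":"2026-02-06T09:05:09Z","host":"wks-022","process":"KeePass.exe","path":"C:\\Users\\jdoe\\Downloads\\KeePass.exe","dst_host":"api.telegram.org","bytes_out":3145728}
{"ts":"2026-02-06T09:07:55Z","host":"wks-031","process":"Telegram.exe","path":"C:\\Users\\mlee\\Downloads\\Telegram.exe","dst_host":"api.telegram.org","bytes_out":1200}
"""


def parse_events(log_text):
    """Yield one dict per non-empty JSON line; silently skip unparsable lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_sanctioned(process, path):
    """True only when both the process name and its path match the allowlist."""
    suffix = SANCTIONED.get(process.lower())
    return suffix is not None and path.lower().endswith(suffix)


def analyze(log_text):
    """Return alert dicts for traffic to WATCHED_HOST, in first-seen order."""
    alerts = []
    seen = set()
    upload_by_host = defaultdict(int)

    for ev in parse_events(log_text):
        if ev.get("dst_host") != WATCHED_HOST:
            continue
        host, process, path = ev["host"], ev["process"], ev.get("path", "")
        upload_by_host[host] += int(ev.get("bytes_out", 0))

        # Rule 1: anything other than the sanctioned client talking to the bot API.
        if not is_sanctioned(process, path):
            key = (host, process, path)
            if key not in seen:
                seen.add(key)
                alerts.append({"rule": "unsanctioned_process", "host": host,
                               "process": process, "path": path, "ts": ev["ts"]})

    # Rule 2: a host pushing more data to the bot API than a chat client should.
    for host, total in upload_by_host.items():
        if total > UPLOAD_THRESHOLD_BYTES:
            alerts.append({"rule": "high_volume_upload", "host": host,
                           "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the script raises two process alerts (a KeePass binary in a Downloads folder and a Telegram.exe outside the standard install path, both reaching the bot API) and one volume alert for the host that pushed about 3 MB to it. In practice the allowlist would be populated from the organisation's software inventory and the threshold tuned against normal Telegram client traffic on sanctioned hosts.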

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.