Portugal's Intelligence Agency Warns of Russian Cyber Campaign Targeting Officials' WhatsApp and Signal Accounts
Portugal's intelligence agency SIS warns of a state-backed cyber campaign — attributed to Russia by Dutch intelligence — targeting officials' WhatsApp and Signal accounts using AI-powered impersonation and phishing.
Portugal's Security Information Service (SIS) has issued a rare public warning about a state-backed cyber espionage campaign targeting the WhatsApp and Signal accounts of government officials, diplomats, military personnel, and journalists. Dutch intelligence services, which issued a parallel alert, have attributed the campaign directly to Russia.
What Is Happening
According to the joint warnings from Portuguese and Dutch agencies, the campaign uses a combination of social engineering, phishing, and artificial intelligence to compromise encrypted messaging accounts. The attackers are not exploiting vulnerabilities in WhatsApp or Signal themselves — the platforms remain secure. Instead, they are tricking individual users into handing over access.
The methods include:
- AI-powered impersonation: Attackers collect voice recordings and images of targets' trusted contacts, then use AI tools to conduct natural-sounding conversations via messages, phone calls, or even video calls — making it extremely difficult to distinguish the impersonator from the real person
- Fake technical support: Targets receive messages claiming to be from WhatsApp or Signal support, asking them to share verification codes or click on links that compromise their accounts
- Device-linking abuse: Once attackers obtain a target's one-time code, they can link a new device to the victim's account, gaining real-time access to all messages, group chats, and shared files, without the victim necessarily noticing
Who Is Being Targeted
Portugal's SIS described the targets as "government officials, diplomats, military personnel, and civil society members with access to privileged information from Portugal and allied countries." The Dutch General Intelligence and Security Service (AIVD) was more specific, confirming that government officials are among the victims and warning that journalists covering defence, intelligence, and foreign policy are also at risk.
Neither agency disclosed how many Portuguese accounts have been compromised, but the Dutch authorities indicated the campaign is global in scope, with targets across multiple NATO member states.
Russia's Role
While Portugal's SIS did not publicly name the state behind the campaign — consistent with its practice of avoiding direct attribution in public statements — the Netherlands' AIVD explicitly identified Russian state-backed hackers as responsible. The campaign aligns with known tactics used by Russian military intelligence (GRU) and the Federal Security Service (FSB), which have previously targeted encrypted messaging platforms in Ukraine, the Baltic states, and Western Europe.
How to Protect Yourself
Even if you are not a government official, the techniques described in this campaign are increasingly used against ordinary targets, including business executives, activists, and anyone with access to sensitive information. Here are the key steps to protect your accounts:
- Enable two-step verification on both WhatsApp (Settings → Account → Two-step verification) and Signal (Settings → Account → Registration Lock). This adds a PIN that attackers cannot bypass even if they obtain your SMS code
- Never share verification codes with anyone, regardless of who they claim to be. Neither WhatsApp nor Signal will ever ask for your code
- Check linked devices regularly: In WhatsApp, go to Settings → Linked Devices. In Signal, go to Settings → Linked Devices. Remove any device you do not recognise
- Be sceptical of unexpected messages from known contacts asking for codes, money, or sensitive information — especially if the tone or language seems slightly off
- Verify identity through a separate channel: If a colleague or friend sends an unusual request via WhatsApp, call them on a different phone number or speak to them in person before responding
Portugal's Cybersecurity Context
The warning comes just days after Portugal's new cybersecurity law took effect on April 3, transposing the EU's NIS2 Directive into national law. That legislation requires essential-service operators, government bodies, and medium-to-large enterprises to meet stricter cybersecurity standards and report incidents within 24 hours, and it provides for fines for non-compliance.
Portugal has historically lagged behind its European peers in cybersecurity readiness. A 2024 Global Cybersecurity Index ranked Portugal 32nd among EU member states, and the country's National Cybersecurity Centre (CNCS) has repeatedly warned that both public and private sectors need to invest more in digital defences.
The SIS warning underscores that the threat is not abstract — it is active, targeted, and operating inside Portugal's own government communications channels.