Seriously Risky Business Newsletter
May 21, 2026
Srsly Risky Biz: Politicians to Ditch Signal for Homegrown Apps
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Push Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

European governments are trying to move their politicians away from encrypted messaging apps like Signal and WhatsApp and towards sovereign encrypted messaging solutions. This won't be as safe and secure as they think it will, but at least they'll have sovereign control.
Back in 2020, the European Commission (EC) told its staff that Signal had been "selected as the recommended application for public instant messaging". The idea at the time was it would be used for communications between staff and people outside the Commission. There were already encrypted ways to send sensitive information internally, like encrypted internal email, but they were relatively inconvenient and clunky.
Signal is easy, and adopting it for that relatively narrow use case was a good thing. From a security point of view it was a massive step up from alternatives such as SMS or email, which are more vulnerable to interception and keep plaintext copies lying around on servers.
However, there has been a lot of scope creep since then as Signal's convenience as an app on personal smartphones became the universal "good enough" solution for basically everything. Signal, and to a lesser extent WhatsApp, has become the de facto global communications infrastructure for politicians and bureaucrats worldwide.
Despite this, the advice of the European Union's diplomatic service is that these chats should not be used to discuss sensitive information, only for "informal exchanges" like arranging meetings.
It's great advice, but absolutely nobody will follow it. The reality is Signal is used for statecraft. In 2024, for example, French President Emmanuel Macron even used Signal to raise concerns about a trade deal with EC President Ursula von der Leyen.
Of course, this isn't just a European phenomenon. In the US, senior members of the Trump administration were using Signal like crazy and accidentally invited a reporter into a group chat that was discussing imminent war plans. Outside of the administration, large Signal group chats have been described as "a kind of dark matter of American politics and media". UK parliamentarians and political parties also use Signal and WhatsApp.
High-level discussions being held on Signal inevitably attract state-backed hackers, who have come up with clever ways to phish users and spy on accounts. These phishing campaigns abuse Signal's linked devices feature, which allows one account to be used concurrently on multiple devices. In these attacks, the attacker convinces the victim to link an attacker-controlled device by dressing up a device-linking request so that it looks like some other legitimate Signal resource, such as a group invite QR code. When the attack succeeds, the attacker's device is linked to the victim's account and receives the victim's Signal communications from that point on; the only tell on the victim's side is an unfamiliar entry in the app's Linked Devices list. The most prolific of these campaigns have been attributed to Russian intelligence services.
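As an added illustration (not code from the newsletter, Signal or any government), here is the kind of check a security team could run on a decoded QR or link payload before a user opens it in Signal. It assumes the URI shapes Signal clients use at the time of writing, which should be verified against the clients you deploy: `sgnl://linkdevice?uuid=...&pub_key=...` for device linking, `https://signal.group/#...` for group invites and `https://signal.me/#p/<number>` for contact links. The sample payloads are constructed; the point is that the payload, not the pitch around it, says what scanning will do.

```python
from urllib.parse import parse_qs, urlparse

# Assumed URI shapes (verify against the Signal clients you deploy):
#   device linking : sgnl://linkdevice?uuid=<id>&pub_key=<key>
#   group invite   : https://signal.group/#<opaque invite payload>
#   contact link   : https://signal.me/#p/<phone number>
DEVICE_LINK = "device-link"
GROUP_INVITE = "group-invite"
CONTACT = "contact"
OTHER = "other"


def classify_signal_qr(payload: str) -> str:
    """Return what a QR/link payload would actually do inside Signal.

    The phishing described above works because the surrounding page or
    image says "group invite" while the encoded payload says "link a new
    device". Classifying the payload instead of trusting the pitch
    exposes the mismatch.
    """
    parts = urlparse(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()

    if scheme == "sgnl" and host == "linkdevice":
        query = parse_qs(parts.query)
        # A real linking request carries both the device id and its public key.
        if "uuid" in query and "pub_key" in query:
            return DEVICE_LINK
        return OTHER
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return GROUP_INVITE
    if scheme == "https" and host == "signal.me" and parts.fragment.startswith("p/"):
        return CONTACT
    return OTHER


def matches_expected(payload: str, expected: str) -> bool:
    """True when the payload does what the user was told it does."""
    return classify_signal_qr(payload) == expected


# Constructed sample payloads (the base64-looking values are placeholders).
SAMPLES = {
    "sgnl://linkdevice?uuid=dGVzdC1kZXZpY2U&pub_key=BQ7u9k4Q": DEVICE_LINK,
    "https://signal.group/#CjQKIHZvdGVyLWNoYXQ": GROUP_INVITE,
    "https://signal.me/#p/+15555550100": CONTACT,
    "https://example.com/signal-support": OTHER,
}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        print(f"{classify_signal_qr(payload):13s} <- {payload}")
    # The attack in a nutshell: a "group invite" that is really a linking request.
    fake_invite = next(iter(SAMPLES))
    print("invite is genuine:", matches_expected(fake_invite, GROUP_INVITE))  # False
```

A device-linking payload that arrives as anything other than the user's own deliberate "link a new device" action is the signal to stop; the check is cheap because Signal's schemes are distinct, so it does not need to understand the opaque invite or key material at all.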
Over the last year, governments have cottoned on and issued lots and lots of warnings about the attacks.
Now, European governments are seeking alternatives to Signal. Fundamentally, these phishing attacks are possible because Signal and WhatsApp do a fairly poor job of verifying who you are talking to, and anyone can sign up for an account. They're open ecosystems.
Signal even notes it "does not verify profile names or identities" and it can be hard to know if you are talking to the Secretary of Defense, the Editor-in-Chief of The Atlantic or even an account controlled by Russia's FSB.
So now, Germany, France, Belgium and Poland are all developing and adopting sovereign solutions built on top of the open source Matrix protocol.
At least in the short term, the Matrix-based systems European governments are developing are only intended to provide secure messaging within government. This shrinks the pool of potential attackers from 'everyone on the internet' to 'everyone in government', which makes the 'Signal Support'-style phishing messages that have worked against Signal users much harder to pull off.
Helpfully, it also won't be possible for officials to inadvertently invite journalists into government group chats.
Matrix-based systems have another advantage in that they are federated. Governments can run their own servers and use their own identity platforms for authentication. These systems could be set up to be far more robust against phishing. They could require, for example, strong identity checks when onboarding users, phishing-resistant authentication and detecting and investigating anomalous logins. If the sovereign messengers were opened up to become more interoperable, and therefore more exposed to untrusted outsiders, these countermeasures would make them more secure against phishing. None of those controls apply to Signal. It's just, "trust me bro, I am Signal Support ChatBot".
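Added example, not the newsletter's or any government's code: one of the controls listed above, detecting anomalous logins, is straightforward when you run the homeserver yourself, because the Matrix client-server API exposes every device attached to an account (`GET /_matrix/client/v3/devices`, whose field names are used below). The script compares a baseline device inventory with a fresh one and flags devices that are new or were last seen from outside an assumed set of government network ranges. The inventories and the trusted ranges are constructed sample data.

```python
import ipaddress

# Constructed sample data shaped like GET /_matrix/client/v3/devices for one
# user: device_id, display_name, last_seen_ip and last_seen_ts are the spec's
# field names, the values are invented. BASELINE is yesterday's inventory,
# CURRENT is today's.
BASELINE = {
    "devices": [
        {"device_id": "QBUAZIFURK", "display_name": "work phone",
         "last_seen_ip": "10.20.4.17", "last_seen_ts": 1716200000000},
        {"device_id": "LMNOPQRSTU", "display_name": "desk laptop",
         "last_seen_ip": "10.20.7.9", "last_seen_ts": 1716201000000},
    ]
}
CURRENT = {
    "devices": [
        {"device_id": "QBUAZIFURK", "display_name": "work phone",
         "last_seen_ip": "10.20.4.17", "last_seen_ts": 1716290000000},
        {"device_id": "LMNOPQRSTU", "display_name": "desk laptop",
         "last_seen_ip": "198.51.100.23", "last_seen_ts": 1716291000000},
        {"device_id": "ZZ9PLURALZ", "display_name": "Signal Support Desktop",
         "last_seen_ip": "203.0.113.7", "last_seen_ts": 1716292000000},
    ]
}

# Assumption: the department's own address space, VPN egress included.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.0.2.0/24")]


def is_trusted(ip: str, trusted_nets) -> bool:
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_anomalous_devices(baseline: dict, current: dict, trusted_nets) -> list:
    """Flag devices that appeared since the baseline or were last seen from
    an untrusted address. Each finding lists every reason that fired so an
    analyst can prioritise a device that is both new and off-network."""
    known = {d["device_id"] for d in baseline["devices"]}
    findings = []
    for dev in current["devices"]:
        reasons = []
        if dev["device_id"] not in known:
            reasons.append("new device since baseline")
        ip = dev.get("last_seen_ip")
        if ip and not is_trusted(ip, trusted_nets):
            reasons.append(f"last seen from untrusted address {ip}")
        if reasons:
            findings.append({"device_id": dev["device_id"],
                             "display_name": dev.get("display_name", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalous_devices(BASELINE, CURRENT, TRUSTED_NETS):
        print(finding["device_id"], finding["display_name"], "->",
              "; ".join(finding["reasons"]))
```

The same query could be run across every account on the server from an admin job, and a finding like the third device above (new, off-network, named to look like a support tool) is exactly the linked-device phishing outcome an organisation cannot see on Signal, where the server belongs to someone else.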
It’s not just the phishing risk that's driving the European shift from Signal and WhatsApp. Just as important are European concerns about data retention and sovereignty. Relying on US-based organisations is a bit on the nose right now. Matrix-based solutions tick that box too, and governments are able to set their own data retention policies.
Of course, this is a swings and roundabouts situation here. From a security perspective Signal is well-tested and we know where the security pitfalls are and where it is lacking. But new homegrown systems come with new, homegrown security vulnerabilities.
Implementing federated systems with data retention capabilities also vastly increases the attack surface compared to Signal. Do that in an ill-considered way and you end up in a worse situation than you started with. One of the Trump administration's mistakes with Signal, for example, was to use a fork for data retention that happened to be horrendously insecure.
As of right now, however, the walled-garden nature of the systems being developed by European governments limits their usefulness. Part of the appeal of Signal and WhatsApp is that they can be used to communicate with anyone. That is essential for politicians trying to build links with friends and foes. It is surprising how often international diplomacy is carried out via text message.
We understand the desire to more strongly protect internal government communications within vetted communities. But this is just a subset of the messages that Signal or WhatsApp are used for. In contrast to mid-level bureaucrats, the most senior politicians and officials must often communicate with frenemies. In those cases, there is no trusted community where a sovereign, government-controlled secure messenger could be used.
Signal will continue to be used for that reason, so we don't think governments should shun the app, but rather encourage the Signal Foundation to engineer more robust anti-phishing protections. And if data retention is a concern, they may want to spend the money to fork Signal into something that can securely implement suitable retention policies as well as their own anti-phishing controls.
Obviously, some of this will go horribly wrong. Could it be the home-grown Matrix-based apps? Bad attempts at Signal forks? Design-by-committee data retention architectures? Place your bets!
The Slow Burn of Fast16 and Stuxnet
In recent weeks details have come to light about the cyber operations campaign intended to slow Iran's development of nuclear weapons in the mid-to-late 2000s.
The overall campaign was intended to stop or slow Iran's nuclear weapon development program, and we’ve recently learnt that the infamous Stuxnet worm was just one arm of a two-pronged effort.
Stuxnet was discovered in 2010 and had been deployed in the years prior. It was malware intended to destroy centrifuges being used to enrich uranium at the Natanz nuclear facility. It did so by rapidly changing the speed of these centrifuges while making it appear to those in the control room that they were behaving normally.
The second, previously unknown element of the campaign is malware that has been dubbed Fast16. It was developed around the same time as Stuxnet, and was subsequently recovered from malware archives by SentinelOne researchers in 2019.
But it's only in the last month that subsequent analysis from SentinelOne and Symantec indicated the malware had a very specific purpose. It was also designed to frustrate Iran's nuclear program.
Symantec was able to confirm that Fast16 targeted LS-DYNA and AUTODYN, two software applications that simulate real-world events such as vehicle crashes and explosions. In both applications, Fast16 would only tamper with the results of simulations of high explosive detonations.
The Institute for Science and International Security (ISIS) has published further technical detail that supports the hypothesis that the malware's target was Iran's nuclear program. LS-DYNA and AUTODYN were both being used in Iran at that time, and the malware would change results when simulations involved uranium being compressed in an explosion. David Albright of ISIS told Zero Day’s Kim Zetter (who, as an aside, literally wrote the book on Stuxnet) that the malware could have been "very disruptive" for Iran's nuclear program. (Another aside, Albright is obviously with the other ISIS.)
"The effect would be to waste time, resources, and lower the overall morale of the program", he continued.
As for Stuxnet, there are claims it may have destroyed a fifth of Iran's centrifuges, although the overall impact of this on the entire Iranian nuclear program is disputed. It appears that it was a technical success, but it may only have delayed Iran's nuclear enrichment program by a year or so.
But now we also know Fast16 was simultaneously targeting a totally different aspect of Iran's nuclear weapons program: how to develop and test the implosion mechanism that kicks off the nuclear reaction.
The problem with this type of very clever operation is that it can be hard for the malware's author to know if it worked. The end result of a successful operation is... the sound of Iranian engineers tearing their hair out? Them complaining on insecure lines to their spouses about bad days at work?
Still, this was a multi-pronged campaign with a clear strategic objective: slow Iran's nuclear ambitions. By contrast, the current administration's focus is on normalising the use of cyber operations within conventional military action.
In recent years we've seen cyber operations used to switch off street lights in Venezuela, disrupt air defence systems in Iran, and support the decapitation strike at the start of the Iran war.
These are tactically useful and visible, but at the same time they feel relatively small. For want of a better word, they're just not very cool.
Our bet is that the truly impactful operations, the cool ones, are still out there but going undetected. Maybe we'll know about those ones 20 years from now, too.
Three Reasons to Be Cheerful This Week:
- A New US Telco ISAC: Eight of the US's largest telcos have established the Communications Cybersecurity Information Sharing and Analysis Center (C2ISAC). The idea is that the non-profit will "strengthen cybersecurity across the communications sector". It is the 29th ISAC, but given the carnage caused by Salt Typhoon it's better late than never.
- UK to amend cybercrime laws: The British government is planning to update the country's Computer Misuse Act to allow for good-faith cyber security work. The Record has further coverage.
- Hardening Linux: Red Hat has announced Red Hat Hardened Images, a catalog of minimalist container images that ship security fixes rapidly. Debian has also announced that all new packages must use reproducible builds. This means that anyone can rebuild a package from its published source and check that the result is bit-for-bit identical to the binary Debian ships, which makes it much harder for supply-chain shenanigans to slip something into a binary that isn't in the source.
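An added example (not Debian's tooling or anything from the newsletter) of what "reproducible" means in practice: the same source must yield a bit-identical artifact regardless of when, where or in what file order it is built. The script packs a tiny constructed source tree into a tar archive two ways, once letting the wall clock, directory order and build-user ownership leak in, and once normalised the way reproducible-builds tooling does (fixed mtime taken from `SOURCE_DATE_EPOCH`, sorted entries, uid/gid 0), then hashes the results so a third party can verify a published digest by rebuilding. The `SOURCE_DATE_EPOCH` value, file contents and build times are constructed.

```python
import hashlib
import io
import tarfile

# Real tooling reads this from the environment; the reproducible-builds
# convention is to set it to the timestamp of the source release.
SOURCE_DATE_EPOCH = 1672531200  # constructed value: 2023-01-01T00:00:00Z


def build_archive(files: dict, *, build_time: int, source_date_epoch=None) -> bytes:
    """Pack files into an uncompressed tar archive.

    build_time stands in for the wall clock, and the order of `files` for
    whatever order the filesystem returned directory entries in. With
    source_date_epoch set both are normalised away; without it they leak
    into the archive and therefore into its hash. (A gzip wrapper would add
    its own header timestamp, which is why plain tar is used here.)
    """
    deterministic = source_date_epoch is not None
    names = sorted(files) if deterministic else list(files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if deterministic:
                info.mtime = int(source_date_epoch)
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = int(build_time)
                info.uid = info.gid = 1000            # whoever ran the build
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def verify_rebuild(files: dict, published_digest: str, *, build_time: int) -> bool:
    """Independent rebuild: does my output match the published artifact?"""
    mine = build_archive(files, build_time=build_time,
                         source_date_epoch=SOURCE_DATE_EPOCH)
    return digest(mine) == published_digest


# Constructed source tree, listed in two orders to mimic two build machines.
SOURCE_A = {"src/main.c": b"int main(void){return 0;}\n", "README": b"hello\n"}
SOURCE_B = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}

if __name__ == "__main__":
    naive_1 = digest(build_archive(SOURCE_A, build_time=1716300000))
    naive_2 = digest(build_archive(SOURCE_B, build_time=1716300060))
    print("naive builds match:", naive_1 == naive_2)           # False
    repro_1 = digest(build_archive(SOURCE_A, build_time=1716300000,
                                   source_date_epoch=SOURCE_DATE_EPOCH))
    repro_2 = digest(build_archive(SOURCE_B, build_time=1716300060,
                                   source_date_epoch=SOURCE_DATE_EPOCH))
    print("reproducible builds match:", repro_1 == repro_2)    # True
    print("third party can verify:",
          verify_rebuild(SOURCE_B, repro_1, build_time=1716399999))  # True
```

The verification step is the security property: if a build server were compromised to inject something into the shipped binary, an independent rebuild from the same source would no longer match the published digest, and with a fixed `SOURCE_DATE_EPOCH` and sorted inputs the mismatch cannot be explained away as a timestamp or ordering difference.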
Sponsor Section
In this Risky Business sponsor interview, James Wilson chats with Push Security’s Chief Research Officer Jacques Louw about how the company has integrated an army of AI agents into its threat detection platform. Not only has agentic AI led to the discovery of Install Fix campaigns, but it will help simplify the platform for new customers.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at Department 4 of Bauman Moscow State Technical University where students learn how to hack for the state. Its curriculum is extremely explicit about how the hacking and propaganda operations are relevant to state operations. They discuss whether this is an advantage for Russia’s cyber program and look at what Western intelligence agencies do instead.
From Risky Bulletin:
Microsoft takes down MSaaS used by ransomware gangs: Microsoft has sued and seized domains and server infrastructure belonging to SignSpaceCloud (signspace[.]cloud), a Russian cybercrime service that sold code signing certificates to malware and ransomware gangs.
The service, which Microsoft is tracking as Fox Tempest, has been running since May of last year and is what cybersecurity experts call a malware-signing-as-a-service (MSaaS).
The group used hundreds of fake accounts on the Microsoft Artifact Signing service to obtain code signing certificates that it later resold on its website for thousands of US dollars.
Cybercrime groups paid the hefty prices but used the certificates to sign their malware and make it appear as software from legitimate developers.
[more on Risky Bulletin]
Indonesia emerges as a new hub for cyber scams: Indonesia is emerging as a new hub for cyber scam operations and illegal online gambling in Southeast Asia after massive crackdowns in neighboring countries have sent criminal groups fleeing across borders and seeking to relocate facilities.
Local authorities have detained more than 550 suspects following three raids this month alone.
More than 200 suspects were detained after a raid on an apartment complex in the city of Batam on May 6. Another 321 were arrested in a commercial building near Jakarta's Chinatown neighborhood on May 10. Another 30 were then detained at guest houses on the island of Bali a few days after.
[more on Risky Bulletin]
Shai-Hulud goes open-source: Individuals claiming to be associated with the TeamPCP hacking group have released the source code of the Shai-Hulud worm that has devastated open-source libraries across the npm and PyPI ecosystems.
The code was released this week on the Breached[.]st hacking forum.
It was released two days after it was used in a supply chain attack that compromised the TanStack React framework and then spread to almost 400 packages, including libraries at AI company Mistral and business automation giant UiPath.
Although threat actors have a tendency to lie about what they release, the worm's authenticity has already been confirmed as a near exact match by Datadog researchers.
[more on Risky Bulletin]