<article>Investigative journalists at Berlin-based Correctiv have uncovered fresh evidence connecting a sophisticated Signal messenger phishing operation to Russian intelligence services, revealing what security experts describe as an evolving escalation in digital espionage methods targeting European officials.

The hacking campaign, which compromised the accounts of prominent German government figures including Arndt Freytag von Loringhoven—former vice president of Germany's foreign intelligence service—represents a significant breach of secure communications channels previously considered resistant to state-sponsored attacks. According to Correctiv's investigation, the operation also targeted numerous politicians, security agency civil servants, and journalists across Germany and other European states.

The attack methodology demonstrates considerable sophistication. Initial phishing messages falsely claimed to originate from "Signal Support," requesting users enter verification codes and personal identification numbers. Once attackers gained access to compromised accounts, they deployed a secondary wave of fabricated WhatsApp or Telegram invitation links to the victim's contact lists, exponentially expanding the campaign's reach. The operation potentially affected thousands globally, security researchers told Correctiv.

Three distinct evidence streams connect the campaign to Russian state actors. First, the phishing domains operated on servers belonging to Aeza, a Russian hosting provider previously sanctioned by the United States and United Kingdom for facilitating state-sponsored cyber operations. Second, the "Defisher" software employed in the attacks features a Russian-language interface and was advertised in Russian hacker forums for approximately $690—a price point suggesting state-backed groups rather than individual criminals. Third, nearly identical attacks targeted Ukraine and Moldova using the same infrastructure and methodology, indicating what Correctiv describes as "a connected political campaign originating in Russia."

In Germany, as elsewhere in Europe, consensus takes time—but once built, it lasts. The breach has prompted urgent discussions within the federal government about digital security protocols for senior officials. The choice of Signal as a target proves particularly significant: the encrypted messaging platform had been widely adopted by European government personnel precisely because of its reputation for security against surveillance.

"The attack demonstrates how readily available, inexpensive tools enable sophisticated targeting of government officials," a German cybersecurity official told Correctiv, speaking on condition of anonymity. The official noted that compromised accounts could potentially expose classified communications and state secrets, particularly given the seniority of some victims.

The campaign represents the latest manifestation of what German security services characterize as Russian "hybrid warfare" against European institutions. Unlike conventional cyberattacks targeting government networks directly, the Signal operation exploited trusted communications channels and social engineering rather than technical vulnerabilities—a tactical adaptation that German intelligence analysts view as evidence of evolving Russian espionage doctrine.

Berlin has not yet issued a formal attribution statement, though government sources indicated that federal cybersecurity agencies are coordinating with European partners on response measures. The incident adds to mounting tensions between Germany and Russia over digital security, following previous attributions of cyberattacks against the Bundestag and German critical infrastructure to Russian intelligence services.</article>
