(Credit: Florian Gaertner / Contributor / Photothek via Getty Images)
Russian hackers are breaking into Signal group chats, according to a Pentagon memo obtained by NPR. The memo was sent on March 18—three days after the US bombed Yemen and five days after top Trump officials accidentally included a journalist on a Signal chat group about it.
"A vulnerability has been identified in the Signal messenger application," the memo says. At issue is Signal's "linked devices" feature, which allows a user to access their account on multiple devices. Russian hackers are reportedly taking advantage of this to add Signal accounts to their own devices and eavesdrop on what should be encrypted conversations. "This allows the group to view every message sent by the unwitting user in real time," says the memo.
The Pentagon memo provides steps to "safeguard your Signal application," and reiterates the government's Signal policy. It permits the use of Signal for discussions about unclassified information but the app is "NOT approved to process or store nonpublic unclassified information," it says. All uses must "abide by DoD and NSA/CSS policy."
In February, Google's Threat Intelligence Group warned about vulnerabilities with Signal, and outlined how a "linked devices" attack works.
"Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance," Google says. "If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise."
Google expects Signal breaches to "grow in prevalence in the near-term," related to the war in Ukraine and "regions outside the Ukrainian theater of war." Other similar apps, such as WhatsApp and Telegram, are also being actively targeted with similar techniques.
In a statement, Signal said the memo is misleading. "The [Pentagon] memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users.
"Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology. Phishing attacks are a constant threat for popular apps and websites," Signal adds. "In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings."
Regarding the Signal chat among Trump officials, Secretary of Defense Pete Hegseth insisted that "nobody was texting war plans."
Typically, sensitive conversations take place in a secure room that top-ranking officials have in their offices and homes, called a Sensitive Compartmented Information Facility (SCIF).
In a hearing today on Capitol Hill, CIA Director John Ratcliffe and Director of National Intelligence Tulsi Gabbard, both of whom were on the "war plans" Signal chat, claimed they did not discuss classified information.
Democratic senators pushed them to release the full chat transcript. [Update: The Atlantic has now published the full text chain.] "If there was no classified material, share it with the committee," said Senate Intelligence Ranking Member Mark Warner. "You can't have it both ways. These are important jobs. This is our national security."
Editors' Note: This story was updated with comment from Signal.