In the last decade, digital security has become one of the main areas of dispute among states, criminal organizations, and technology companies. Encrypted communications, once seen as the ultimate refuge of privacy, have also become a priority target for espionage operations.
A recent example of this dynamic emerged in March 2026, when intelligence agencies from the Netherlands warned about a global hacking campaign linked to actors backed by Russia that managed to compromise messaging accounts on popular applications such as Signal and WhatsApp used by officials, military personnel, and journalists.
This episode reflects an increasingly evident reality: in the contemporary world, wars are no longer fought only with conventional weapons, but also through digital intrusions, psychological manipulation, and covert operations within communication networks. Unlike traditional cyberattacks that exploit technical flaws, this campaign was mainly based on social engineering techniques, deceiving users into voluntarily providing their security credentials.
The case of Rusia provides an opportunity to understand how these operations work, why applications considered secure can become vulnerable points, and what implications all of this has for global security and the privacy of citizens.
The origin of the international alert
The warning about the espionage campaign emerged from a joint report by two Dutch intelligence agencies: the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD). According to these agencies, actors linked to the Russian state had launched a large-scale operation within the context of cyberwar, aimed at infiltrating messaging accounts used by people with access to sensitive information. This type of action fits within the current dynamics of cyberwar, where digital communications become strategic targets.
The targets included government officials, military personnel, and journalists, many of whom were involved in issues related to international politics, security, or defense. In the context of cyberwar, these individuals represent priority targets due to the value of the information they handle. Victims were also detected within institutions of the Dutch government, reinforcing the idea that cyberwar is already part of contemporary conflicts between states.
The campaign was not limited to a single country. According to the reports, it was a global operation with multiple targets distributed across different regions, a pattern characteristic of cyberwar strategies that seek to collect strategic information in various geopolitical scenarios. This is consistent with the usual strategy of state cyber-espionage groups, which within the logic of cyberwar attempt to access communication networks where political, military, or diplomatic information circulates.
Authorities warned that attackers had probably already managed to access confidential conversations, which increased concern among governments and international organizations. This type of incident demonstrates how cyberwar has become a central element of international security, where cyberwar not only involves attacks on digital infrastructure but also infiltration into private communications, intelligence gathering, and the expansion of cyberwar operations on a global scale.
How did they infiltrate encrypted accounts?
One of the most striking aspects of the attack is that it was not based on technical vulnerabilities in the software of the applications. Neither Signal nor WhatsApp were “hacked” in the traditional sense. In reality, end-to-end encryption — the technology that protects messages — remained intact, something that shows how in modern cyberwar the technology itself is often not attacked directly, but rather the people within cyberwar scenarios.
Instead of breaking the cryptographic system, the attackers resorted to social engineering. This technique consists of manipulating people so that they voluntarily provide confidential information, a strategy increasingly used in cyberwar operations where the goal is to access information without needing to compromise complex technical systems within the dynamics of cyberwar.
The procedure described by authorities worked approximately as follows within this type of cyberwar operation:
- Hackers initiated contact with the victim pretending to be technical support or an official bot, a tactic frequently seen in campaigns linked to cyberwar.
- During the conversation they requested verification codes or PIN numbers necessary to activate the account, using manipulation methods commonly observed in cyberwar scenarios and digital espionage.
- Once they obtained this information, they could link the account to another device under their control, which in cyberwar contexts allows attackers to access private communications without raising suspicion.
- From that moment on they had access to messages, groups, and contacts, something that makes these intrusions very valuable tools within cyberwar operations.
The attack also exploited legitimate features of the applications, such as the “linked devices” system, which allows the same account to be used from multiple devices. When attackers managed to add their own device, they could read conversations without the victim noticing, a practice that demonstrates how modern cyberwar can rely on legitimate tools to carry out covert cyberwar actions.
This approach shows that digital security does not depend only on technology, but also on human behavior, something particularly relevant in a global context marked by the constant growth of cyberwar.
Why target Signal and WhatsApp?
Signal and WhatsApp are two of the most widely used messaging applications in the world. Both implement end-to-end encryption, which means that only the participants in a conversation can read the content of the messages, a feature particularly relevant in the context of cyberwar, where protecting communications has become a central element of digital cyberwar.
Precisely because of this characteristic, they have become popular tools among diplomats, journalists, and activists. In politically sensitive contexts, these applications are used to coordinate actions, share information, or maintain private communications, something that within the global cyberwar scenario gains great strategic importance in the current dynamics of cyberwar.
However, that same trust makes them valuable targets for espionage operations. If an attacker manages to access a legitimate account, they gain direct access to conversations that would otherwise be practically impossible to intercept, which explains why these platforms have become frequent targets within cyberwar strategies.
According to experts, this explains why attackers prefer to manipulate users instead of trying to break encryption. Modern cryptography is extremely robust; by contrast, deceiving a person can be much easier, something that is constantly observed in operations linked to contemporary cyberwar.
The role of social engineering
Social engineering has become one of the most effective methods in the arsenal of cyber spies. Unlike purely technical attacks, this approach exploits psychological factors such as trust, urgency, or fear, elements widely used in campaigns related to cyberwar.
A classic example is phishing, in which attackers send messages that appear to be legitimate communications. In the case of the campaign detected by Dutch intelligence services, hackers impersonated the platforms’ technical support in order to convince victims to share security codes, a practice increasingly common in cyberwar operations.
This type of strategy has several advantages for attackers within cyberwar scenarios.
- It does not require complex technological tools, which facilitates its use in multiple cyberwar campaigns.
- It is difficult to trace, making it an effective method in international cyberwar contexts.
- It can easily adapt to different targets, a key feature for flexible cyberwar operations.
In addition, users often trust messages that appear to come from official services, especially if they include logos or convincing technical language, which facilitates this type of manipulation within cyberwar dynamics.
The State Cyber-Espionage Ecosystem
The detected campaign fits within a broader phenomenon: the rise of state-linked hacker groups. These organizations, known as Advanced Persistent Threats or APTs, operate with significant resources and strategic objectives within the growing global cyberwar scenario.
Among the groups associated with Russia are organizations such as APT28, also known as Fancy Bear, and APT29, known as Cozy Bear. These collectives have been linked to espionage operations targeting governments, international organizations, and media outlets, many of them related to cyberwar dynamics.
APT29, for example, is associated with the Russian foreign intelligence service and specializes in prolonged digital espionage operations, a type of activity that is part of extended cyberwar strategies.
APT28, on the other hand, has been linked to Russian military intelligence and has been accused of attacks against political institutions and international organizations, actions that fall within the broader framework of cyberwar.
Although authorities do not always officially attribute every operation to a specific group, the tactics and objectives often reveal patterns that allow investigators to identify the responsible actors within the complex international cyberwar landscape.
Cyberwar and Geopolitics
Digital espionage has become a key tool in contemporary geopolitical rivalries and one of the most visible components of modern cyberwar. Powers use cyber operations to collect information, influence political processes, or weaken strategic adversaries within broader cyberwar strategies.
These activities intensified especially after the 2010s, when multiple high-profile incidents demonstrated the potential of digital operations and consolidated the role of cyberwar in international conflicts.
Among the best-known examples are attacks against critical infrastructures, massive information leaks, and disinformation campaigns on social media, all practices associated with the development of contemporary cyberwar.
Experts consider cyberspace to have become the fifth domain of war, alongside land, sea, air, and space, demonstrating how deeply cyberwar has been integrated into the military and political strategy of states.
In this context, intelligence services consider digital communications a priority target within cyberwar operations. Accessing private conversations can reveal political strategies, military movements, or diplomatic negotiations, making these intrusions key tools within global cyberwar dynamics.
The Growing Sophistication of Threats
Although the described campaign relied on relatively simple techniques, experts warn that cyber-espionage operations continue to evolve within the expanding cyberwar scenario. In today’s cyberwar context, digital attacks no longer depend solely on isolated tools but are part of broader strategies specifically designed to operate within the global cyberwar environment.
State-backed groups often combine multiple tools, including malware, phishing attacks, and exploitation of vulnerabilities—a combination frequently observed in cyberwar operations. These tools allow cyberwar campaigns to be more effective, adaptable, and difficult to detect.
Moreover, modern operations are often integrated with broader strategies including disinformation, political manipulation, and digital sabotage, elements that have become key components of contemporary cyberwar. In this sense, cyberwar is not limited to infiltrating computer systems but also includes influence and manipulation operations within international cyberwar scenarios.
These hybrid operations make defense more difficult, as attacks can occur simultaneously in multiple domains, a characteristic of many modern cyberwar campaigns that demonstrates the growing complexity of cyberwar in the international system.
An Invisible Conflict
The case of the campaign against Signal and WhatsApp illustrates how digital espionage has become an integral part of international politics and contemporary cyberwar dynamics. In many ways, cyberwar represents a new dimension of conflict between states.
Unlike traditional conflicts, these operations are usually carried out in secret and rarely make dramatic headlines. However, their impact can be significant, especially within the cyberwar strategies used by different governments.
An intercepted conversation can alter diplomatic negotiations, reveal military strategies, or compromise individual security, demonstrating the enormous strategic potential of cyberwar today.
In this sense, cyberwar is a silent but constant conflict in which governments, companies, and citizens participate—often without knowing it—within a global scenario increasingly marked by the expansion of cyberwar.
The case of the espionage campaign targeting Signal and WhatsApp users highlights a fundamental reality of the contemporary digital world: even tools designed to protect privacy can become targets within cyberwar. In today’s cyberwar context, digital communications have become a strategic objective. Although encrypted messaging applications offer high levels of technological security, their protection also depends on user behavior and their ability to recognize manipulation attempts in cyberwar scenarios.
The social engineering techniques used in these attacks demonstrate that the most vulnerable link in any security system remains the human factor, which is frequently exploited in cyberwar operations. Hackers do not necessarily need to breach complex cryptographic systems if they can persuade people to voluntarily reveal their credentials or access codes—a common practice in cyberwar campaigns.
At the same time, the episode reflects how cyberspace has become a strategic field within international relations and cyberwar. States increasingly use digital operations to gather information, influence adversaries, or strengthen their position on the global stage, demonstrating the growing importance of cyberwar.
Given this scenario, protecting privacy and digital communications requires a joint effort among governments, technology companies, and users in an environment shaped by cyberwar. Digital security education and the constant improvement of technological tools will be key elements in reducing the risks associated with cyberwar.
For organizations seeking to strengthen their security against digital threats and cyberwar risks, specialized support is essential. ITD Consulting offers cybersecurity and information protection solutions. For more information about their services, you can write to [email protected].
EN 
ES