Russia didn’t break Signal’s encryption — Russian-backed hackers broke Polish government officials instead, using impersonation calls and malicious QR codes to hijack secure messaging accounts until Poland announced it was abandoning Signal entirely for government use.
Poland Moves to Nationally Controlled Messaging After Signal Account Compromises
Poland’s government has officially announced it is shifting away from Signal following a series of cyberattacks attributed by national CSIRTs to Russian-backed APT groups with ties to hostile state intelligence services. The affected accounts belonged to Polish politicians, military personnel, and public servants — individuals whose encrypted communications represent high-value intelligence targets given Poland’s central role in Ukrainian aid coordination and NATO’s eastern flank.
The move places Poland’s government communications on two replacement platforms: mSzyfr Messenger, an encrypted tool managed by NASK-PIB (the Polish research network institute) and available by invitation to approved organizations; and SKR-Z, an isolated classified network supporting communications up to the “Restricted” classification level.
How Russian-Backed Attackers Took Over Signal Accounts Without Cracking Encryption
The attacks exploited two distinct methods, neither of which involved breaking Signal’s cryptographic protocol. In the first technique, attackers impersonated Signal support staff, contacting officials via phone or message and convincing them to share verification codes or account PINs — enabling direct account takeover. In the second, attackers distributed malicious QR codes and links that, when scanned by the target, silently linked an attacker-controlled device to the victim’s Signal account, granting persistent access to the full chat history going forward.
Signal’s end-to-end encryption remained intact throughout. The compromise occurred at the human layer — account verification and device-linking mechanisms — rather than at the cryptographic level. This distinction matters because it means no flaw in Signal’s core technology was exploited; the platform’s security model was circumvented by targeting the people using it, not the protocol itself.
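The two lures described above can be screened for before anyone scans or taps. The following helper is an added example, not code from the article or from Signal, for a help desk or message gateway: it classifies a decoded QR payload or pasted link and flags "send us your code" wording. It assumes Signal's linking QR encodes a URI of the form `sgnl://linkdevice?uuid=...&pub_key=...` (older clients used `tsdevice:/?...`); the sample inputs are constructed.

```python
# Added example (not from the article or Signal): screen decoded QR payloads
# and message bodies for the two account-takeover lures the article describes:
# device-linking QR codes/links and support impersonation asking for codes.
# ASSUMPTION: Signal's linking QR encodes "sgnl://linkdevice?uuid=..&pub_key=.."
# (older clients: "tsdevice:/?.."); adjust LINK_DEVICE_SCHEMES if yours differ.
import re
from urllib.parse import parse_qs, urlparse

LINK_DEVICE_SCHEMES = {"sgnl", "tsdevice"}
# Phrases that appear in account-takeover lures: no real support channel asks
# a user to read back a verification code or a registration-lock PIN.
CODE_LURE = re.compile(r"\b(verification code|registration lock|PIN)\b", re.I)
# Any scheme:/... token inside free text, so embedded links can be inspected.
URI_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:/\S+")


def classify_payload(payload: str) -> dict:
    """Classify one decoded QR payload or URL.

    A device-link URI, when scanned by a logged-in Signal app, enrols the key
    carried in `pub_key` as a new linked device that then receives messages.
    """
    p = urlparse(payload.strip())
    q = parse_qs(p.query)
    is_link = p.scheme in LINK_DEVICE_SCHEMES and (
        p.netloc.lower() == "linkdevice" or "pub_key" in q
    )
    return {
        "scheme": p.scheme,
        "device_link": is_link,
        "has_pub_key": "pub_key" in q,
        "verdict": "block: would link a new device to the account"
        if is_link else "review",
    }


def flag_message(text: str) -> list:
    """Return human-readable flags for a message body; empty if nothing fires."""
    flags = []
    if CODE_LURE.search(text):
        flags.append("asks for a verification code or PIN (support impersonation)")
    for token in URI_TOKEN.findall(text):
        if classify_payload(token)["device_link"]:
            flags.append("embeds a device-linking URI: " + token[:32])
    return flags
```

Run `classify_payload` on whatever a QR decoder returns, and `flag_message` on inbound text, and route anything with a non-empty flag list to a human reviewer rather than the recipient's phone.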
Russian-Backed APT Attribution and the NATO Targeting Logic
Polish national CSIRTs attributed the attacks to Russian-backed APT groups linked to hostile state intelligence agencies. The targeting is consistent with Russian intelligence tradecraft focused on signals collection against NATO member states. Poland has been a particularly attractive target: its territory hosts NATO logistics infrastructure supporting Ukraine, and Polish officials communicate extensively with Ukrainian government counterparts, Western defense ministries, and allied intelligence partners.
Poland is thus being targeted simultaneously by Russian-linked actors going after Signal accounts and by the China-aligned Webworm APT, which targets government networks via cloud-platform C2 channels, placing the country under active pressure from two nation-state actors at once.
Poland’s Shift to Domestically Controlled Platforms
The decision to replace Signal with NASK-PIB’s mSzyfr Messenger reflects a broader strategic calculation: nationally controlled infrastructure reduces the exposure created by relying on commercial platforms, regardless of how secure those platforms are technically. When the vulnerability lies in user-facing account mechanisms rather than the encryption layer, a platform controlled by the national government offers direct control over enrollment verification and device management procedures.
Germany made a comparable transition for some government communications in 2024. Poland’s move, following confirmed compromise of specific officials, represents a reactive policy shift rather than a proactive standardization effort — but the underlying logic of keeping government communications within domestically administered systems has gained traction across multiple EU member states.
The NASK-PIB-managed mSzyfr system is restricted by invitation to approved organizations, limiting its exposure compared to a publicly available messaging platform. SKR-Z, the classified channel, serves as the higher-security tier for communications at the “Restricted” level and above.
Signal’s Security Architecture and Its Limits Against Social Engineering
The Poland incident illustrates a limitation inherent in any secure messaging platform: cryptographic strength provides no protection when an authorized user is deceived into sharing their credentials or inadvertently authorizes a hostile device. Signal’s account security depends on users correctly identifying legitimate support channels and scrutinizing device-linking requests — behaviors that sophisticated social engineering campaigns are specifically designed to undermine.
Nation-state adversaries targeting government officials have the resources and operational patience to conduct convincing impersonation campaigns. The attack methods used against Polish officials — fake support staff, malicious QR codes — require no technical exploitation of Signal’s codebase. They require only that the target act normally under false pretenses. No cryptographic architecture prevents that.
