Russian Hackers Target Portuguese Officials via WhatsApp and Signal: What You Need to Know
Portugal's intelligence service has publicly warned that a state-sponsored cyber-espionage campaign is actively targeting messaging accounts belonging to government officials, diplomats, and military personnel across the country, though authorities say no Portuguese minister has yet fallen victim to the operation.
Why This Matters
• Foreign intelligence operatives are using phishing techniques to compromise WhatsApp and Signal accounts of high-ranking officials in Portugal and allied nations.
• The Netherlands' intelligence services have attributed similar attacks to Russia, though Portugal's SIS has not officially named the foreign state behind the campaign.
• No technical vulnerability exists in the messaging platforms themselves—hackers are exploiting careless user behavior to steal passwords and verification codes.
• Portuguese Cabinet members reportedly follow strict protocols: official deliberations happen face-to-face or via government email networks, not through consumer messaging apps.
Foreign State Targets Portuguese Officials Through Social Engineering
The Serviço de Informações de Segurança (SIS), Portugal's domestic intelligence agency, issued the alert on March 11, describing a global cyber-espionage operation aimed at individuals with access to classified national and NATO documentation. The warning emphasizes that attackers are not exploiting flaws in WhatsApp or Signal encryption but are instead manipulating users into voluntarily surrendering access credentials.
According to the SIS statement, hackers employ various tactics including fake technical support contacts, QR code scams (known as "quishing"), and identity theft to trick targets into sharing sensitive information such as passwords and two-factor authentication codes. Once inside an account, operatives can read private conversations, download shared files, add unauthorized devices to monitor communications in real time, and even launch secondary phishing campaigns using the victim's contact list.
The agency did not identify which foreign government sponsors the operation, but Dutch intelligence services and Portuguese media outlet Expresso have publicly attributed the attacks to Russian operatives. Security analysts note that Russia, along with Iran and North Korea, regularly appears in global threat reports as states that fund and direct cyber-espionage campaigns against Western targets.
What This Means for Government and Military Personnel
Minister of the Presidency António Leitão Amaro addressed reporters following a Cabinet meeting on March 13, stating that no Portuguese government official has been confirmed as a victim of the campaign. He stressed that the PSD/CDS-PP coalition executive adheres to security best practices recommended by both national and international cybersecurity authorities.
Leitão Amaro made a pointed reference to past lapses in digital security, alluding to a previous administration's practice of making official decisions via WhatsApp. "Government deliberations are not conducted through WhatsApp—those days are gone," he said. "Decisions are made either in person or, when electronic communication is necessary, through the Government's secure email network."
The remark was widely interpreted as a dig at former Infrastructure Minister Pedro Nuno Santos, who in a prior government authorized a decision regarding the national airline TAP using the instant messaging platform—a move that drew criticism at the time for its informality and potential security risks.
How the Attack Works: Phishing, Not Platform Flaws
Cybersecurity experts emphasize that the threat does not stem from weaknesses in the end-to-end encryption offered by WhatsApp and Signal. Both platforms remain technically secure. Instead, the campaign exploits human error and social engineering tactics that have grown increasingly sophisticated with the integration of artificial intelligence tools.
AI-powered systems allow attackers to assume convincing identities, mimic linguistic patterns, and craft personalized messages that appear authentic. Targets may receive contact requests from individuals posing as colleagues, technical support representatives, or even senior officials from allied governments. Once trust is established, the attackers request verification codes, QR code scans, or other sensitive data under false pretenses.
The SIS warns that once an account is compromised, the damage extends beyond the initial victim. Hackers can impersonate the account holder to target their entire network, potentially gaining access to classified information shared within group chats or stored in cloud-linked files.
Recommended Protective Measures for High-Risk Users
The intelligence agency has issued a detailed set of guidelines for government officials, diplomats, military officers, and others who handle sensitive information:
• Verify all new contacts and unexpected interactions using alternative secure channels, such as institutional email or direct phone calls, before engaging in any conversation.
• Never share account credentials, verification codes, or PINs, even if the request appears to come from official technical support. Legitimate platform operators will never ask for this information.
• Limit QR code scanning to situations you initiate yourself. Do not scan codes sent by unknown or unverified contacts, as this can link unauthorized devices to your account.
• Maximize privacy and security settings within both WhatsApp and Signal. Enable two-factor authentication and regularly review which devices are linked to your account.
• Do not allow unauthorized additions to group chats or the linking of unknown devices to your messaging accounts.
• Report any suspicious activity immediately to your institution's cybersecurity unit or through Portugal's official cybersecurity portal.
Security professionals stress that despite the robust encryption these platforms offer, they are not suitable for exchanging classified or highly sensitive government information, precisely because they remain vulnerable to social engineering attacks that bypass technical safeguards.
Portugal Among Multiple Western Targets
While the SIS alert focuses on threats to Portuguese officials, the campaign is described as global in scope, with allied nations also facing similar intrusions. Analysts suggest the attacks may be tied to ongoing geopolitical tensions, including conflicts in the Middle East and the broader strategic rivalry between NATO member states and adversarial governments.
Portugal's role as a NATO member and its participation in European defense initiatives make its officials attractive intelligence targets. The country's geographic position and diplomatic relationships provide access to military planning, alliance communications, and economic policy discussions of interest to hostile intelligence services.
Cybersecurity firms have noted an uptick in state-sponsored operations that combine traditional espionage objectives with criminal tactics, including ransomware and financial fraud, to fund ongoing intelligence activities. The use of consumer messaging platforms as an entry point represents a strategic shift, exploiting the widespread adoption of tools that were never designed to protect state secrets.
The Broader Implications for Digital Governance
The incident highlights the tension between the convenience of modern communication tools and the security requirements of government operations. While encrypted messaging apps offer privacy protections that exceed traditional SMS or email, they introduce new vulnerabilities rooted in user behavior rather than code.
Portugal's emphasis on secure government networks for official business reflects a growing recognition across Europe that consumer-grade platforms, regardless of their encryption standards, cannot fully protect against determined state actors. The shift away from informal messaging for policy decisions marks a maturation in digital governance practices, aligning Portugal with stricter protocols already in place in countries such as Germany, France, and the United Kingdom.
For residents and professionals in Portugal, the warning serves as a reminder that cyber threats are no longer abstract concerns reserved for large corporations or military installations. Individuals working in government, defense contractors, research institutions, and critical infrastructure sectors face real risks that require ongoing vigilance and adherence to security protocols.
The SIS continues to monitor the campaign and coordinate with international partners to identify and counter the evolving tactics of foreign intelligence operatives. Authorities urge anyone who suspects they have been targeted to report the incident immediately, as early detection can prevent broader network compromises and protect sensitive national information.
The Portugal Post is an independent news source for English-speaking audiences.