Poland told officials to stop using the popular instant messaging app Signal after cyberattacks targeted government accounts.
Poland has instructed government officials to stop using Signal for sensitive communications and move to a state-developed alternative. The decision follows repeated cyberattacks targeting Signal accounts belonging to politicians, military personnel, and public servants. Officials believe the campaigns are linked to Russian-backed APT groups.
The attacks did not break Signal’s encryption but instead targeted users through account compromise and social engineering tactics. In one scenario, attackers impersonate Signal support staff or automated security bots, warning users about suspicious activity and tricking them into sharing verification codes or PINs, which allows full account takeover.
Another method uses malicious QR codes or links that secretly connect an attacker-controlled device to the victim’s account. Once linked, attackers can silently access private chats, group messages, and conversation history.
“National-level Computer Security Incident Response Teams (CSIRTs) have identified phishing campaigns conducted by APT groups linked to hostile state agencies. These attacks target, among others, public figures and government employees,” reads the announcement.
“Perpetrators use social engineering techniques, posing as Signal support staff. Victims receive messages about their account being blocked, which are intended to trick them into clicking malicious links. The goal is to take control of communications, posing a direct threat to national security and the confidentiality of information.”
To improve the security of official communications, the Ministry of Digital Affairs is recommending that government staff use national platforms developed specifically for public administration. These include mSzyfr Messenger, an encrypted communication tool managed by NASK-PIB, and SKR-Z, a secure system designed for handling classified communications up to the “Restricted” level.
The mSzyfr app is not publicly accessible; only users affiliated with approved organizations can receive an invitation to join the platform.
The government says the platform is fully hosted and managed within Poland under national cybersecurity standards. It will replace Threema, which had been recommended since 2022. Officials are also being directed to use SKR-Z, a separate isolated network designed for classified communications, with each platform handling different levels of sensitive government information.
Across Europe, other countries are moving in the same direction. In Germany, the Bundestag has told lawmakers to use Wire after phishing attacks, while Dutch intelligence agencies AIVD and MIVD said government officials were targeted in coordinated campaigns over Signal, some of which succeeded in compromising accounts. The lesson is pretty clear: the real problem is usually not the encryption itself, but phishing, impersonation, and people being targeted directly.
Signal has tried to respond with in-app warnings and alerts to help users spot impostors, but governments say that is not always enough against state-backed attackers. Poland’s choice fits into this wider debate. It is less about a technical failure and more about the limits of secure apps when users are the easiest point of attack.
By moving to a system under domestic control, Poland gets more visibility over access and infrastructure, including who can join and how the platform is run. But that also means stepping away from platforms that are more widely tested and audited. The argument is likely to continue, especially in countries under constant cyber pressure, where the weak point is often not the app itself but the person using it.
(SecurityAffairs – hacking, Signal)
