
FBI & CISA Alert: Russian Intelligence Is Hijacking WhatsApp Accounts — Saudi Banks Are a Prime Target

Russian state-sponsored actors are walking around end-to-end encryption by hijacking WhatsApp and Signal accounts directly. Saudi financial institutions — where WhatsApp is the de facto business communication channel — are acutely exposed.

FyntraLink Team

In March 2026, the FBI and CISA issued a joint emergency alert confirming that threat actors affiliated with Russian Intelligence Services — primarily APT29 (Cozy Bear) and its sub-clusters — are conducting large-scale phishing campaigns to seize control of WhatsApp and Signal accounts belonging to high-value targets. Thousands of accounts have already been compromised globally. For Saudi financial institutions where WhatsApp functions as the primary internal and client communication channel, the risk is not theoretical — it is immediate.

What the FBI and CISA Actually Found

The campaign, tracked under the advisory AA26-079A, works by impersonating "Signal Support" or "WhatsApp Security" and prompting targets to either click a specially crafted link or scan a malicious QR code. Once the victim complies, the attacker silently links the victim's account to an attacker-controlled device using the legitimate "Linked Devices" feature built into both applications. No exploit, no malware, no CVE required — only a social engineering lure that takes 30 seconds to execute.

The critical insight from the advisory is that end-to-end encryption is completely irrelevant here. The attacker does not crack the cryptography; they simply walk straight around it by gaining a legitimate linked-device session. From that position they can read all incoming messages in real time, send messages impersonating the victim, exfiltrate contact lists, and use the trusted identity to pivot laterally into the victim's broader social graph — including colleagues, clients, and executives.

Primary targets named in the advisory include current and former government officials, military personnel, political figures, journalists, and employees of critical infrastructure organizations. Financial sector executives — CISOs, CFOs, relationship managers handling sovereign wealth or high-net-worth clients — match this profile precisely.

Why Saudi Financial Institutions Face Elevated Exposure

WhatsApp's penetration among Saudi professionals is unlike almost anywhere else in the world. According to regional surveys, over 90% of Saudi business professionals use WhatsApp as their primary work communication tool, and it is routine for relationship managers, compliance officers, and even board members to conduct substantive business — including sharing deal documents, discussing client positions, and coordinating regulatory responses — over the platform. This is the exact attack surface the Russian campaign is engineered to exploit.

Unlike corporate email, which typically sits behind multi-layered security stacks — SEGs, DLP, email authentication (DMARC/DKIM/SPF), SIEM alerting — WhatsApp communications at most Saudi financial institutions are largely invisible to the security team. There is no centralized logging, no DLP inspection, no anomaly detection, and no audit trail that satisfies SAMA CSCC Domain 4 (Information Asset Management) or NCA ECC Control 2-7 (Communications Security). When an attacker silently mirrors a CFO's WhatsApp, the SOC has no telemetry to detect it.

The SAMA CSCC and NCA ECC Compliance Angle

SAMA's Cyber Security Framework (CSCC) explicitly requires regulated entities to establish controls over all communication channels used for business purposes, including third-party consumer applications where they carry regulated data or materially affect business operations. Specifically, CSCC Domain 3 (Third-Party Cybersecurity) and Domain 5 (Human Cybersecurity) impose obligations around employee awareness and secure-by-design communication architectures.

NCA's ECC-2:2024 Control 2-7-1 requires that organizations classify communication channels by sensitivity and enforce appropriate access controls, encryption standards, and monitoring commensurate with the data classification. Using an unmanaged consumer messaging application to transmit customer data or internally sensitive information without compensating controls is a compliance gap that SAMA inspectors and NCA auditors have begun flagging directly in recent supervisory cycles. The Russian campaign makes this gap a live incident waiting to happen rather than a checkbox finding.

Under PDPL (Personal Data Protection Law), any unauthorized access to customer data — including communications containing customer names, account details, or transaction discussions — triggers notification and remediation obligations. A hijacked WhatsApp account belonging to a relationship manager could easily constitute a reportable PDPL breach.

The Mechanics of the Attack — Technical Detail for Security Teams

The QR-code variant of this attack exploits the "Link a Device" flow in WhatsApp Web and Signal Desktop. When a victim scans the attacker's QR code, believing it to be a verification step, they are actually authorizing the attacker's device as a fully trusted linked device. Signal and WhatsApp both support multiple simultaneous linked devices by design — this is a feature, not a flaw. The attacker receives a full copy of all messages going forward, delivered in real time, without any notification visible to the victim beyond a brief "new linked device" status in the app that most users ignore.

The phishing lure is typically delivered through a prior account compromise — a colleague, contractor, or trusted contact whose account has already been hijacked sends the malicious link from a trusted identity. This multi-hop chain dramatically increases success rates because the lure arrives from a recognized number, not a cold contact. GRU and SVR operators have been observed executing this as a five-step chain across multiple targets to reach a single high-value individual within an organization.

Immediate Actions for Saudi Financial Institutions

  1. Audit linked devices organization-wide. Direct employees to open WhatsApp → Settings → Linked Devices and terminate any sessions they do not recognize. Do this now, not next quarter. For Signal, the equivalent is Settings → Linked Devices. This audit should be completed within 72 hours for any employee with access to client data or sensitive internal systems.
  2. Enable Registration Lock (Signal PIN) and Two-Step Verification (WhatsApp). Both applications offer an additional PIN that must be entered when re-registering on a new device. Enforcing this across all employee accounts raises the attacker's cost significantly, though it does not address the linked-device vector — it must be paired with the audit above.
  3. Issue an immediate security awareness notice. Draft and distribute a one-page advisory to all staff clarifying that legitimate IT support, HR, compliance, or any support team will never ask for a verification code, PIN, or QR code scan via chat. Route it through a channel that cannot itself be compromised — email or the intranet portal.
  4. Enforce a formal Secure Communications Policy. Classify WhatsApp as a "non-approved channel for regulated data" and define which categories of information are prohibited from being shared on it. This satisfies SAMA CSCC Domain 3 obligations and provides an audit trail for inspectors. Approved alternatives for sensitive communications should be documented and enforced — options include Microsoft Teams with E5 compliance, Wickr Enterprise, or similar enterprise-grade platforms with audit logging.
  5. Implement out-of-band verification for sensitive requests. Any request received via WhatsApp or Signal — regardless of the sender's identity — that involves fund transfers, access changes, credential sharing, or executive instructions must be verbally verified over a separate, independently authenticated channel before action is taken. This is the single most effective control against the social engineering component of this campaign.
  6. Alert your SOC and threat intelligence team. Have them review recent inbound communications to executives and key personnel for patterns consistent with this campaign: messages from known contacts containing unusual links, QR codes, or urgency framing around account security. Cross-reference against CISA AA26-079A indicators.
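One way a SOC can operationalize step 6, as an added example that is not part of the advisory or of Fyntralink's own tooling: a small Python triage script that scores reported or exported chat messages against the lure pattern described above (support-team impersonation, a link or QR prompt, urgency framing around account security, a request for a code or PIN, and talk of linking a device). The indicator weights, the alert threshold and the sample messages are assumptions constructed for illustration, not values from AA26-079A; a message that scores above the threshold while arriving from a known contact is escalated, because the campaign relays lures through accounts it has already hijacked.

```python
"""Heuristic triage of chat messages for the 'fake support' linked-device lure.

Added example, not code from the advisory or the article. Indicator weights and
the threshold are assumptions chosen for illustration; tune them against your
own baseline of staff-reported phishing. Sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Each indicator: (name, compiled regex, weight). Weights are an assumption.
INDICATORS = [
    ("support_impersonation",
     re.compile(r"\b(whatsapp|signal)\s+(support|security|team|help)\b", re.I), 3),
    ("link", re.compile(r"https?://\S+", re.I), 2),
    ("qr_code", re.compile(r"\bqr[\s-]?code\b|\bscan\b", re.I), 3),
    ("urgency",
     re.compile(r"\b(within \d+ (hours?|minutes?)|immediately|urgent|locked out|"
                r"suspended|expir\w*)\b", re.I), 2),
    ("code_or_pin_request",
     re.compile(r"\b(verification code|6[\s-]digit|one[\s-]time|pin|otp)\b", re.I), 3),
    ("device_linking",
     re.compile(r"\blink(ed|ing)?\s+(a\s+)?(new\s+)?device", re.I), 2),
]
ALERT_THRESHOLD = 5  # assumption: minimum weighted score that raises an alert


@dataclass
class Message:
    msg_id: int
    sender: str
    known_contact: bool   # True if the sender is in the recipient's address book
    text: str


@dataclass
class Alert:
    msg_id: int
    sender: str
    score: int
    indicators: list = field(default_factory=list)
    priority: str = "medium"


def score_message(text: str):
    """Return (weighted score, matched indicator names) for one message body."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def triage(messages):
    """Flag messages at or above the threshold. A lure arriving from a known
    contact is escalated to high priority: the advisory describes the lure
    being sent from a colleague's already-hijacked account (multi-hop chain)."""
    alerts = []
    for m in messages:
        score, hits = score_message(m.text)
        if score < ALERT_THRESHOLD:
            continue
        priority = "high" if m.known_contact else "medium"
        alerts.append(Alert(m.msg_id, m.sender, score, hits, priority))
    # High-priority first, then by descending score.
    return sorted(alerts, key=lambda a: (a.priority != "high", -a.score))


# Constructed sample input: a benign message, a lure from an unknown number,
# and a lure relayed by a known colleague whose account is presumed hijacked.
SAMPLE_MESSAGES = [
    Message(1, "Ahmed (Treasury)", True,
            "Can you join the 3pm call on the Q2 liquidity review?"),
    Message(2, "+000 000 0000", False,
            "WhatsApp Security: suspicious login detected. Verify within 24 hours "
            "or your account will be suspended: https://verify.example.invalid/qr"),
    Message(3, "Sara (Compliance)", True,
            "Hey, Signal Support asked me to forward this. Please scan the QR code "
            "to link a new device and send me the 6-digit code so your account "
            "isn't locked out."),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_MESSAGES):
        print(f"[{a.priority.upper()}] msg {a.msg_id} from {a.sender}: "
              f"score={a.score} indicators={a.indicators}")
```

Run over the constructed sample, the benign message scores zero, the cold-contact lure is flagged at medium priority, and the lure relayed through a known colleague is flagged high and listed first; in practice the input would be the messages staff forward to the SOC mailbox, or exports collected during the linked-device audit in step 1.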

Conclusion

The FBI/CISA advisory is not a theoretical warning — thousands of accounts have already been compromised in this campaign, and the operational tempo of Russian intelligence services targeting financial sector communications shows no sign of slowing in 2026. The combination of near-universal WhatsApp adoption in Saudi business culture, limited visibility of consumer messaging apps within enterprise security stacks, and the active targeting of financial sector professionals by nation-state actors creates a risk concentration that demands a structured, policy-driven response — not just an email to employees asking them to "be careful."

SAMA CSCC compliance is not satisfied by awareness training alone; it requires documented, enforceable controls over the communication channels your people actually use. Now is the time to close that gap before an inspector — or an incident — forces the issue.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a review of your secure communications posture and WhatsApp exposure across critical roles.