Poland builds its own Signal amid security concerns

Shift comes amid mounting reports of successful social engineering attacks targeting higher-ups in government

The Polish government is urging public officials and “entities within the National Cybersecurity System” to stop using Signal, directing them to instead use an encrypted messenger developed by a leading Polish research organization.

In an announcement on Friday, the government stated that Signal comes with security risks, including social engineering attacks orchestrated by advanced persistent threat (APT) groups.

“National-level Computer Security Incident Response Teams (CSIRTs) have identified phishing campaigns conducted by APT groups linked to hostile state agencies,” the announcement says. “These attacks target, among others, public figures and government employees.”

Offering examples of these social engineering campaigns, the government said attackers impersonate Signal support staff and abuse this perceived trust to take over victims’ accounts.

Attackers trick users into opening malicious links by sending messages designed to create a sense of urgency, such as those supposedly informing them of their account being blocked.

Successful attempts can expose victims’ phone numbers and, crucially, messages sent between government officials, potentially threatening national security.

A more detailed advisory cited “recent security incidents” related to Signal as reasons for the change.

It didn’t specify what these recent attacks were, or even who was behind them, but it can be reasonably assumed that the Polish government was indirectly referencing Russia’s phishing attempts against both Signal and WhatsApp, which were revealed in March.

Dutch intelligence agencies AIVD and MIVD reported a “large-scale” campaign targeting their own government officials, noting that some attacks were successful.

“The Russian hackers have likely gained access to sensitive information,” the AIVD and MIVD said, adding that successful attacks were carried out on government bods as well as journalists.

Beyond Signal support staff impersonation, the agencies said the attacks can also involve outsiders persuading victims to surrender their verification codes or PINs, or abusing the platform’s Linked Devices feature via QR codes to take control of accounts.

The FBI, CISA, and the German information security department issued near-identical warnings.

The alternative

Poland announced the launch of mSzyfr Messenger in March, saying it was designed for use by public administration entities, those involved in the National Cybersecurity System, and others to be decided by the government.

Developed by the Ministry of Digital Affairs and the Scientific and Academic Computer Network – National Research Institute (NASK), mSzyfr was touted by the government as “the first secure instant messenger fully under Polish jurisdiction.”

It does, however, rely on multi-factor authentication (MFA) provided by US megacorps. Microsoft is the recommended option, but users can also opt for Google or FreeOTP.

Further, if users want to retain access to messages even after logging out of the platform, they must set up a recovery key, which the installation manual suggests storing in a password manager.

That undercuts the government’s emphasis on Polish jurisdiction somewhat, since many popular password managers are either foreign-owned or open source.

An FAQ document for mSzyfr states that the messenger is built with a privacy-by-design philosophy, and explicitly notes that neither WhatsApp nor Signal fits this description. It also claims the US-based platforms are not GDPR-compliant.

The mSzyfr app is not publicly available. Only individuals working for approved organizations are able to receive invites to join the platform.

It replaces Swiss-founded Threema, which the Polish government began endorsing for state officials and law enforcement in 2022, but data such as messages cannot be transferred because of the apps’ encrypted nature.

All Threema users should expect to receive an invite to mSzyfr in the near future, if they have not already.

The Register asked Signal to comment on Poland’s announcement, but it did not immediately respond.

It did, however, recently address security concerns raised by various intelligence agencies last week, introducing new warnings and alerts inside the platform to help users weed out potential impostors and bad actors. ®
