WithSecure’s expert evaluates the twists and turns of Minister Mika Lintilä’s WhatsApp account hijacking.
Inka Soveri
- WithSecure’s (formerly F-Secure) cyber interpreter Janne Kauhanen does not consider it likely, but also not impossible, that a government actor was behind the hijacking of Minister Lintilä’s WhatsApp account.
- All the information received suggests that it was a scam in which the hijacked account can be used without the victim’s phone.
- According to Kauhanen, there are huge differences in the information security of messaging applications.
According to WithSecure’s cyber interpreter Janne Kauhanen, the WhatsApp account on the parliamentary phone of Minister of Economic Affairs Mika Lintilä (Centre) could very well have been hijacked without Lintilä noticing.
Lintilä told STT that the account was hijacked while he was at a dinner and did not have the parliamentary phone with him.
Such so-called zero-click hijackings are known to have taken place, but according to Kauhanen, their techniques are usually revealed at some point.
– I am not aware that such a vulnerability currently exists or is being exploited. But they are usually quite high-profile attacks, says Kauhanen.
However, Kauhanen does not consider it likely that a government actor was behind the hijacking of Lintilä’s WhatsApp account, although it is possible.
About Lintilä’s case
The fact that the hijacker intentionally exposed himself, which according to Kauhanen is amateurish, speaks in favor of an ordinary scam. In addition, Lintilä’s account was quickly recovered, i.e. it may have only required resetting the password, for example.
According to Kauhanen, the act may have been the work of a so-called “somebody” who took over the minister’s account.
– If a state actor had access to the minister’s messages, why would it be ruined by some trolling, when you could just sit quietly and read the messages until the end of the world? Kauhanen thinks.
– Of course, it’s about a minister, it’s not impossible that there isn’t a government actor behind it.
Usually scams
According to Kauhanen, hacks targeting WhatsApp are most often scams that can be easily executed. The account can be used without the victim’s phone.
– They don’t require technical hacking skills at all, but a clever plot with which you can perform. The classic thing is to pretend to be IT support and ask for usernames for testing something.
The most typical account hijacking is done, for example, by sending a message with a link that the victim is expected to click.
The fraudster can also try to get hold of a specific account, in which case he can try to appear more credible by posing, for example, as the administrator of the service.
– Then there are real technical attacks, which are based on some vulnerability, where, traditionally speaking, hacking is done. They are rarer, and professional companies usually have good data security. But they have been seen.
– Complex technical vulnerabilities are precisely the core area of state actors. None of the information I have received about the incident necessarily suggests that the vulnerability was in the WhatsApp application.
Signal for official communication
According to Kauhanen, there are huge differences in the information security of messaging applications. The choice of application depends on the purpose of use. According to Kauhanen, an application’s most important feature is that it reaches the people the user wants to reach.
– Signal is what all the authorities I know use to communicate serious matters.
According to Kauhanen, the concern with Telegram is who maintains it. The application has strong links to Russia and the Russian authorities, and through this perhaps to Russian-backed hacker groups.
– It should not be used in the name of any authority, but not necessarily by a private citizen either, even if no big secrets are dealt with there.
The Parliament’s guidelines keep communication on different messaging applications separate from each other, which the cyber interpreter considers basically a good idea.
Does it make sense in general for a minister-level person to use WhatsApp, or is it just a personal choice?
– Pretty much a personal choice, and how specific you are about your own data protection. Meta, the company behind WhatsApp, has announced that it will automatically read messages in the Facebook application. WhatsApp also got similar terms of use, meaning they target advertising.
What to do?
The information administration of the Parliament is investigating Lintilä’s phone.
– Basically, you have to find out what has happened: whether only the account or the application has fallen into someone’s possession, or whether the entire phone should be treated with suspicion, Kauhanen lists.
In the case of the minister, according to Kauhanen, even destroying the phone may be considered.
The WhatsApp user should also change the password, end active sessions and ensure that the account has not been installed on new, unexpected devices.
Two-step authentication and keeping track of the devices on which the application is installed and of its active sessions are good tools for improving WhatsApp security.
– If you suspect that the account has been taken over, you just have to be more specific about where you log in and whether it was the login page or something else.
What if there was a government actor behind the Lintilä case?
– Then the priority is to find out how the device was taken over, says Kauhanen.
Usually in these cases the entire device is taken over. According to the expert, it is necessary to find out which technical indicators were left on the device during the fraud and whether the same indicators are found on other devices. Typically, the attacker wants to secure a way back into the device as well as access to other devices.
Story edited on February 10, 2023 at 8:54 p.m.: Corrected the name of the information security company F-Secure, which is now WithSecure.