- Russian intelligence actors are using sophisticated phishing to steal Signal Backup Recovery Keys, allowing them to download and read a target’s entire message history and permanently compromise the account.
- Targets include high-value individuals such as government officials, military personnel, journalists, and Ukrainian officials, with thousands of accounts compromised globally.
- The U.S. State Department is offering up to $10 million via its Rewards for Justice program for information on the group UNC5792.
- Users should never share verification codes, PINs, or their Recovery Key in a chat, as legitimate support will never ask for them this way.
Russian intelligence services have escalated a global phishing campaign, now tricking high-value targets into surrendering their Signal Backup Recovery Keys, according to an updated joint advisory from the FBI and CISA. This new tactic, detailed in PSA I-062626-PSA, allows attackers to restore and read an account’s entire private and group message history. Consequently, even a new account created with the same phone number remains vulnerable to the old key.
The operation, attributed to groups tracked as UNC5792 and UNC4221, targets current and former government and military officials, political figures, and journalists. These actors pose as Signal support, using urgent messages about data recovery or mandatory two-factor authentication to manipulate victims. The encryption of the Signal app itself remains unbroken; the compromise relies entirely on social engineering.
Once a Recovery Key is obtained, attackers can download the message backup and take over the account permanently. The only remedy is for users to generate a new key in Settings, which invalidates the old one for future downloads. However, any messages pulled by the attacker before this step are already compromised.
This campaign expands on warnings first issued in March, which indicated thousands of Signal and WhatsApp accounts had been breached. The activity has also been documented by international agencies, including Dutch and German intelligence, and Google’s Threat Intelligence Group. Users are urged to check their Linked Devices settings and remove any unfamiliar connections immediately.
