The Security Service of Ukraine (SBU), together with the FBI, has uncovered a long-running cyber operation which, according to the Ukrainian intelligence service, is being conducted by Russian intelligence agencies. The goal of the campaign is to compromise messenger accounts — Signal, WhatsApp and other platforms — belonging to government officials, military personnel, politicians and activists in Ukraine, Europe and the United States. The attackers use SMS phishing, imitating official messenger service bots to steal account credentials. All users of secure messengers, especially those linked to government and military structures, are advised to immediately check active sessions and enable two-factor authentication.
Attack mechanism: SMS phishing posing as support
As the SBU reports, the attackers send victims SMS messages disguised as notifications from an official messenger support bot. The messages prompt users to disclose their account credentials — verification codes, PIN codes or recovery keys.
This social engineering method is effective for several reasons:
- The SMS channel is perceived by users as more trustworthy than email
- Impersonating an official messenger bot creates an illusion of legitimacy
- Urgent wording in the messages reduces critical thinking
The SBU stresses that the attacks target not only organizations, officials and public figures, but also the personal accounts of ordinary Ukrainian citizens. This points to the large scale of the operation, where personal contacts can be used as entry points to reach more valuable targets.
Threat context and attribution
The SBU directly linked the campaign to Russian intelligence services but did not name a specific hacking group. It is worth noting that, according to available information, the FBI also associates the ongoing phishing campaign against commercial messengers with Russian intelligence structures; however, no primary public FBI document on this matter could be found in accessible sources, so this detail should be treated with caution until the U.S. agency issues official confirmation.
In parallel, CERT-UA reported a separate but thematically related targeted phishing campaign against Ukrainian government organizations. This operation is attributed to the group UNC1151 (also known as Ghostwriter and UAC-0057), which is linked to Belarus. The attackers used compromised accounts to deliver malware — the infostealer OYSTERBLUES.
The combination of these events demonstrates coordinated pressure on the communications infrastructure of Ukrainian government structures from several directions at once.
Impact assessment
Compromise of messengers represents a critical threat to several categories of users:
- Military personnel and the defense sector — leakage of operational information, coordinates, plans
- Government officials — access to politically and economically sensitive correspondence
- Activists and journalists — exposure of sources, contacts, activity plans
- Ordinary citizens — use of their accounts as intermediate links in attacks on more significant targets
In the context of an active armed conflict, interception of military communications via messengers can have direct consequences on the battlefield. Messengers, originally positioned as secure communication channels, become priority targets precisely because users entrust them with the most sensitive information.
Practical recommendations
To reduce the risk of messenger account compromise, the following actions are necessary:
- Audit active sessions — check the list of connected devices in your messenger settings (Signal: Settings → Linked devices; WhatsApp: Settings → Linked devices). Disconnect any unfamiliar sessions immediately
- Enable two-factor authentication — activate a registration PIN in Signal and two-step verification in WhatsApp
- Never share verification codes — no legitimate service will request verification codes, PIN codes or recovery keys via SMS or in chat
- Do not scan QR codes from untrusted sources — a QR code can be used to link your account to an attacker’s device
- Ignore suspicious links — do not follow links or open files from unknown or dubious chats
- Inform your staff — for organizations: brief personnel about the current SMS phishing campaign, including concrete examples of impersonation of support bots
Given that the campaign is ongoing and spans several countries, the response priority is high. Checking active sessions and configuring two-factor authentication should be completed within the next 24 hours, especially by users connected to government, military or civil society structures. Organizations are advised to consider migrating to managed corporate messaging solutions with centralized session control if messengers are used for official communications.
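As an added illustration, not part of the SBU or FBI reporting, the following Python script turns the lure indicators from the attack-mechanism section (a claimed messenger support bot, a request for a verification code, PIN or recovery key, urgent wording) and the rule from the recommendations (no legitimate service asks for a code back) into a triage scorer for SMS texts that staff forward to a security team. The sample messages, the regular expressions and the weights are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Indicators from the campaign description above: claimed messenger support bot,
# request for a code/PIN/recovery key, urgent wording, and a link to follow.
BRAND = re.compile(r"\b(signal|whatsapp)\b", re.I)
SUPPORT_CLAIM = re.compile(r"\b(support|security|official|verification)\s+(bot|team|service)\b", re.I)
SECRET = r"(?:verification|security|registration|login|signal|whatsapp)\s+code|pin(?:\s+code)?|recovery\s+key|backup\s+key"
# A request to reveal the secret: an imperative verb shortly before the secret noun,
# but not a negated one ("never share your code" is what a real service says).
SECRET_REQUEST = re.compile(rf"(?<!not\s)(?<!n't\s)(?<!never\s)\b(?:send|reply\s+with|enter|provide|share|submit|confirm)\b"
                            rf"[^.!?\n]{{0,40}}?\b(?:{SECRET})\b", re.I)
# Normal delivery of a login code: the service states the code and never asks for it back.
CODE_DELIVERY = re.compile(rf"\b(?:{SECRET})\b\s+is[:\s]+[\d-]{{4,}}", re.I)
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|within\s+\d+\s+(minutes?|hours?)|will\s+be\s+(blocked|deleted|suspended|deactivated))\b", re.I)
LINK = re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}/\S*", re.I)

# (reason, weight, check); asking for the secret is decisive on its own (score >= 4).
INDICATORS = [
    ("asks recipient to hand over a code, PIN or recovery key", 4, SECRET_REQUEST.search),
    ("claims to be a messenger support bot", 2, lambda t: BRAND.search(t) and SUPPORT_CLAIM.search(t)),
    ("urgent wording", 1, URGENCY.search),
    ("contains a link", 1, LINK.search),
]

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    @property
    def suspicious(self) -> bool:
        return self.score >= 4

def score_sms(text: str) -> Verdict:
    """Score one reported SMS body against the lure indicators; weights are assumptions."""
    v = Verdict()
    for reason, weight, check in INDICATORS:
        if check(text):
            v.score += weight
            v.reasons.append(reason)
    if CODE_DELIVERY.search(text) and not SECRET_REQUEST.search(text):
        v.reasons.append("code delivery, not a request")
    return v

SAMPLES = {  # constructed for this example, not real campaign messages
    "lure": "Signal Support Bot: suspicious login detected. Reply with your registration PIN within 15 minutes or your account will be blocked.",
    "lure_link": "WhatsApp Security Team: verify your account at wa-verify.example/check immediately or it will be suspended.",
    "legit": "Your WhatsApp code is 482-113. Never share your WhatsApp code with anyone.",
    "chat": "Running late, see you at the cafe in 20 minutes.",
}
```

Calling `score_sms` on each entry of `SAMPLES` flags the two lures (the request for the PIN alone is enough; impersonation plus urgency plus a link reaches the threshold too), while the genuine code-delivery SMS and the ordinary chat message score zero.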