
Russian intelligence shifts Signal phishing to backup recovery keys


CyberSecureFox Editorial Team


FBI and CISA have updated their March warning about a Russian intelligence phishing campaign targeting Signal users. According to the updated bulletin PSA I-062626-PSA, the operators have added a new tactic: instead of one-time verification codes, they now trick victims into handing over their Signal Backup Recovery Key. Once they obtain this key, the attacker can restore the entire account backup, read the history of private and group messages, and seize control of the account. The campaign targets current and former government officials, military personnel, politicians, journalists and officials of Ukraine. The key protective measure is to immediately generate a new backup recovery key in Signal settings.

Evolution of the tactic: from verification codes to encryption keys

The March bulletin PSA260320 described earlier waves of attacks in which operators asked victims for SMS verification codes and account PINs, and also used fake “group invitation” links that allowed them to quietly link the attacker’s device to the victim’s account. The updated version of the campaign is fundamentally different in the scale of its consequences.

Now the phishing message, disguised as a notification from Signal support, walks the victim step by step through the process: enabling backups, opening the backup recovery key, and pasting it into the chat. The bulletin provides two lure samples — one framed as a mandatory two-factor authentication update, the other as an urgent “data recovery” for messages supposedly at risk of being lost.

A critically important detail: the recovery key remains valid even after creating a new account on the same phone number. This means that a single compromise of the key gives the attacker ongoing access to future backups until the victim generates a new key. The tactic of stealing recovery keys, according to the bulletin, is specific to Signal, although the broader campaign also affects WhatsApp and Telegram.

The agencies emphasize that none of the described attacks break Signal’s encryption or exploit vulnerabilities in the app. Compromise occurs solely through social engineering and abuse of legitimate messenger features.

Attribution and scale of the campaign

The updated bulletin for the first time publicly names two groups behind the campaign: UNC5792 and UNC4221. According to the FBI, the activity is linked to several units of the Russian security services, including FSB officers seconded to the Border Service of the FSB, as well as entities working for Russian military agencies. It should be noted that this attribution is based on a single government bulletin and has not been independently confirmed by other researchers.

Google Threat Intelligence Group documented UNC5792’s abuse of the Signal device-linking feature in early 2025 and observed similar methods being used against WhatsApp and Telegram. The March bulletin reported that by that point the campaign had already compromised thousands of accounts worldwide.

In parallel, the U.S. Department of State, through the Rewards for Justice program, announced a reward of up to $10 million for information on UNC5792 — underscoring how seriously the U.S. government views this threat.

Who is being targeted

The campaign’s target audience consists of individuals with high intelligence value:

  • Current and former government officials in the U.S. and other countries
  • Military personnel
  • Political figures
  • Journalists
  • Officials of Ukraine

However, the attack mechanism itself — phishing via messenger — does not require complex infrastructure and can be scaled to any category of Signal users. The thousands of already compromised accounts confirm that the campaign’s reach extends far beyond its initial priority targets.

Protection recommendations

  • Assume any in-app message from “support” in Signal is hostile. Legitimate Signal support does not send messages inside the app and does not request codes, PINs or recovery keys.
  • Never paste your Backup Recovery Key, verification code or PIN into a chat. No legitimate process will ever require you to transmit this data in that way.
  • Check your linked devices: open Settings → Linked Devices and remove anything you do not recognize.
  • If you have already shared your recovery key — immediately generate a new one in Signal settings. The old key will be invalidated for future backup downloads, but anything the attacker has already downloaded should be considered compromised.
  • Notify your contacts: if your account has been compromised, warn your correspondents — the attacker may have sent messages impersonating you.

The shift from stealing one-time codes to obtaining a key that unlocks the entire message archive is a qualitative escalation. A one-time code grants access to a session; a recovery key opens the full message history, and that access persists until the key is forcibly rotated. The only action that reliably cuts off the attacker’s access to future backups is generating a new Backup Recovery Key in Signal settings. If you fall into any of the listed target categories, do this now instead of waiting for signs of compromise.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
