The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated public service announcement warning that Russian intelligence-linked threat actors have expanded an ongoing phishing campaign targeting Signal users. Rather than attempting to intercept authentication codes alone, the attackers are now seeking victims’ Signal Backup Recovery Keys, enabling them to restore encrypted cloud backups and gain access to historical conversations.
The latest advisory builds on an alert released in March 2026, when the agencies disclosed that Russian-backed operators were targeting users of commercial messaging applications, particularly Signal, through carefully crafted phishing campaigns. Those earlier attacks focused on compromising accounts by deceiving users into handing over verification codes, account PINs, or linking unauthorized devices to their Signal accounts, instead of defeating the application’s end-to-end encryption.
According to the FBI, the threat actors have refined their social engineering techniques by impersonating automated Signal support accounts and introducing a new objective: convincing users to disclose the recovery keys that protect their encrypted backups.
The agencies said the campaign continues to concentrate on individuals considered to be of intelligence value, including current and former U.S. government officials, government personnel from allied nations, military members, political figures, journalists, and officials located in Ukraine.
The activity has been attributed to Russian Intelligence Services (RIS), including officers associated with Russia’s Federal Security Service (FSB) Border Guards and additional actors operating on behalf of the Russian military. Security researchers publicly track the activity under the designations UNC5792 and UNC4221.
Phishing campaign evolves beyond account hijacking
The updated advisory describes a notable change in the attackers’ methods. Earlier phishing attempts largely sought one-time verification codes, Signal PINs, or persuaded victims to connect attacker-controlled devices to their accounts. The current campaign instead attempts to obtain the cryptographic recovery key used by Signal’s Secure Backups feature.
To begin the attack, the operators pose as Signal’s support team and distribute fraudulent messages claiming the messaging platform is introducing mandatory two-factor verification following an alleged increase in attacks carried out by hackers from Iran and post-Soviet countries. The messages falsely state that the security changes require users to configure Signal Backups in order to avoid losing conversations and media files.
Victims are instructed to navigate through the application’s backup settings, enable Secure Backups, reveal the Backup Recovery Key, copy it to the clipboard, and complete what appears to be a legitimate setup process.
Signal’s Secure Backups feature allows users to store encrypted copies of conversations on the company’s cloud infrastructure. Those backups remain protected through end-to-end encryption, with the Backup Recovery Key serving as the only credential capable of decrypting and restoring the archived data. Because Signal does not retain this key, anyone who obtains it can restore the encrypted backup onto another device.
After victims complete the initial steps, the attackers send a second phishing message while continuing to impersonate Signal support. This follow-up communication claims the user’s account is experiencing a synchronization problem and warns that stored messages and media could be permanently lost unless immediate action is taken.
The fra
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: