The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released an updated advisory concerning ongoing phishing attacks by Russian intelligence targeting Signal accounts. The new tactic involves persuading victims to provide their Signal Backup Recovery Key, which can allow attackers to restore account backups and access private message histories.
Details of the Attack
Once an attacker obtains the Recovery Key, they can take control of the account, including reading both private and group messages. Notably, the Recovery Key remains valid even if the user creates a new account with the same phone number, so the attacker can still use it. The advisory recommends that users generate a new key through the app’s settings to invalidate the old one, while acknowledging that any data the attacker accessed before this change may be compromised.
Target Profile and Attack Methods
The advisory identifies the targets as individuals of significant intelligence value, including current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The phishing attempts typically masquerade as messages from Signal support, asking users to enable backups and share their Recovery Key. Previous tactics included requests for SMS verification codes and account PINs, as well as deceptive group invite links that connected the attacker’s device to the victim’s account.
Official Response and Recommendations
The updated advisory, designated as PSA I-062626-PSA, also introduces two public tracking names, UNC5792 and UNC4221, linked to the Russian intelligence activity. The FBI attributes these phishing campaigns to multiple Russian Intelligence Services (RIS), including the FSB and military services. The State Department’s Rewards for Justice program is offering up to $10 million for information related to UNC5792.
Mitigation Measures
Users are advised to treat any in-app messages claiming to be from Signal support as potentially malicious. Legitimate support will not request sensitive information like codes or Recovery Keys through the app. Users should also regularly check their linked devices and remove any that appear unfamiliar. If a Recovery Key has been shared, generating a new one immediately is crucial; any previous backups may already have been accessed by unauthorized parties.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








