Russian intelligence operatives are targeting Signal users connected to Ukraine with a new phishing campaign designed to steal encrypted message archives, according to a new warning from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA).
The advisory updates guidance first issued in March, revealing a change in tactics. Rather than focusing solely on one-time verification codes and account PINs, the attackers are now attempting to convince victims to hand over their Signal Backup Recovery Keys, allowing them to access historical conversations stored in encrypted backups.
The campaign is aimed at individuals considered to be of high intelligence value, including current and former government officials, military personnel, political figures, journalists, and Ukrainian officials. The FBI said the activity has been linked to multiple Russian intelligence service cyber threat groups, including operations publicly tracked as UNC5792 and UNC4221.
The groups previously abused Signal’s device-linking feature with fake group invites and phishing pages disguised as trusted Ukrainian military services, allowing them to monitor conversations without compromising Signal’s encryption.
The phishing messages pose as Signal support and warn that users risk losing their messages and media unless they enable backups or verify their accounts. Victims are then walked through the process of turning on backups before being asked to copy and paste their Backup Recovery Key into the chat.
The agencies stressed that Signal itself has not been compromised. Instead, the campaign relies on social engineering to persuade users to surrender credentials that give attackers access to the victims' own accounts and backups.
Recovery keys are a far more valuable prize. Unlike one-time verification codes, they remain valid after an account is recreated using the same phone number. Unless the victim generates a new key in Signal’s settings, the attackers can continue using the old one to access future backups.
Even so, rotating the recovery key cannot undo any damage already done. If the attackers have already downloaded an encrypted backup, changing the key only prevents access to future backups, not to the copy they already hold.
The phishing messages themselves attempt to add credibility by falsely claiming Signal is introducing mandatory two-factor verification following investigations with the US government and European partners into attacks by hackers from Iran and post-Soviet countries.
The FBI urged anyone targeted by the campaign never to share verification codes, account PINs, or backup recovery keys, and reminded users that legitimate support services will not ask for them. Anyone who believes they have fallen victim to the campaign should generate a new Backup Recovery Key immediately and report the incident to the relevant authorities.