The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an update to their previous warning regarding Russian intelligence operations attempting to compromise Signal accounts. The updated advisory highlights a new tactic in which attackers persuade users to disclose their Signal Backup Recovery Key, a critical piece of information that enables access to message history and control of the account.
Heightened Threat of Signal Account Compromise
The theft of a Backup Recovery Key allows attackers to restore an account’s backup, thereby gaining full access to private and group conversations. Even if a user creates a new account with the same phone number, the previously stolen key remains valid, posing a continuous threat. To mitigate this risk, users are advised to generate a new key through the app’s settings, effectively invalidating the compromised one.
Advisory Details and Target Identification
The advisory, identified as PSA I-062626-PSA, introduces public tracking identifiers UNC5792 and UNC4221, which were absent in the initial March notice. The FBI attributes these activities to multiple Russian Intelligence Services (RIS) groups, including units within the Federal Security Service (FSB) and military intelligence structures. Targets include high-profile individuals such as government officials, military personnel, journalists, and political figures, with a significant focus on those in the United States and Ukraine.
Phishing Techniques and Protective Measures
The phishing attempts masquerade as legitimate communication from Signal support, instructing targets to activate Signal backups and share their Recovery Key under the guise of security updates or data recovery processes. Users are warned to treat any in-app message asking for codes or keys as suspicious, as genuine support does not request such information through the app. Immediate actions include checking linked devices and revoking access to any unfamiliar ones.
The advisory underscores that Signal’s encryption remains uncompromised; the vulnerability lies in the exploitation of user trust through social engineering. The United States Department of State has also announced a reward of up to $10 million for information leading to the identification of those responsible for these operations.
International Collaboration and Future Outlook
This development intersects with alerts from Dutch, German, and French intelligence agencies, which reported similar threats earlier this year. Google’s Threat Intelligence Group previously documented the exploitation of Signal’s linked-device feature by UNC5792, with similar tactics observed against other messaging platforms such as WhatsApp and Telegram. Users are urged to remain vigilant, as the tactics employed by these hackers continue to evolve, focusing on exploiting the human element as the primary vulnerability.
