Full Report
The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the account's backup, read the private and group message history, and take over the account. Worse, the key keeps working until the victim rotates it.
Analysis Summary
# Threat Actor: Russian Intelligence Services (RIS) / UNC5792
## Attribution & Identity
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) attribute this activity to multiple **Russian Intelligence Services (RIS)** groups.
* **Known Aliases:** UNC5792, UNC4221.
* **Known Associations:** FSB (Federal Security Service) officers embedded with FSB Border Guards, and operators working for Russian military intelligence services (GRU).
* **Bounty:** The U.S. State Department's "Rewards for Justice" program is offering up to $10 million for information leading to the identification of UNC5792.
## Activity Summary
Since early 2025, these actors have engaged in a global phishing campaign targeting secure messaging applications. While a March 2026 warning focused on account hijacking via SMS codes, a June 2026 update reveals a new, more persistent tactic: the theft of **Signal Backup Recovery Keys**. This allows attackers to recover historical message archives and maintain access even if a user creates a new account on the same phone number.
## Tactics, Techniques & Procedures
* **Social Engineering (Phishing):** Threat actors pose as official "Signal Support" through in-app messaging.
* **Credential/Key Harvesting:** Coaxing users into providing SMS verification codes, account PINs, or the 30-digit Signal Backup Recovery Key.
* **Rogue Device Linking:** Using doctored "group invite" links to silently link an attacker-controlled device to the victim's account.
* **Persistence:** By obtaining the Backup Recovery Key, attackers can restore backups and read private/group message history indefinitely, as the key remains valid even after account recreation unless manually rotated.
* **MITRE ATT&CK IDs (Inferred):**
    * T1566.003 (Phishing: Spearphishing Service)
    * T1098.003 (Account Manipulation: Add Public Key)
    * T1539 (Steal Web Session Cookie/Linked Device Session)
    * T1411 (Inter-Application Communication)
## Targeting
* **Sectors:** Government, Military, Political, Media/Journalism.
* **Geography:** Primarily the United States and Ukraine, with targets worldwide.
* **Victims:** Current and former government officials, military personnel, political figures, and journalists. The campaign has reportedly compromised thousands of accounts.
## Tools & Infrastructure
* **Malware:** No specific malware family is involved; the campaign abuses legitimate Signal and WhatsApp features (device linking and backup restore) rather than exploiting a software flaw.
* **Infrastructure:**
    * Impersonation of "Signal Support" within the app.
    * Malicious "group invite" URIs.
    * Phishing lures regarding "Two-Factor Authentication Rollouts" or "Urgent Data Recovery."
## Implications
This campaign demonstrates that the encryption of Signal remains secure; however, the **user is the weak point**. By obtaining the recovery key, Russian intelligence bypasses end-to-end encryption by simply "restoring" the data as a legitimate user. This allows for deep intelligence harvesting of private communications and group memberships, with a high degree of stealth and persistence.
## Mitigations
* **Key Rotation:** If a breach is suspected, users must generate a **new** Backup Recovery Key in Signal Settings. This invalidates the old key and prevents future backup downloads by the attacker.
* **Session Management:** Regularly audit "Linked Devices" in Signal/WhatsApp settings and remove any unrecognized entries.
* **Security Hygiene:** Never share SMS verification codes, PINs, or Recovery Keys via chat. Official support for these apps will never ask for this information within the app.
* **Verification:** Treat all unsolicited "Support" messages as hostile.
* **Detection:** Organizations should advise high-value targets to monitor for unusual "new device linked" notifications.
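As an added example (not part of the FBI/CISA advisory and not code from Signal, WhatsApp or any vendor), the following Python puts the Tactics section and the Detection/Session Management mitigations into a small triage routine: it scores a user-reported chat message against the lure indicators named above (impersonated "Signal Support", requests for SMS codes, PINs or the Backup Recovery Key, the "Two-Factor Authentication Rollout" and "Urgent Data Recovery" themes, group-invite links) and flags "device linked" events whose device is not on a user's known-device list. The log line format, the scoring weights and the 30-digit key pattern (taken from the summary's description of the key) are assumptions made for illustration, and all sample messages and log lines are constructed.

```python
import re
from dataclasses import dataclass, field

# --- Part 1: triage of a user-reported chat message ---------------------------
# Indicators mirror the advisory summary; the weights are an assumption for this
# example, not a published scoring scheme.
IMPERSONATION = re.compile(r"\b(?:signal|whatsapp)\s+support\b", re.I)
SECRET_REQUEST = re.compile(
    r"\b(?:verification code|sms code|one[- ]time code|account pin|"
    r"registration lock pin|backup recovery key|recovery key)\b", re.I)
LURE_THEME = re.compile(
    r"\b(?:two[- ]factor authentication rollout|2fa rollout|urgent data recovery)\b", re.I)
# 30 digits, optionally separated by spaces or dashes as the app displays them
# (30-digit format as described in the summary; assumed here).
KEY_SHAPED = re.compile(r"(?<![\d-])(?:\d[ -]?){30}(?![\d-])")
GROUP_INVITE = re.compile(r"https?://(?:signal\.group/|chat\.whatsapp\.com/)", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so that impersonation plus a secret request trips it.
        return self.score >= 3


def triage_message(text: str) -> Verdict:
    """Score a reported message against the campaign's lure indicators."""
    v = Verdict()
    checks = [
        (IMPERSONATION, 2, "sender claims to be app support"),
        (SECRET_REQUEST, 2, "asks for a code, PIN or recovery key"),
        (KEY_SHAPED, 2, "contains a 30-digit key-shaped string"),
        (LURE_THEME, 1, "uses a known lure theme"),
        (GROUP_INVITE, 1, "carries a group-invite link"),
    ]
    for pattern, weight, reason in checks:
        if pattern.search(text):
            v.score += weight
            v.reasons.append(reason)
    return v


# --- Part 2: audit of "device linked" events ----------------------------------
# Constructed log format for this example (not a real Signal or MDM format):
#   <ISO timestamp> user=<id> app=<signal|whatsapp> event=<name> [device="<label>"]
EVENT_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) event=(?P<event>\S+)'
    r'(?: device="(?P<device>[^"]*)")?$')


def audit_linked_devices(log_lines, known_devices):
    """Return device_linked events whose device is not on the user's known list."""
    alerts = []
    for line in log_lines:
        m = EVENT_LINE.match(line.strip())
        if not m or m["event"] != "device_linked":
            continue
        expected = known_devices.get((m["user"], m["app"]), set())
        if m["device"] not in expected:
            alerts.append({"ts": m["ts"], "user": m["user"],
                           "app": m["app"], "device": m["device"]})
    return alerts


# Constructed sample data for a stand-alone run.
SAMPLE_MESSAGES = [
    "Hello, this is Signal Support. As part of the Two-Factor Authentication "
    "Rollout we need you to confirm your Backup Recovery Key to keep your history.",
    "Are we still on for lunch at 12:30?",
]
SAMPLE_LOG = [
    '2026-06-03T14:02:11Z user=j.doe app=signal event=message_sent',
    '2026-06-03T14:05:40Z user=j.doe app=signal event=device_linked device="Desktop (work laptop)"',
    '2026-06-03T14:09:02Z user=j.doe app=signal event=device_linked device="Desktop"',
]
KNOWN_DEVICES = {("j.doe", "signal"): {"Desktop (work laptop)"}}

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage_message(msg)
        print("SUSPICIOUS" if v.suspicious else "ok", v.score, v.reasons)
    for alert in audit_linked_devices(SAMPLE_LOG, KNOWN_DEVICES):
        print("ALERT unknown linked device:", alert)
```

The message scoring is deliberately conservative: a single indicator (a group-invite link on its own, or a lone lure phrase) does not reach the threshold, while the combination the advisory describes, a "support" sender asking for a code or recovery key, does. The device audit keys the allowlist on (user, app) so that a work laptop known for Signal does not silently cover an unknown device linked to the same person's WhatsApp account.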