Full Report
Russia-linked hacking groups tracked as UNC5792 and UNC4221 have socially engineered their way into the messaging accounts of government officials.
Analysis Summary
Below is a structured summary of the threat actor information provided in the article.
# Threat Actor: UNC5792 and UNC4221
## Attribution & Identity
* **UNC5792:** Attributed to the Russian Federal Security Service (FSB) and Border Guards.
* **UNC4221:** Attributed to Russian military intelligence (likely GRU).
* **Associated State:** Russia.
## Activity Summary
These actors are engaged in a long-running cyber-espionage campaign focused on compromising encrypted messaging accounts. Recently, the U.S. State Department’s Rewards for Justice program offered a $10 million reward for information on these groups. Their operations involve social engineering to gain persistent access to private communications and have recently evolved to target backup recovery mechanisms.
## Tactics, Techniques & Procedures
* **Social Engineering:** Impersonating official platform support services via text message to solicit credentials.
* **Credential Theft:** Tricking victims into revealing verification codes, account PINs, and backup recovery keys.
* **Unauthorized Device Linking:** Modifying legitimate Signal group invitation pages so that they redirect victims to a malicious link; following it lets the attackers link their own devices to the victim's account.
* **Persistence:** Exfiltrating backup recovery keys which remain valid even if the user changes their phone number.
* **MITRE ATT&CK IDs:**
  * T1566 (Phishing)
  * T1098.003 (Account Manipulation: Additional Cloud Roles / device linking)
  * T1539 (Steal Web Session Cookie), mapped here to the theft of recovery keys
## Targeting
* **Sectors:** Government, Military, Media (Journalists), Political Activism.
* **Geography:** Ukraine, Europe, and the United States.
* **Victims:** High-profile individuals, government officials, military personnel, and activists.
## Tools & Infrastructure
* **Targeted Platforms:** Signal and WhatsApp.
* **Infrastructure:**
  * Malicious redirect links disguised as legitimate Signal invitations.
  * Attacker-controlled devices used to link to compromised accounts.
  * SMS delivery systems for impersonation messages.
## Implications
The focus on backup recovery keys indicates a strategic shift toward long-term persistence that survives standard account security rotations such as a phone number change. By compromising encrypted messaging accounts, these actors gain access to sensitive military, political, and economic intelligence that is often discussed in "secure" channels; they bypass the platforms' core encryption not by breaking it but by targeting the human element and the endpoint.
## Mitigations
* **Hardware Security Keys:** Utilize physical security keys for multi-factor authentication where supported.
* **Application-Specific PINs:** Enable Signal's "Registration Lock" PIN and WhatsApp's "Two-Step Verification" PIN, and never share them with anyone.
* **Verification:** Never share verification codes or recovery keys with any party, including those claiming to be "Support."
* **Link Scrutiny:** Thoroughly inspect group invitation links; avoid clicking links in unsolicited SMS messages.
* **Session Management:** Regularly audit "Linked Devices" within messaging apps and unpair any unrecognized sessions.