The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have updated a cybersecurity advisory originally issued in March, warning that Russian intelligence-linked threat actors have adopted a new phishing technique aimed at compromising Signal accounts by stealing users’ Backup Recovery Keys. According to the updated advisory, identified as PSA I 062626 PSA, attackers are no longer relying solely on verification codes or account PINs. Instead, they are convincing victims to reveal their Signal Backup Recovery Key, which allows them to restore account backups, access private and group message history, and potentially take control of the account. Authorities warned that the recovery key remains valid even if a user creates a new Signal account using the same phone number, making it a persistent security risk unless a new recovery key is generated through the application’s settings. Officials emphasized that replacing the recovery key invalidates the previous one for future backup downloads, although any information already accessed by attackers cannot be recovered.
The updated advisory also introduces two publicly tracked threat clusters, UNC5792 and UNC4221, which were not identified in the earlier warning. The FBI attributes the campaign to multiple Russian Intelligence Services groups, including officers associated with the FSB Border Guards and personnel linked to Russian military intelligence. The campaign targets both Signal and WhatsApp accounts, although the newly documented Backup Recovery Key phishing technique specifically affects Signal users. Authorities said the attackers continue to focus on individuals considered to have high intelligence value, including current and former government officials from the United States and other countries, military personnel, political figures, journalists, and officials in Ukraine. According to the original March advisory, the broader phishing operation had already resulted in the compromise of thousands of messaging accounts worldwide through carefully crafted social engineering attacks targeting trusted communication platforms.
Investigators explained that the phishing campaign impersonates Signal support through convincing in-application messages designed to create urgency and persuade users to share sensitive account information. Earlier phases of the operation requested SMS verification codes or account PINs, or encouraged victims to click manipulated group invitation links that silently connected an attacker’s device to the victim’s account. The latest campaign guides users through enabling Signal backups, opening the Backup Recovery Key, and sending it directly to the attacker through chat messages. Sample phishing messages referenced in the advisory falsely claim to introduce mandatory two-factor authentication updates or urgent message recovery procedures intended to prevent data loss. The FBI and CISA stressed that these attacks do not exploit weaknesses in Signal’s encryption or compromise the application itself. Instead, attackers rely entirely on social engineering to persuade users into voluntarily disclosing sensitive credentials, which then allow legitimate account features to be abused.
Alongside the updated advisory, the U.S. Department of State’s Rewards for Justice program announced a reward of up to 10 million dollars for information related to UNC5792. The latest warning also aligns with earlier advisories issued by intelligence and cybersecurity agencies in the Netherlands, Germany, and France, while Google’s Threat Intelligence Group previously documented UNC5792 abusing Signal’s linked device feature in early 2025 before observing similar tactics targeting WhatsApp and Telegram. Security agencies are advising users to treat any in-application message claiming to originate from Signal support as suspicious, because legitimate support teams do not request verification codes, account PINs, or Backup Recovery Keys through chat conversations. Users are encouraged to regularly review the linked devices connected to their accounts, remove any unfamiliar devices, and immediately generate a new Backup Recovery Key if they suspect it has been disclosed. Authorities noted that while Signal’s encryption remains secure, attackers continue to target the account holder through sophisticated social engineering rather than attempting to compromise the platform itself.
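The two preceding paragraphs describe the lure (a message posing as Signal support, built around urgency, that asks for a verification code, PIN or Backup Recovery Key) and the defensive rule (legitimate support never asks for those in chat). The following is an added example, not code from the advisory, the FBI/CISA or Signal, of how a defender might turn that rule into a simple rule-based screener, for instance behind an organisation’s awareness bot or a reporting inbox where employees forward suspicious messages. The indicator lists and the sample messages are constructed assumptions drawn only from the advisory’s description; they are not an official ruleset.

```python
"""Rule-based screener for chat messages that impersonate messaging-app support
and ask for account secrets.  Added example: the indicator patterns below are
assumptions drawn from the advisory's description, not an official ruleset."""
import re
from dataclasses import dataclass, field

# Each rule is (case-insensitive regex, label).  Three indicator groups mirror
# the advisory: who the sender claims to be, how they create urgency, and
# which secret they ask for.
IMPERSONATION = [
    (r"\b(signal|whatsapp)\s+(support|team|security)\b", "claims to be platform support"),
    (r"\bofficial\s+(signal|whatsapp)\b", "claims to be official"),
]
URGENCY = [
    (r"\burgent(ly)?\b", "urgency wording"),
    (r"\bimmediately\b", "urgency wording"),
    (r"\bwithin\s+\d+\s+(hours?|minutes?)\b", "deadline"),
    (r"\bmandatory\b", "mandatory-update framing"),
    (r"\b(prevent|avoid)\s+(data\s+)?loss\b", "data-loss threat"),
]
CREDENTIAL_REQUEST = [
    (r"\b(backup\s+)?recovery\s+key\b", "asks for recovery key"),
    (r"\bverification\s+code\b", "asks for verification code"),
    (r"\b(account\s+pin|pin\s+code|your\s+pin)\b", "asks for PIN"),
]


@dataclass
class Assessment:
    verdict: str                      # "block", "warn" or "ok"
    indicators: list = field(default_factory=list)


def _hits(text, rules):
    """Return the de-duplicated labels of every rule that matches the text."""
    labels = [label for pattern, label in rules if re.search(pattern, text, re.IGNORECASE)]
    return list(dict.fromkeys(labels))


def assess_message(text: str) -> Assessment:
    """Score one message.  A request for a secret combined with either a
    support claim or urgency is the advisory's lure shape and is blocked;
    a lone secret request or a lone support claim is flagged for review."""
    impersonation = _hits(text, IMPERSONATION)
    urgency = _hits(text, URGENCY)
    credential = _hits(text, CREDENTIAL_REQUEST)
    if credential and (impersonation or urgency):
        verdict = "block"
    elif credential or impersonation:
        verdict = "warn"
    else:
        verdict = "ok"
    return Assessment(verdict, impersonation + urgency + credential)


# Constructed sample messages (not taken from the advisory or any real case).
SAMPLES = {
    "support_lure": ("Signal Support: a mandatory two-factor authentication update is "
                     "required. Open Settings, tap Backup Recovery Key and send it here "
                     "immediately to prevent data loss."),
    "pin_deadline": ("Reminder: your account PIN must be confirmed within 24 hours. "
                     "Reply with the PIN to keep your messages."),
    "code_request": "Could you send me the verification code you just received? Thanks!",
    "support_only": "Hi, this is the Signal team following up on your ticket.",
    "benign": "Are we still on for lunch tomorrow?",
}


def screen_all(samples=None) -> dict:
    """Map each sample name to its verdict."""
    samples = SAMPLES if samples is None else samples
    return {name: assess_message(text).verdict for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess_message(text)
        print(f"{name:13s} {result.verdict:5s} {result.indicators}")
```

The screener is deliberately conservative in what it blocks: only the combination the advisory describes (a secret requested together with a support claim or a deadline) is blocked outright, while a lone request for a code or an unsolicited “support” greeting is surfaced for a human to look at. Pattern lists like these need tuning against real traffic; the point of the example is the decision logic, not the specific regexes.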