The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned that Russian intelligence hackers have adopted a new tactic against Signal users by attempting to steal backup recovery keys instead of verification codes, giving them access to victims’ encrypted message history.
The updated public service announcement expands on an advisory released in March, which warned that Russian intelligence services were targeting users of secure messaging apps through phishing campaigns. According to the FBI, the attackers have now shifted their focus to Signal Backup Recovery Keys, allowing them to restore message backups and access historical conversations without breaking Signal’s end-to-end encryption.
The campaign is attributed to Russian Intelligence Services (RIS), including operators associated with the Federal Security Service (FSB) and other military intelligence-linked groups. The activity is publicly tracked as UNC5792 and UNC4221. The primary targets include current and former government officials, military personnel, journalists, political figures, and officials connected to Ukraine.
Unlike previous phishing attempts that sought one-time verification codes or account PINs, the latest messages encourage victims to enable Signal backups and then share their Backup Recovery Key under the guise of a mandatory security update or data recovery procedure.
If a victim provides the recovery key, attackers can restore the account’s encrypted backups, read both private and group conversations, and potentially maintain access to future backups. According to the FBI, this access can persist even if the victim changes devices or creates a new Signal account using the same phone number, unless a new recovery key is generated.
The agencies emphasized that the attacks do not exploit vulnerabilities in Signal itself. Instead, they rely entirely on social engineering: phishing messages that impersonate Signal support and persuade users to hand over sensitive account credentials.
Researchers say some of the phishing messages falsely claim that Signal is rolling out mandatory two-factor authentication following increased attacks from foreign hackers. Other messages warn that the user’s conversations are at risk of being lost unless they complete an urgent recovery process, and direct them to reveal their Backup Recovery Key.
The FBI advises users never to share their Backup Recovery Key, verification code, or PIN with anyone, even if the request appears to come from Signal. Users should also regularly review the app’s linked devices, remove any unfamiliar connections, and generate a new Backup Recovery Key if they suspect it may have been exposed.