Russian Hackers Now Steal Signal Backup Keys to Read Old Messages

bleepingcomputer.com · @deep_condor · 3 hours ago · Cybersecurity · 3 comments

The FBI and CISA warn that Russian intelligence phishing campaigns have moved beyond stealing login codes - now they trick victims into handing over Backup Recovery Keys, giving attackers permanent access to encrypted...

Tags: FBI, CISA, Signal, Russian intelligence, phishing, backup recovery keys

Russian intelligence services are no longer satisfied with stealing your Signal login codes. The FBI and CISA updated their advisory today to warn that the phishing activity tracked as UNC5792 and UNC4221 now targets Signal Backup Recovery Keys - the cryptographic keys that unlock the end-to-end encrypted message backups stored on Signal's cloud servers.

The Phishing Flow: Two Messages, One Goal

The attackers first impersonate Signal support with a message claiming that mandatory two-factor verification is being rolled out after alleged attacks by hackers from Iran and post-Soviet countries. The target is walked through Signal's Secure Backups setup: Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key. The victim ends up with a cloud backup encrypted under their own recovery key - and that key is what the attacker is after.

A second message follows, posing as Signal support warning that data is at risk of permanent loss due to a sync issue. The victim is instructed to paste their recovery key directly into the chat. At that point the attacker has everything needed to restore the backup to their own device and read every private and group conversation in the victim's history.

Why This Changes the Game

Previous versions of this campaign targeted verification codes, account PINs, or tricked users into linking attacker-controlled devices to their Signal account. Those attacks gave temporary access. A stolen Backup Recovery Key is permanent: the attacker downloads the encrypted backup once and holds it forever. The FBI explicitly warns that creating a new Signal account with the same phone number does not invalidate a stolen key. Users must manually generate a new Backup Recovery Key through Signal's backup settings, and even that only prevents future downloads - it cannot revoke backups already exfiltrated.
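The exposure described in this section, worked through in code as an added example (not Signal's code and not from the BleepingComputer article). The cipher is a deliberately simple HMAC-SHA256 keystream with a MAC tag, not Signal's real backup format; the phone number, chat contents and the `Account` class are constructed for the demonstration. What it shows is the contrast the advisory draws: a linked device is cleared by re-registering, a stolen recovery key is not, and rotating the key only protects backups made after the rotation.

```python
"""Toy model of why a stolen Backup Recovery Key outlives re-registration and why
rotating it cannot recover backups that were already exfiltrated.
Added example, not Signal's code. The cipher is a toy HMAC-SHA256 keystream with
a MAC tag, not Signal's real backup format. Account state, phone number and chat
contents are constructed for the demonstration."""
import hashlib
import hmac
import secrets

BLOCK = 32


def _keystream(key: bytes, nonce: bytes, offset: int) -> bytes:
    # One keystream block per 32-byte chunk, bound to this backup's nonce.
    return hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || body || tag. Toy construction for illustration only."""
    nonce = secrets.token_bytes(16)
    body = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        ks = _keystream(key, nonce, i)
        body.extend(p ^ k for p, k in zip(plaintext[i:i + BLOCK], ks))
    tag = hmac.new(key, nonce + bytes(body), hashlib.sha256).digest()
    return nonce + bytes(body) + tag


def toy_decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match the backup."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    out = bytearray()
    for i in range(0, len(body), BLOCK):
        ks = _keystream(key, nonce, i)
        out.extend(c ^ k for c, k in zip(body[i:i + BLOCK], ks))
    return bytes(out)


class Account:
    """Minimal constructed stand-in for a messenger account with cloud backups."""

    def __init__(self, phone: str):
        self.phone = phone
        self.recovery_key = secrets.token_bytes(32)
        self.linked_devices: list[str] = []
        self.cloud_backups: list[bytes] = []   # encrypted blobs held by the server

    def make_backup(self, history: bytes) -> bytes:
        blob = toy_encrypt(self.recovery_key, history)
        self.cloud_backups.append(blob)
        return blob

    def reregister_same_number(self) -> None:
        # Modelled per the advisory: linked devices drop, but re-registering with
        # the same number does NOT regenerate the backup recovery key.
        self.linked_devices.clear()

    def rotate_recovery_key(self) -> None:
        self.recovery_key = secrets.token_bytes(32)


def readable_with(key: bytes, backups: list[bytes]) -> tuple[int, int]:
    """(backups this key can open, total backups currently on the server)."""
    return sum(toy_decrypt(key, b) is not None for b in backups), len(backups)


def run_scenario() -> dict:
    victim = Account("+1 555 0100")                       # constructed number
    history = b"2024-01: private thread with colleague"   # constructed content
    stolen_blob = victim.make_backup(history)

    # Older campaign style: attacker-controlled linked device (temporary access).
    victim.linked_devices.append("attacker-linked-desktop")
    # Current campaign style: recovery key phished, backup downloaded once.
    stolen_key = victim.recovery_key
    results = {"readable_after_theft": readable_with(stolen_key, victim.cloud_backups)}

    victim.reregister_same_number()
    victim.make_backup(b"2024-02: chats after re-registering")
    results["linked_device_survives_reregister"] = (
        "attacker-linked-desktop" in victim.linked_devices)
    results["readable_after_reregister"] = readable_with(stolen_key, victim.cloud_backups)

    victim.rotate_recovery_key()
    victim.make_backup(b"2024-03: chats after rotating the key")
    results["readable_after_rotation"] = readable_with(stolen_key, victim.cloud_backups)
    # The copy already exfiltrated is unaffected by anything the victim does later.
    results["exfiltrated_copy_readable"] = toy_decrypt(stolen_key, stolen_blob) == history
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running it prints the counts at each stage: one of one backup readable after the theft, two of two after re-registering (the key is unchanged), two of three after rotation (only the post-rotation backup is protected), and the exfiltrated copy still decrypting throughout. The linked-device flag flips to False on re-registration, which is the "temporary access" of the earlier campaigns versus the permanence of a stolen key.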

Who's Being Targeted and What to Do

The advisory names current and former US and international government officials, military personnel, political figures, journalists, and key officials in Ukraine as high-value targets. The threat actors are attributed to the Russian Federal Security Service (FSB) Border Guards and other Russian military-linked operatives.

Legitimate Signal support never communicates through in-app messages, never asks for verification codes or recovery keys within the app, and never sends links to verify accounts. Anyone who suspects compromise should report to the FBI's IC3 or a local field office.

The next evolution of this campaign will likely target other messaging apps that offer cloud backup with recovery keys. If Signal wants to stay ahead, it needs to add an irreversible flag that triggers a mandatory key rotation after any password or phone number change - and a visible warning when a backup has been restored to a new device.


Source: FBI: Russian hackers now target Signal backup recovery keys
Domain: bleepingcomputer.com
