

The FBI and CISA are warning that a phishing campaign tied to Russian intelligence services and targeting Signal users has evolved to steal Signal Backup Recovery Keys, allowing attackers to gain access to victims’ historical messages.
The updated public service announcement is an update to a March 2026 advisory that warned the threat actors were targeting users of commercial messaging applications, particularly Signal, through phishing campaigns designed to hijack accounts rather than break end-to-end encryption.
“RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims’ Backup Recovery Keys,” warns an FBI PSA published today.
Per the FBI, the campaign continues to target individuals of high intelligence value, including current and former US and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.
The agencies attribute the activity to Russian Intelligence Services (RIS), including officers embedded with Russia’s Federal Security Service (FSB) Border Guards and various actors working on behalf of the Russian military. The campaign is publicly tracked as UNC5792 and UNC4221.
While the original advisory focused on phishing messages that attempted to steal verification codes or account PINs, or to trick users into linking attacker-controlled devices to their Signal accounts, the updated alert says the attackers have evolved their tactics.
The FBI says the threat actors continue to impersonate Signal support teams, sending phishing messages that falsely claim Signal is introducing mandatory two-factor verification following an alleged wave of attacks by hackers from Iran and post-Soviet countries.
“Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent,” reads the initial phishing message.
“An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries. In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.”
“Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan). Click the “Bag” button in the pop-up and stay tuned for security updates on our messenger.”
When a target follows these instructions, their Signal messages are backed up using Signal’s Secure Backups feature, which stores encrypted copies of conversations on Signal’s cloud servers.
The data is end-to-end encrypted using the recovery key created in the steps above, which should never be given to anyone else, as anyone with the key can use it to recover the backed-up data on their own devices.
The threat actors later send a second phishing message, still posing as Signal support, warning that your data is at risk of loss due to a synchronization issue.
“Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue,” reads the second Signal message.
The threat actors then instruct you to open the Backup settings, copy your recovery key to the clipboard, and paste it into the message to prevent the loss of your saved data.
However, once you provide your recovery key, they will restore the backup to their own devices and gain access to the victim’s historical messages, including private and group conversations.
The updated advisory also warns of a recovery problem that users may run into after their account has been compromised.
The FBI warns that if an attacker obtains a user’s Backup Recovery Key, creating a new Signal account using the same phone number does not invalidate the old stolen key.
Instead, users must generate a new Backup Recovery Key through Signal’s backup settings, which invalidates the old key for future backup downloads.
However, the agencies warn that generating a new recovery key will not stop attackers from accessing backups they already downloaded using the compromised key.
The updated advisory reminds users that legitimate messaging application support teams only communicate through official company email addresses, never request verification codes inside the application, and do not send links asking users to verify or restore their accounts.
Anyone who believes they have fallen victim to the campaign is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
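The limits of key rotation described above can be seen in a small model. This is an added example, not code from the advisory or from Signal, and it does not reproduce Signal's protocol: it assumes one backup slot per account, a download token derived from the recovery key, and a toy cipher standing in for real authenticated encryption; all names are hypothetical.

```python
import hashlib
import hmac
import os

def _subkey(recovery_key, label):
    return hmac.new(recovery_key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode keystream; a stand-in for a real AEAD cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(recovery_key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(recovery_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(recovery_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(recovery_key, blob):
    """Return the plaintext, or None if the key does not match the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(recovery_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return _xor_stream(_subkey(recovery_key, b"enc"), nonce, ct)

class BackupServer:
    """Assumed model: one backup slot, download gated by a key-derived token."""
    def __init__(self):
        self.token, self.blob = None, None
    def upload(self, recovery_key, blob):
        self.token, self.blob = _subkey(recovery_key, b"auth"), blob
    def download(self, recovery_key):
        ok = self.token is not None and hmac.compare_digest(self.token, _subkey(recovery_key, b"auth"))
        return self.blob if ok else None

def simulate_rotation_after_theft():
    server, old_key, new_key = BackupServer(), os.urandom(32), os.urandom(32)
    server.upload(old_key, seal(old_key, b"history before the phish"))
    exfiltrated = server.download(old_key)  # copy pulled with the phished key
    server.upload(new_key, seal(new_key, b"history after rotation"))  # victim rotates
    return {
        "old_key_downloads_after_rotation": server.download(old_key),
        "old_key_opens_new_backup": unseal(old_key, server.download(new_key)),
        "old_key_opens_exfiltrated_copy": unseal(old_key, exfiltrated),
    }
```

In this model the old key fails against everything created after rotation but still opens the copy taken beforehand, so incident response should treat all history up to the rotation as disclosed.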
