Russian State Hackers Evolve Signal Phishing to Steal Backup Recovery Keys

Russian state hackers have updated their Signal phishing campaign to steal Backup Recovery Keys, granting persistent access to encrypted message histories.

CSBadmin
2 Min Read

New Tactic Targets Backup Recovery Keys

The FBI and CISA have updated their joint advisory on Russian intelligence phishing campaigns targeting secure messaging accounts. The latest warning details a new tactic where attackers trick victims into providing their Signal Backup Recovery Key. Once obtained, this key allows threat actors to restore the account’s message history, read private and group conversations, and take over the account permanently. The key remains valid even if the victim creates a new account with the same phone number, making this a persistent threat.

Attribution and Campaign Details

The advisory, designated PSA I-062626-PSA, links the activity to multiple Russian Intelligence Services (RIS) groups. Two tracking names have been publicly assigned: UNC5792 and UNC4221. The targets include current and former U.S. and international government officials, military personnel, political figures, and journalists in Ukraine. The phishing messages impersonate Signal support and ask victims to enable backups and share their Recovery Key. The State Department’s Rewards for Justice program is offering up to $10 million for information on UNC5792.

Mitigation and Response

The agencies emphasize that these attacks do not break Signal’s encryption. Instead, they exploit social engineering to compromise individual accounts through legitimate features. Users are advised to treat any in-app message claiming to be from Signal support as malicious. To protect themselves, users should never share their Backup Recovery Key, verification code, or PIN in any chat. If a key has been compromised, users should generate a new one immediately in Signal’s settings to invalidate the old key for future downloads.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.