Russian cyber spies target officials via SMS and Signal recovery keys

A joint alert from Ukraine’s Security Service and the FBI confirms that Russian intelligence has spent years quietly harvesting credentials from officials, military personnel, politicians and activists via everyday messaging apps. The operation is not about disruption—it is about long-term intelligence collection.

A low-tech but relentless campaign
Operators send SMS messages that appear to come from platform support bots, asking targets to surrender account credentials, confirmation codes, PINs or recovery keys. The messages often arrive in the morning, when targets are less alert, making timing part of the social-engineering playbook rather than coincidence. The scope is broader than many realize: the SSU notes that Russian services target not only organizations and public figures but also personal accounts of ordinary Ukrainians, using a tiered approach—sophisticated techniques for high-value targets, simpler lures for others.

From codes to keys—an escalation in tactics
Initial warnings focused on one-time verification codes, but the latest advisory shows Russian operators have shifted to Signal Backup Recovery Keys. Unlike codes, these keys remain valid even if a user creates a new account with the same phone number, granting access to an entire message history. Another active vector involves QR codes: scanning a QR code from an unknown bot can silently link an attacker’s device to the victim’s account, a technique documented by Google’s Threat Intelligence Group in early 2025.

How to stay ahead
The SSU’s practical guidance remains unchanged yet often ignored: regularly check active sessions in your messenger and end any you do not recognize. Blocking one delivery method will not stop the campaign, because operators continuously rotate techniques and target lists. Vigilance and routine audits are the most effective defenses against a campaign designed for persistence, not noise.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

