Cybersecurity · June 28, 2026 · via Security Affairs

Russian spies exploit Signal backups to read private chats, FBI warns

Russian cyber operatives linked to the FSB have shifted tactics in a phishing campaign, now focusing on Signal’s Backup Recovery Keys to silently access years of private conversations and permanently take over accounts. The FBI and CISA updated their March advisory to highlight that operators no longer just steal SMS codes—they guide victims through enabling backups and surrendering the recovery key itself. Once obtained, the key unlocks not only current messages but the entire archive, and remains valid even if the target tries to reset their account.

A two-step trap with lasting consequences

The new phishing messages arrive as fake support alerts, one posing as a mandatory two-factor rollout and another warning of imminent data loss. Both walk users through the exact steps to enable Signal backups and reveal the 30-digit Recovery Key. Victims who paste the key into the chat give attackers permanent visibility into private chats, group discussions, and shared files. Unlike a one-time verification code, the key never expires, so a compromised key can later unlock any future account tied to the same phone number unless the user manually generates a fresh key in Settings.

Why the change matters

The FBI and CISA stress that Signal’s end-to-end encryption remains intact; the breach happens because users are tricked into handing over legitimate credentials. The two tracked clusters, UNC5792 and UNC4221, are publicly associated with Russian intelligence officers embedded in border guard and military units. Early versions of the campaign relied on stolen verification codes or doctored invite links, but the updated lure is more reliable and damaging. Security teams now advise organizations that rely on Signal for sensitive communication to review backup settings, disable automatic cloud backups, and reissue Recovery Keys immediately if any suspicion of compromise arises.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
