FBI Warns of Russian Hackers Targeting Signal Backup Keys

"RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims' Backup Recovery Keys," warns an FBI PSA published today.

FBI and CISA describe an evolved phishing campaign

The FBI and CISA updated a March 2026 advisory with a public service announcement published today that says a phishing campaign tied to Russian Intelligence Services (RIS) has shifted its objective. Where earlier messages sought verification codes or account PINs, or tried to link attacker-controlled devices to Signal accounts, the agencies say the actors are now explicitly targeting Signal Backup Recovery Keys so they can access historical message backups.

How the phishing messages work

According to the advisory, threat actors continue to impersonate Signal support teams and send messages that falsely claim Signal is rolling out mandatory two-factor verification following an alleged wave of attacks. One quoted phishing message reads: "Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent." The message directs targets through the app's Backup setup flow — Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard — and instructs them to paste the recovery key back into the conversation.

The campaign uses a two-step lure. After inducing a user to enable Signal Secure Backups and reveal the recovery key, the actors send a second message warning that "Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue" and again ask the user to paste the recovery key into the chat. Once the recovery key is provided, the advisory says attackers can restore the backup to their own devices and "gain access to the victim's historical messages, including private and group conversations."
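
The lure traits described above can be turned into a triage check for messages that users report to a security team. This is an added example, not code from the advisory or from this article; the indicator names, the three-level verdict and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Indicator names and the three-level verdict are assumptions of this example;
# the phrases come from the lure wording quoted in the advisory.
SECRET = r"(?:backup )?recovery key|verification code|\bpin\b"
NOT_NEGATED = r"(?<!never )(?<!not )(?<!n.t )"  # skip "never share your key" advice
INDICATORS = {
    # A request to hand a secret over inside the conversation.
    "secret_request": re.compile(
        rf"{NOT_NEGATED}\b(?:paste|send|share|provide|reply with|forward)\b"
        rf"[^.!?]{{0,80}}(?:{SECRET})"),
    # Walking the target through the Backups flow to expose the key.
    "backup_flow": re.compile(r"enable backups|view recovery key|copy to clipboard"),
    # Pretexts used across the two lure messages.
    "pretext": re.compile(r"mandatory two-factor|sync issue|permanent loss|attempts to hack"),
    # Sender presenting itself as a support account.
    "support_claim": re.compile(r"\bsupport\b"),
}

def normalise(text: str) -> str:
    """Fold case, compatibility forms, menu arrows and whitespace."""
    text = unicodedata.normalize("NFKC", text).lower().replace("->", " ")
    text = re.sub(r"[\u2192>]+", " ", text)
    return re.sub(r"\s+", " ", text).strip()

def triage(message: str) -> dict:
    """Score one user-reported message against the advisory's lure traits."""
    text = normalise(message)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "secret_request" in hits:  # a secret asked for in chat is always reported
        return {"verdict": "report", "indicators": hits}
    verdict = "review" if len(hits) >= 2 else "ignore"
    return {"verdict": verdict, "indicators": hits}

# Constructed samples: two lure-style messages built from the quoted phrases,
# and one benign reminder that mentions the same terms.
SAMPLES = [
    "Signal Support: mandatory two-factor verification is required. Open "
    "Settings -> Backups -> Enable backups -> View recovery key -> Copy to "
    "clipboard, then paste the recovery key into this chat.",
    "Your Signal Account data (messages and media) is at risk of permanent "
    "loss due to a sync issue. Send your recovery key here to restore it.",
    "Reminder: never share your recovery key with anyone, including support.",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Keyword triage of this kind only catches lures worded like the ones the advisory quotes; paraphrased or translated messages still need an analyst's review.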

Attribution and tracked threat clusters: RIS, FSB Border Guards, UNC5792 and UNC4221

The agencies attribute the activity to Russian Intelligence Services (RIS), explicitly naming officers embedded with Russia's Federal Security Service (FSB) Border Guards as among the actors and noting others "working on behalf of the Russian military." The campaign is publicly tracked under two cluster names: UNC5792 and UNC4221.

The FBI and CISA say the campaign targets "individuals of high intelligence value," listing current and former US and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.

Why the Backup Recovery Key is the prize — and the limits of remediation

Signal's Secure Backups keep encrypted copies of conversations on Signal's cloud servers, protected by a recovery key that "should never be given to anyone else," the advisory emphasizes. Anyone possessing that key can use it to recover the encrypted backups on other devices.

The advisory also highlights a recovery pitfall users may miss: creating a new Signal account with the same phone number after compromise does not invalidate an old, stolen recovery key. Only generating a new Backup Recovery Key through Signal's backup settings will invalidate the previous key for future downloads — and even then, that will not prevent attackers who already downloaded backups with the compromised key from accessing those copies.

Reporting advice and what affected groups should note

The FBI and CISA remind recipients that legitimate messaging-app support will contact users only from official company email addresses, will never request verification codes inside the application, and will not send links asking users to verify or restore their accounts. Anyone who believes they have been victimized is encouraged to report the incident to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.

For the specific groups named in the advisory: current and former government officials and military personnel should be aware they are explicitly listed as high-value targets; journalists and political figures are likewise named as targets; and "key officials located in Ukraine" are singled out. Each of these groups should treat requests for recovery keys as a direct compromise risk and follow the reporting channels the FBI and CISA set out.

The agencies' update makes a narrow but consequential point: the adversary has moved from account hijacking through codes or device linking to stealing the cryptographic key that unlocks cloud-held histories. Generating a new Signal Backup Recovery Key can stop future downloads with the old key, but it cannot retroactively protect backups already captured by an attacker who followed the stepped phishing playbook the advisory describes.

https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/