"Treat any in-app message from 'Signal support' as hostile," the FBI and CISA warned in an updated advisory, underscoring how a familiar app feature has become an entry point for espionage.
What the FBI and CISA now say (PSA I-062626-PSA)
The updated advisory, PSA I-062626-PSA, expands a March notice about Russian intelligence phishing campaigns against Signal and WhatsApp users. It adds two public tracking names that the March notice lacked — UNC5792 and UNC4221 — and explicitly links the activity to multiple Russian Intelligence Services (RIS) groups, "including FSB officers embedded with the FSB Border Guards and others working for the Russian military services," the agencies write.
The agencies emphasize that these operations do not break Signal's encryption or the app itself; instead, operators use social engineering to compromise individual accounts and exploit legitimate features.
How the campaign works
The advisory describes evolving tradecraft. Earlier waves coaxed targets into handing over SMS verification codes and account PINs, or they used doctored "group invite" links that silently linked an attacker's device to the target account. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025, and later observed similar techniques applied against WhatsApp and Telegram.
In this updated phase, phishing messages pose as Signal support and walk targets step-by-step through turning on Signal backups, opening the Backup Recovery Key, and pasting it into chat. The bulletin includes two sample lures: one framed as a "mandatory two-factor rollout" and another as an urgent "data recovery" fix for messages supposedly at risk of loss.
The Recovery Key twist and its consequences
The new, more damaging step is the request for the Signal Backup Recovery Key. Once a target pastes that key into chat, an attacker can restore the account's backup, read private and group message history, and take over the account. The advisory warns the key "keeps working": creating a new account on the same phone number does not neutralize a previously exposed key unless a new key is generated.
The remediation the agencies offer is blunt: "generate a new key in Settings, which kills the old one for future backup downloads, and accept that anything the attacker already pulled is gone." If a user believes they handed over the Recovery Key, the advisory says to assume any backup made before generating a new key is already in someone else's hands.
Who is being targeted and the international context
Targets are "individuals of high intelligence value": current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March notice said the broader campaign had already compromised thousands of accounts worldwide.
Other Western intelligence agencies have issued overlapping warnings: the activity matches alerts from the Netherlands' AIVD and MIVD, Germany's BfV and BSI, and France's ANSSI earlier this year. Separately, the State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792.
What to do now
- Treat any in-app message from "Signal support" as hostile. Real support does not message you inside the app to ask for codes, PINs, or your Recovery Key.
- Never paste your Backup Recovery Key, verification code, or PIN into a chat. Nothing legitimate asks for them that way.
- Open Settings, check Linked Devices, and remove anything you do not recognize.
- If you think you handed over your Recovery Key, generate a new one in Settings now, and assume any backup made before that is already in someone else's hands.
What this means for security teams, government and military officials, and journalists
Security teams and technologists should treat the account as the weak point: audit linked devices, harden backup workflows, and incorporate the advisory's sample lures into phishing awareness training. The advisory shows the tradecraft evolved from one-time-code theft to obtaining a key that opens entire archives.
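For teams that triage user-reported messages, the lure structure described above can be turned into a first-pass check. The following is an added example, not code from the advisory or from Signal; the phrase lists, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Phrase lists are assumptions built from the lure themes the advisory describes
# (fake support identity, requests for secrets, "two-factor rollout" and
# "data recovery" framing); tune them against messages your users report.
SUPPORT = re.compile(r"\bsignal\s+(support|security|team|help\s*desk)\b")
SECRET = re.compile(r"recovery\s+key|verification\s+code|sms\s+code|\bpin\b")
ASK = re.compile(r"\b(send|paste|share|reply\s+with|provide|enter|type|forward|give)\b")
THEME = re.compile(r"(two[- ]factor|2fa)\s+rollout|data\s+recovery")
# A negation up to three words before the verb ("never ask you to share ...").
NEGATED = re.compile(r"\b(never|not|\w+n['’]t)\W+(?:\w+\W+){0,3}$")


def asks_for_secret(text):
    """True if a sentence names a secret and contains a non-negated request verb."""
    for sentence in re.split(r"[.!?\n]+", text):
        if not SECRET.search(sentence):
            continue
        for verb in ASK.finditer(sentence):
            if not NEGATED.search(sentence[:verb.start()]):
                return True
    return False


def triage(message):
    """Return (verdict, reasons) for a user-reported in-app message."""
    text = unicodedata.normalize("NFKC", message).casefold()
    reasons = []
    if SUPPORT.search(text):
        reasons.append("claims-support-identity")
    if asks_for_secret(text):
        reasons.append("requests-secret-in-chat")
    if THEME.search(text):
        reasons.append("advisory-lure-theme")
    # Either of the first two signals is enough: the advisory treats any in-app
    # "Signal support" message as hostile, and nothing legitimate asks for
    # codes, PINs or the Recovery Key in a chat.
    if "claims-support-identity" in reasons or "requests-secret-in-chat" in reasons:
        return "hostile", reasons
    return ("review" if reasons else "clean"), reasons


if __name__ == "__main__":
    # Constructed sample, not quoted from the advisory.
    print(triage("Signal Support: mandatory two-factor rollout. "
                 "Paste your Backup Recovery Key in this chat."))
```

The negation check keeps awareness reminders such as "never share your recovery key" out of the hostile bucket, which matters once the advisory's own wording starts circulating in internal channels.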
Government and military officials — both current and former — are explicitly named as high-value targets; their security officers must assume the tactics will continue to shift and prioritize controls around device linking and backup keys.
Journalists and political figures face the same specific risk profile: social-engineered in-app messages dressed as support or urgent recovery notices. The agencies' guidance is categorical: "Treat any in-app message from 'Signal support' as hostile" and never transmit codes, PINs, or recovery keys into chats.
The bottom line from the advisory is stark and specific: Signal's encryption remains intact, but account compromise through social engineering gives attackers legitimate access. The fix is straightforward but costly in consequences — generate a new Recovery Key in Settings, and accept that anything already extracted cannot be reclaimed. The question the advisory leaves for defenders is immediate and concrete: can the people targeted most closely — officials, military personnel, and journalists — change behavior quickly enough to blunt a campaign the agencies tie to RIS operators and named UNC clusters?
https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html




