“Russian Intelligence Services (RIS) cyber‑threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims' Backup Recovery Keys,” the FBI warned in a public service announcement issued June 26.
Russian intelligence clusters, FSB officers and military hackers named in FBI advisory
The FBI’s June 26 public service announcement says “multiple clusters” of Russian intelligence officers are actively targeting users of commercial messaging applications (CMAs). The notice explicitly names Federal Security Service (FSB) officers and military hackers as participants in the campaign. The advisory identifies the victims as high‑risk accounts: current and former U.S. and international government officials, military personnel, political figures, journalists, and Ukrainian officials.
Phishing has shifted to seek Signal Backup Recovery Keys, verification codes and PINs
The PSA cites two sample phishing messages that were both related to Signal and says RIS actors not only continue to elicit victims’ verification codes and account PINs but have “evolved their tactics to attempt to elicit victims' Backup Recovery Keys.” According to the FBI, victims typically receive phishing messages purporting to come from a Signal chatbot requesting they enter their PIN or verification code; another variation seeks to abuse the linked devices function.
What the FBI says attackers can do if they obtain a Backup Recovery Key
The advisory makes a clear, narrow technical warning: “If a targeted user backs up their CMA messages … and later provides their Backup Recovery Key, RIS cyber threat actors can view the account's historical messages, private and group messages, and take over the victim's account.” The notice stresses that attackers who obtain the key can download historical conversations and use them to seize control of an account.
Backup recovery keys remain valid across account recreation unless re‑generated
The FBI warns that a shared recovery key “will remain valid even if [the user] create[s] a new account using the same phone number,” exposing a recreated account to the same compromise. The advisory specifies the mitigation: the user must generate a new backup recovery key in Settings, which invalidates the previous key for all future backup downloads. The PSA cautions this action does not prevent an adversary “from having already downloaded a backup of the original account.”
March 2026 Dutch intelligence warnings and the recurring linked‑devices tactic
The FBI notes that this Russian campaign first surfaced publicly in March 2026 when Dutch domestic and military intelligence services — the AIVD and MIVD — warned that some of the Netherlands’ government employees had been victimized in a hacking campaign targeting Signal and WhatsApp accounts. In that earlier reporting, victims received messages purporting to be from a Signal chatbot that requested PINs or verification codes; in another variation, attackers tried to exploit the linked devices function, a technique the FBI says echoes previous campaigns targeting Ukrainian officials.
What this means for journalists, government officials, and Ukrainian officials
- Journalists: Review whether messages are being backed up and, if so, confirm the provenance of any requests for recovery keys before responding; attackers explicitly use automated‑support impersonations tied to Signal in the samples cited by the FBI.
- Government and military personnel: Treat verification codes and account PINs as high‑value credentials and avoid providing them in response to in‑app support prompts; the FBI warns legitimate CMA support will not request verification codes within the application.
- Ukrainian officials: Be alert to linked‑device abuse and support‑account impersonations — the FBI links the current activity to prior campaigns that targeted Ukrainian officials and to the Dutch March 2026 disclosures.
The FBI closes its advisory with a set of practical reminders aimed at reducing successful impersonation: CMA support services only communicate via official company email addresses; legitimate CMA support services will not request verification codes within the application; CMA support services do not send users links to “verify” or “restore” accounts; and users should never provide a verification code without confirming the request comes from a legitimate CMA communication channel.
The FBI’s PSA portrays a compact, targeted campaign that has shifted from simple theft of one‑time codes to actively seeking long‑lived recovery credentials. It leaves open the extent of successful downloads and compromises but delivers a specific operational remedy: if an account’s backup recovery key may have been exposed, generate a new key in Settings to invalidate the prior key for future backups — even though that step cannot undo any backup an adversary has already taken.
https://www.infosecurity-magazine.com/news/fbi-alarm-russian-intelligence/




