"The goal of these 'hacks' is to gain access to sensitive military, political, and economic information exchanged by users, as well as to steal their personal data," the Security Service of Ukraine (SSU) warned in a Telegram post, summarizing a campaign it says it uncovered jointly with the U.S. Federal Bureau of Investigation.
How the SSU and FBI say the campaign operated
The SSU reported a long-running, systematic campaign — uncovered in coordination with the FBI — that targeted messaging accounts belonging to government officials, military personnel, politicians, and activists in Ukraine, Europe, and the United States, as well as personal accounts of Ukrainian nationals. According to the SSU, attackers used SMS messages that impersonated a messaging platform's support bot and urged recipients to disclose account credentials, a social-engineering tactic designed to harvest access to conversations and account data.
Attribution signals and named Russian-associated clusters
While the SSU did not attribute this campaign to a single, specific hacking group, the advisory noted that similar waves targeting Signal and WhatsApp users have previously been attributed to Russian threat activity clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185). Separately, the FBI has attributed to Russian Intelligence Services (RIS) cyber threat actors an ongoing commercial messaging application (CMA) phishing campaign that targets high-value individuals and seeks to trick them into surrendering backup recovery keys.
CERT‑UA's related finding: UNC1151 and OYSTERBLUES
Adding to the picture, Ukraine's Computer Emergency Response Team (CERT‑UA) issued its own attribution late last month. CERT‑UA linked a spear-phishing campaign targeting government organizations to UNC1151 (also referred to as Ghostwriter and UAC‑0057). That operation used compromised accounts to deliver an information stealer named OYSTERBLUES, according to the bulletin referenced by the SSU notice.
Practical defenses the SSU recommended
The SSU provided a set of concrete precautions for users of messaging platforms, reflecting the social‑engineering vectors described in its advisory. The agency's guidance includes:
- Periodically review active messaging-app sessions and log out of any unknown connections.
- Enable two‑factor authentication (2FA) on accounts.
- Do not scan QR codes sent by unknown users.
- Do not disclose confirmation codes, PIN codes, passwords, or account recovery keys to anyone.
- Avoid clicking suspicious links or opening files from unknown or dubious chats.
What this means for technologists, officials, and ordinary users
Technologists and security teams: The SSU–FBI disclosure and the FBI's separate CMA-phishing attribution indicate multiple, coordinated social‑engineering routes to account compromise — SMS-based support impersonation and phishing aimed at backup recovery keys. Defensive teams will need to monitor for signs of SMS and CMA phishing and ensure account‑session hygiene and 2FA enforcement across at-risk user populations.
Government officials, military personnel, politicians, and activists: These groups were explicitly named among the campaign's targets. The SSU advisory implies that protecting messaging-account recovery mechanisms and vigilance around unsolicited support-style SMS messages should be immediate priorities.
End users and Ukrainian nationals: The SSU highlighted that personal accounts belonging to Ukrainian nationals were included in attack waves. For ordinary users, the agency's step-by-step precautions — especially not sharing confirmation codes or recovery keys and logging out of unfamiliar sessions — are direct, actionable defenses against the specific tactics the advisory describes.
The SSU's joint disclosure with the FBI, combined with CERT‑UA's separate attribution to UNC1151 and the FBI's linkage of RIS to CMA-phishing aimed at backup recovery keys, paints a consistent picture of adversaries using social engineering to turn routine messaging features into points of compromise. Whether routine session audits, universal 2FA, and tighter controls on account recovery processes will blunt these campaigns remains the immediate, practical test for defenders and high‑value users named in the advisory.
Source: https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html