FBI and CISA Issue Urgent Warning: Russian Intelligence Escalates Signal Phishing Campaign with Recovery Key Theft

Cahyo Dewo, June 27, 2026

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have significantly updated their March advisory, revealing a dangerous escalation in a Russian intelligence-backed phishing campaign targeting Signal accounts. The sophisticated operation now actively coerces high-value targets into divulging their Signal Backup Recovery Key, a critical credential that grants attackers pervasive access to an account’s entire message history and enables full account takeover. This development marks a concerning evolution in state-sponsored cyber espionage, underscoring the persistent threat posed by advanced persistent threat (APT) groups leveraging social engineering tactics against secure communication platforms.

The ramifications of a compromised Signal Backup Recovery Key are severe and long-lasting. Once obtained, the attacker can restore the victim’s Signal account backup on a new device, thereby gaining unrestricted access to all private and group message history. Crucially, the advisory warns that the stolen recovery key retains its potency even if the victim creates a new account associated with the same phone number. This means a single compromise can lead to sustained surveillance and control over a user’s communication, posing an extraordinary risk to individuals handling sensitive information. The only mitigation, described as a "blunt fix" by the agencies, involves generating a new recovery key within Signal’s settings. While this action invalidates the old key for future backup downloads, any data already exfiltrated by the attacker remains compromised, highlighting the irreversible nature of such a breach.

Deepening the Threat: The Recovery Key Exploit

Signal, renowned for its robust end-to-end encryption, provides a backup feature that allows users to restore their message history when moving to a new device. This backup is also end-to-end encrypted and protected by a unique 30-word Recovery Key, which acts as a passphrase. Without this key, the encrypted backup remains unreadable, even to Signal itself. The current campaign exploits this legitimate feature not by breaking Signal’s cryptographic security, but by manipulating the human element to surrender this crucial key.

Attackers initiate contact by posing as official Signal support, leveraging a variety of pretexts designed to evoke urgency and compliance. Earlier iterations of this campaign focused on tricking users into providing SMS verification codes or account PINs, or on abusing Signal’s linked-device feature to silently connect an attacker’s device to the victim’s account. The latest escalation, however, directly targets the Recovery Key.

The new social engineering script meticulously guides targets through a series of steps: first, enabling Signal backups if they haven’t already; second, navigating to the "Recovery Key" section within the app’s settings; and finally, pasting the sensitive 30-word key directly into the phishing chat. The FBI and CISA advisory, PSA I-062626-PSA, provides examples of these deceptive messages. One common lure presents the request as a "mandatory two-factor rollout," implying that sharing the key is a necessary security measure. Another tactic is an "urgent data recovery" fix, falsely claiming that the user’s messages are at imminent risk of loss and that the key is required to prevent data corruption. These high-pressure scenarios are designed to bypass critical thinking and induce immediate action, allowing the attackers to bypass Signal’s otherwise impenetrable encryption.

FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

The persistence of the compromised key is a particularly alarming aspect. Even if a user recognizes the breach and deletes their account or creates a new one, the old recovery key associated with that phone number remains valid until explicitly regenerated by the user. This means that an attacker who successfully obtains a key can potentially re-access backups associated with that number repeatedly, maintaining a persistent foothold in the victim’s communication history. This emphasizes the critical importance of immediately generating a new key if any suspicion of compromise arises.

Tracing the Adversary: UNC5792 and UNC4221

The updated advisory introduces two public tracking names associated with this malicious activity: UNC5792 and UNC4221. The FBI explicitly attributes this campaign to multiple Russian Intelligence Services (RIS) groups. This includes elements of the Federal Security Service (FSB), specifically officers embedded with the FSB Border Guards, as well as operatives working for various branches of the Russian military services. This attribution underscores the state-sponsored nature of the attacks, indicating a strategic effort to gather intelligence from high-value targets.

The campaign’s scope is deliberately focused on individuals possessing information of significant intelligence value. These targets include current and former U.S. and international government officials, military personnel, political figures, journalists, and officials actively involved in Ukraine. The March notice had already indicated the broad success of the campaign, reporting that thousands of accounts worldwide had already been compromised. While the broader campaign also targets WhatsApp accounts, the specific tactic of coercing users into handing over their Signal Backup Recovery Key is unique to Signal due to its distinct backup mechanism.

A Chronology of Escalation: From Device Linking to Key Theft

The evolution of this Russian intelligence campaign against secure messaging applications illustrates a persistent and adaptive threat.

  • Early 2025: Google TAG Identifies Initial Tradecraft. Google’s Threat Intelligence Group (TAG) was among the first to document the activities of UNC5792. Their analysis in early 2025 revealed initial abuses of Signal’s linked-device feature, where attackers would trick users into inadvertently linking an attacker’s device to their Signal account, thereby gaining access to real-time communications. Google TAG observed the same sophisticated tradecraft being deployed against users of WhatsApp and Telegram, indicating a broader, multi-platform approach by the Russian APT groups.
  • February 2026: European Intelligence Agencies Issue Warnings. Reflecting the expanding geographical reach and increasing sophistication of the attacks, several European intelligence agencies issued their own warnings. Dutch intelligence services (AIVD and MIVD), Germany’s Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI), and France’s National Agency for the Security of Information Systems (ANSSI) all published advisories. These warnings highlighted the coordinated nature of the threat and emphasized the risk to government and critical infrastructure personnel across allied nations.
  • March 2026: Initial FBI/CISA Warning. The United States formally acknowledged the threat with the issuance of its initial warning from the FBI and CISA. This advisory detailed early phishing tactics, which included attempts to solicit SMS verification codes and account PINs. It also highlighted the use of doctored "group invite" links that, when clicked, silently linked an attacker’s device to the victim’s account, granting surreptitious access to ongoing communications. The March notice underscored the attribution to Russian Intelligence Services and warned that the tactics were likely to evolve.
  • June 2026: The Recovery Key Escalation. The latest advisory, PSA I-062626-PSA, serves as a direct fulfillment of the March warning regarding evolving tactics. The shift from one-time codes and device linking to the direct theft of the Signal Backup Recovery Key represents a significant tactical escalation. This new method provides attackers with a far more comprehensive and persistent level of access to historical communications, moving beyond real-time monitoring to exfiltration of entire communication archives. The inclusion of specific threat actor names, UNC5792 and UNC4221, in this updated warning, further refines the intelligence community’s understanding of the perpetrators.

Official Responses and Deterrent Measures

The U.S. government’s response to this escalating threat extends beyond mere warnings. In a significant move, the State Department’s Rewards for Justice program has announced an offer of up to $10 million for information leading to the identification or location of individuals associated with UNC5792. This substantial bounty underscores the severity of the threat posed by this group and the U.S. government’s commitment to disrupting state-sponsored cyber espionage activities. Such reward programs serve not only as an incentive for whistleblowers but also as a clear deterrent message to the perpetrators.

While Signal itself has not issued a specific statement directly referenced in the advisory, the nature of the attack aligns with the platform’s core security philosophy. Signal’s end-to-end encryption is designed to prevent third parties, including Signal itself, from accessing user communications. The compromise, in this case, does not stem from a flaw in Signal’s encryption protocols or an inherent vulnerability in the app’s architecture, but rather from the successful manipulation of the user. This reinforces the long-standing cybersecurity adage that the "human element" often represents the weakest link in even the most secure systems. Signal’s reliance on user-managed keys for backups means that the responsibility for safeguarding these keys ultimately rests with the individual user.

Broader Implications and the Future of Secure Messaging

This sophisticated phishing campaign has far-reaching implications, extending beyond the immediate compromise of individual accounts.

  • Erosion of Trust in Secure Platforms: While Signal’s encryption remains unbroken, incidents like these can subtly erode public and professional trust in secure messaging platforms. The perception that even "secure" apps can be compromised, even if through social engineering, might lead some to question their efficacy, potentially driving users towards less secure alternatives or fostering a sense of resignation about digital privacy.
  • Persistent Challenge of Social Engineering: The campaign highlights the enduring power of social engineering as a primary vector for even state-sponsored cyber attacks. As technical defenses become more robust, adversaries increasingly pivot to exploiting human psychology, relying on deception, urgency, and perceived authority to bypass security measures. This necessitates a continuous and evolving focus on user education and awareness as a critical component of cybersecurity strategy.
  • National Security Implications: The explicit targeting of government officials, military personnel, and journalists underscores the national security implications of these attacks. Compromised communications from such individuals can yield invaluable intelligence for foreign adversaries, potentially influencing policy decisions, military operations, and public discourse. The access to historical message data is particularly potent, offering insights into past strategies, relationships, and vulnerabilities.
  • The Evolving Landscape of Cyber Warfare: This campaign is a stark reminder of the ongoing, pervasive nature of state-sponsored cyber warfare. Adversaries are continually adapting their tactics, refining their social engineering techniques, and exploring new avenues to gain intelligence. The focus on communication platforms, which are central to modern professional and personal interaction, reflects a strategic effort to penetrate the very fabric of information exchange.
  • The Need for Proactive Vigilance: The fact that the FBI and CISA’s March warning about shifting tactics proved accurate within months emphasizes the dynamic nature of these threats. Cybersecurity is not a static defense but an ongoing process of adaptation, intelligence gathering, and proactive vigilance. Organizations and individuals must continuously update their understanding of threat landscapes and implement robust security practices.

What to Do Now: Protecting Your Signal Account

Given the heightened threat, individuals, especially those in high-risk categories, must adopt an enhanced posture of cybersecurity vigilance.

  1. Never Share Your Recovery Key: The most critical defense is an unwavering commitment to never, under any circumstances, share your Signal Backup Recovery Key. No legitimate Signal support agent or official entity will ever ask for this key. Treat it with the same secrecy as your most sensitive passwords.
  2. Verify All Requests: Be extremely skeptical of any message, email, or communication claiming to be from Signal support, government agencies, or even known contacts, especially if it requests sensitive information or urges immediate action. Verify requests through alternative, trusted channels (e.g., directly calling an official number, checking official websites).
  3. Generate a New Recovery Key if Compromised: If there is any suspicion that your Signal account may have been compromised or that your recovery key might have been exposed, immediately navigate to Signal Settings > Chats and media > Chat backups, and generate a new 30-word recovery key. This action invalidates any previously obtained keys. Be aware that any data already exfiltrated before this action cannot be recovered.
  4. Enable and Secure Backups Prudently: Understand how Signal backups work. If you use backups, ensure they are stored in a secure location and that you understand the implications of the recovery key. Consider if regular backups are truly necessary for your threat model, or if a "fresh start" without historical data is preferable after a device change.
  5. Utilize Strong Authentication Everywhere: While the recovery key bypasses traditional 2FA for account restoration, maintaining strong, unique passwords for your device and email accounts linked to Signal is still crucial for overall security hygiene.
  6. Stay Informed: Regularly review advisories from trusted cybersecurity agencies like the FBI, CISA, and reputable cybersecurity news outlets. Understanding the latest tactics helps in recognizing and thwarting attacks.
  7. Educate Your Network: Encourage colleagues, friends, and family, particularly those in high-value roles, to be aware of these evolving threats and adopt similar protective measures.

The escalation of Russian intelligence operations to target the Signal Backup Recovery Key represents a significant and dangerous shift in the landscape of state-sponsored cyber espionage. It serves as a powerful reminder that even the most technologically secure platforms can be undermined by sophisticated social engineering, making human vigilance the ultimate firewall against determined adversaries.
