Overview
- The FBI, CISA and Ukraine’s Security Service warned in a June 26 advisory that Russian intelligence clusters have shifted from stealing one-time verification codes to specifically seeking Signal Backup Recovery Keys.
- The campaign targets high-value people such as current and former government officials, military personnel, political figures and journalists while also collecting broadly from ordinary citizens using simpler SMS impersonation.
- Operators rely on social engineering and abuse of legitimate app features by posing as support bots, sending phishing SMS or emails, and using QR/linked-device tricks to elicit verification codes, PINs or recovery keys.
- A stolen Signal Backup Recovery Key is a persistent secret that lets an attacker restore a user’s encrypted cloud backup and read historical private and group messages unless the user generates a new key to invalidate the old one.
- Agencies advise users to check active sessions, never share codes or recovery keys, enable phishing-resistant 2FA or a complex alphanumeric PIN, avoid scanning unknown QR codes, and report suspicious messages while investigators track clusters tied to FSB-linked groups.