Particle.news
Download on the App Store

Russian Intelligence Pursuing Signal Backup Recovery Keys

Security agencies say the tactic lets operators restore encrypted archives to maintain long-term access to targets' message histories.

Overview

  • The FBI, CISA and Ukraine’s Security Service warned in a June 26 advisory that Russian intelligence clusters have shifted from stealing one-time verification codes to specifically seeking Signal Backup Recovery Keys.
  • The campaign targets high-value people such as current and former government officials, military personnel, political figures and journalists while also collecting broadly from ordinary citizens using simpler SMS impersonation.
  • Operators rely on social engineering and abuse of legitimate app features by posing as support bots, sending phishing SMS or emails, and using QR/linked-device tricks to elicit verification codes, PINs or recovery keys.
  • A stolen Signal Backup Recovery Key is a persistent secret that lets an attacker restore a user’s encrypted cloud backup and read historical private and group messages unless the user generates a new key to invalidate the old one.
  • Agencies advise users to check active sessions, never share codes or recovery keys, enable phishing-resistant 2FA or a complex alphanumeric PIN, avoid scanning unknown QR codes, and report suspicious messages while investigators track clusters tied to FSB-linked groups.