Cityscape and bubble chat showing phishing campaign for messaging apps

Russian Phishing Campaign Targets Messaging App Users to Steal Recovery Keys and Take Over Accounts

A Russian state‑sponsored phishing campaign is targeting commercial messaging applications (CMAs), specifically Signal, to steal recovery keys, enabling the attackers to restore backups, access historical messages, private and group chats, and take over the accounts.

Signal is a secure, free, and open-source instant messaging app, renowned for its end-to-end encryption features. The app has about 70 million and 100 million active monthly users.

The campaign was attributed to the Russian threat clusters UNC5792 and UNC4221, closely linked to the Russian Intelligence Services (RIS), including elements of the Russian Federal Security Service (FSB) Border Guards.

Russian phishing campaign targets key officials to steal Signal recovery keys

The advisory warns that the Russian phishing campaign targets individuals of intelligence value. Valuable targets include current and former U.S. government officials, military personnel, political figures, journalists, and key Ukrainian officials.

According to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), which jointly issued the public service alert (PSA), the attackers compromise secure commercial messaging apps without breaking encryption.

They masquerade as automated Signal support accounts to trick the victims into disclosing their recovery keys.

According to the federal agencies, if the victims back up their messages and later provide their recovery keys, the state-sponsored attackers can access their historical messages, private and group messages, and even take over their accounts. Additionally, the recovery keys remain valid even after the victims create a new account using the same phone number.

“If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well,” the advisory said.

Consequently, the FBI and CISA advised messaging application users to recreate their recovery keys using security settings. However, this measure would not prevent threat actors from accessing previously downloaded messages using the old recovery keys.

Meanwhile, the FBI and CISA did not disclose the number of victims targeted in the ongoing phishing campaign. Nevertheless, they reminded users that the Signal support team only communicates via the official email address and does not send verification links.

“The timing of this update says the campaign is still moving,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “In March, the warning centered on Russian intelligence-linked actors abusing trust inside encrypted messaging apps. Now the concern is broader. The playbook has expanded from fake support prompts into linked-device abuse, full account takeover, and the possible use of malware after the first bite.”

“A hijacked account does not stop with the person who clicked. It can quietly become a trusted launchpad into group chats, sources, colleagues, and partner networks. For defenders, the challenge is not just seeing each signal. It is turning scattered activity into one prioritized response. Agentic AI and automation can help connect identity alerts, device changes, message patterns, and vulnerability context without forcing analysts to stitch everything together by hand. The faster teams can move from discovery to prioritization to remediation, the smaller the blast radius becomes,” added Tausek.

Russian hackers frequently target messaging apps

Messaging apps are a lucrative target for Russian state-sponsored and financially motivated hackers. A previous phishing campaign by Iranian and Russian hackers targeted Signal users by claiming that the app was introducing two-factor verification to trick users into revealing their PINs and verification codes.

The phishing messages also warned users that they would lose their backed-up data due to a synchronization issue, in an attempt to lure them into disclosing their recovery keys. The attackers instructed users to copy their recovery keys from their security settings and paste them into the message, effectively granting the attackers full access to their accounts.

A similar security alert by Dutch security agencies warned that a phishing campaign by Russian hackers was targeting messaging apps Signal and WhatsApp to compromise government employees.

“The Russian campaign is focused on persuading users to divulge their security verification- and pincodes, allowing the hackers to gain access to the users’ Signal or WhatsApp accounts,” the authorities warned.