The FBI has issued a public announcement warning that Russian threat actors are engaged in a phishing campaign on commercial messaging apps.
The campaign, being run by clusters of Russian Intelligence Services (RIS), mostly targets individuals deemed to have high intelligence value, such as former and current American and international government officials, political figures, military members, journalists, and officials located in Ukraine, the FBI said in a June 26 public alert along with the Cybersecurity & Infrastructure Security Agency.
An earlier March 20 alert from the agency warned that Russian cyber spies were posing as automated support accounts for messaging apps and sending phishing messages to targets.
These messages are tailored to encourage victims to take specific actions, such as providing verification codes, submitting their account PINs, or clicking on a link. If the targets perform the requested action, hackers will gain access to their accounts. The hackers reportedly target Signal accounts specifically.
In its latest update, the agency warned that RIS actors are now attempting to gain access to the messaging apps’ backup recovery keys in addition to PINs and verification codes.
The threat actors now message targets and urge them to back up their app data, using misinformation narratives, for example, that Iranian or post-Soviet hackers were hacking multiple user accounts on the platform. The malicious actors then ask targets to provide their accounts’ backup recovery key.
After the data is given, “RIS cyber threat actors can view the account’s historical messages, private and group messages, and take over the victim’s account,” the alert said.
Moreover, once a victim shares their backup recovery key, “that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well,” according to the alert.
To prevent this, a user whose account has been compromised must generate a new backup recovery key. This invalidates the previous key for all future backup downloads.
The alert asked device owners to “take actions to protect themselves,” reminding users that support services for messaging apps do not send links to restore or verify their accounts. Nor do such services request verification codes within the application, and they communicate with users only via official company email addresses.
The alert clarified that RIS compromises only individual accounts in messaging apps, not the encryption used on these platforms or the apps themselves. The agency attributed the hacking operations to two entities: UNC5792 and UNC4221. The U.S. government is currently offering a reward of up to $10 million for information on UNC5792.
Meanwhile, the 2026 Annual Threat Assessment report from the U.S. Intelligence Community described cyber actors from Russia as posing a “persistent, advanced cyber attack and foreign intelligence threat.”
Russian Cyber Threat
In February, Google released an analysis warning that Russian hackers were targeting American defense companies. Groups linked to Moscow focused on defense companies supporting technologies used in the Russia–Ukraine war, especially U.S. businesses related to drone technologies.
In March, a Russian citizen was sentenced to 81 months in prison for helping cybercrime groups carry out attacks against American companies and other organizations, according to a March 23 statement from the Department of Justice.
The Russia-based cybercrime group behind the malware framework used in this campaign has been sanctioned by U.S. authorities. The group has allegedly caused losses of more than $100 million worldwide.







