The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated advisory concerning Russian intelligence-affiliated cyber actors targeting users of the Signal messaging application. The update reports that these actors are now using phishing techniques to obtain users’ Signal Backup Recovery Keys, thereby compromising account security.
Signal, renowned for its end-to-end encryption, offers a Backup Recovery Key feature that allows users to restore their message history when switching devices. However, if this key falls into the wrong hands, it can be exploited to access and control the associated account. The FBI and CISA’s advisory highlights that once attackers acquire a user’s Recovery Key, they can restore backups, read private and group messages, and potentially take over the account. Alarmingly, the compromised key remains effective even if the user creates a new account with the same phone number, unless a new Recovery Key is generated.
The advisory, designated as PSA I-062626-PSA, attributes these malicious activities to Russian Intelligence Services (RIS) groups, including UNC5792 and UNC4221. These groups have been linked to previous campaigns targeting messaging platforms like Signal and WhatsApp. The primary targets of these attacks are individuals of high intelligence value, such as current and former government officials, military personnel, political figures, journalists, and officials in Ukraine. Reports indicate that thousands of accounts worldwide have already been compromised through these methods.
The phishing tactics employed by these actors involve impersonating Signal support to deceive users into revealing their Recovery Keys. Previous campaigns requested SMS verification codes and account PINs or used deceptive group invite links to link an attacker’s device to the victim’s account. The updated approach walks the victim through enabling Signal backups, locating the Recovery Key, and pasting it into the chat. Sample phishing messages cite a mandatory two-factor authentication rollout or an urgent data recovery procedure, pretexts designed to create a sense of urgency and legitimacy.
It’s crucial to note that these attacks do not exploit vulnerabilities within Signal’s encryption protocols or the application itself. Instead, they rely on social engineering to manipulate users into voluntarily providing sensitive information, thereby granting unauthorized access to their accounts.
In response to these threats, the U.S. State Department’s Rewards for Justice program is offering up to $10 million for information leading to the identification or location of individuals associated with UNC5792. This initiative underscores the severity of the threat and the commitment to countering such cyber activities.
To safeguard against these attacks, users are advised to:
- Be cautious of any in-app messages claiming to be from Signal support, especially those requesting codes, PINs, or Recovery Keys. Legitimate support will not contact users in this manner.
- Never share your Backup Recovery Key, verification code, or PIN through chat messages. Signal will never ask for this information over these channels.
- Regularly review linked devices in Signal’s settings and remove any unrecognized devices to ensure account security.
- If you suspect that your Recovery Key has been compromised, generate a new one immediately through the app’s settings. This action will invalidate the previous key and prevent unauthorized access to future backups.
As cyber threats continue to evolve, it’s imperative for users to remain vigilant and informed about the latest tactics employed by malicious actors. By understanding these methods and implementing recommended security practices, individuals can better protect their personal information and maintain the integrity of their communications.