FBI Warns Russian Hackers Are Targeting Signal Backup Recovery Keys


What happened

The FBI and CISA warned that a phishing campaign tied to Russian intelligence services has evolved to target Signal Backup Recovery Keys.

The updated public service announcement builds on a March 2026 advisory warning that Russian-linked threat actors were targeting users of commercial messaging applications, especially Signal. The earlier activity focused on hijacking accounts through phishing rather than breaking Signal’s end-to-end encryption.

The campaign is attributed to Russian Intelligence Services, including officers embedded with Russia’s Federal Security Service Border Guards and other actors working on behalf of the Russian military. The activity is publicly tracked as UNC5792 and UNC4221.

The campaign targets individuals of high intelligence value, including current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials in Ukraine.

The attackers continue to impersonate automated Signal support accounts. In the updated tactic, phishing messages falsely claim that Signal is introducing mandatory two-factor verification after supposed attacks by hackers from Iran and post-Soviet countries.

Victims are instructed to enable Signal backups and copy their Backup Recovery Key. A follow-up phishing message then claims the user’s Signal account data is at risk of permanent loss because of a sync issue and asks the victim to paste the recovery key into the chat.

Signal’s Secure Backups feature stores encrypted copies of conversations on Signal’s cloud servers. The backup is encrypted using the recovery key created by the user. If attackers obtain that key, they can restore the victim’s backed-up data on their own devices and access historical messages, including private and group conversations.

The FBI also warned that creating a new Signal account with the same phone number does not invalidate a stolen Backup Recovery Key. Users must generate a new key through Signal’s backup settings to invalidate the old key for future backup downloads.

However, generating a new key will not stop attackers from accessing backups they already downloaded using the compromised key.

Who is affected

Signal users targeted by Russian-linked phishing campaigns are affected, especially individuals of intelligence value.

The campaign is particularly relevant to current and former government officials, military personnel, political figures, journalists, and officials in Ukraine.

Organizations whose employees use Signal for sensitive communications may also be affected if staff members are tricked into sharing Backup Recovery Keys. Exposed historical messages could include private conversations, group chats, operational discussions, sources, contacts, or other sensitive information.

Why CISOs should care

This campaign shows that attackers do not need to break end-to-end encryption if they can manipulate users into giving up recovery material. The encryption remains intact, but the recovery key becomes the path into stored message history.

For CISOs, the lesson extends beyond Signal. Recovery keys, backup codes, account recovery flows, and device-linking mechanisms are high-value targets because they sit outside normal login monitoring and may be treated too casually by users.

The impersonation of Signal support also highlights the risk of trusted-channel social engineering. Employees may believe a message is legitimate if it appears inside the same app they are trying to secure.

The warning is especially important for organizations with executives, government-facing teams, journalists, researchers, defense personnel, or staff operating in sensitive geopolitical contexts.

3 practical actions

  1. Train users never to share recovery keys or verification codes: The FBI warned that legitimate messaging support teams do not request verification codes, recovery keys, or account restoration details inside the app. CISOs should reinforce that recovery keys should be treated like passwords and never shared.
  2. Review secure messaging guidance for high-risk users: The campaign targets individuals of high intelligence value. Organizations should provide specific guidance for executives, legal teams, journalists, government-facing staff, and personnel involved in sensitive communications.
  3. Rotate compromised Signal Backup Recovery Keys correctly: Creating a new Signal account with the same phone number does not invalidate a stolen recovery key. Users who may have shared a key should generate a new Backup Recovery Key through Signal’s backup settings and assume previously downloaded backups may already be exposed.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.