On June 28, 2026, the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Security Service of Ukraine (SSU) released an updated joint advisory warning of a sophisticated phishing campaign attributed to Russian intelligence services. The campaign targets high-value individuals in Ukraine, Europe, and the U.S., including government officials and military personnel. A significant evolution in the attackers' tactics is the direct targeting of backup recovery keys for secure messaging apps such as Signal and WhatsApp. The threat actors use carefully crafted SMS and in-app messages to impersonate support staff and trick users into divulging their keys. The campaign does not exploit a technical vulnerability; it relies entirely on social engineering to sidestep end-to-end encryption by obtaining the key that decrypts the user's message backup.
UNC5792 (UAC-0195), and UNC4221 (UAC-0185).
Initial access is Phishing (T1566), delivered via SMS and in-app messages.
The attack is simple but effective, preying on user trust and a sense of urgency.
T1598.003 - Phishing for Information, used here to harvest a credential: the backup key.
It is critical to understand that this attack does not break the encryption of Signal or WhatsApp. It bypasses it by tricking the legitimate user into handing over the key that decrypts their message backup.
The impact of a successful attack is severe, particularly for the targeted individuals. For government and military personnel, the compromise of their secure communications can lead to the leakage of classified information, operational plans, and intelligence sources. This poses a significant national security risk. For activists and journalists, it can expose their networks, endanger their contacts, and undermine their work. The campaign demonstrates that even with strong end-to-end encryption, the human element remains a primary target for sophisticated nation-state actors.
Detection is challenging because the attack happens over SMS and in-app messages on the user's own device, outside enterprise security controls. However, organizations can:
If a user suspects they have been compromised, they should:
Mitigation centers on user awareness and behavior, supported by the account-hardening features the messaging apps already provide:
Dutch intelligence, FBI, and CISA confirm widespread Russian phishing targeting Signal backup keys, detailing specific lures and offering new mitigation steps.
This is the most critical mitigation. Train users to recognize social engineering tactics and never to share sensitive credentials such as backup keys, recovery passphrases or PINs, regardless of who appears to be asking.
In the context of Signal, the Registration Lock PIN acts as a second factor for account registration, preventing an attacker from taking over the account with just a stolen SMS code.
Encourage users to create strong, unique PINs for the Registration Lock feature to make them more difficult to guess or brute-force.
In the context of the Signal attack, the 'Strong Password Policy' principle applies directly to the Signal Registration Lock PIN. Organizations should advise their high-risk personnel to enable this feature immediately and to use a strong, non-obvious PIN: longer than the 4-digit minimum the app accepts, and not a recycled password, a date, or a common digit sequence. This PIN is a second factor required to re-register the account on a new device. Even if an attacker phishes the SMS verification code, the PIN prompt still blocks them. This D3FEND technique hardens the account against takeover, which is a common precursor to using a stolen backup key.
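As an added illustration of the PIN policy above (example code written for this page, not part of the advisory or of Signal), the check below flags PINs that are short, repetitive, sequential, date-like, or on a small deny-list. The 6-character floor, the deny-list contents and the date heuristic are assumptions chosen for illustration, not Signal's own rules.

```python
"""Added example: a Registration Lock PIN policy check.

Not Signal's code. MIN_LENGTH, COMMON_PINS and the date heuristic are
assumptions chosen for illustration.
"""

MIN_LENGTH = 6  # assumption: policy floor above the 4-digit minimum the app accepts

# assumption: a small deny-list; a real deployment would use a published list
COMMON_PINS = {
    "1234", "0000", "1111", "2580", "123456", "654321", "111111",
    "000000", "123123", "112233", "121212", "696969", "159753",
}


def is_sequential(s: str) -> bool:
    """True when every digit is +1 or every digit is -1 from the previous one
    (123456, 987654). Non-numeric input is never treated as sequential."""
    if not s.isdigit() or len(s) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def looks_like_date(s: str) -> bool:
    """Heuristic for birthday-style PINs: YYYYMMDD, or DDMMYY / MMDDYY."""
    if not s.isdigit():
        return False
    if len(s) == 8:
        y, m, d = int(s[:4]), int(s[4:6]), int(s[6:])
        return 1900 <= y <= 2099 and 1 <= m <= 12 and 1 <= d <= 31
    if len(s) == 6:
        a, b = int(s[:2]), int(s[2:4])
        return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)
    return False


def check_pin(pin: str) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN passes."""
    reasons = []
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN deny-list")
    if len(set(pin)) == 1:
        reasons.append("single repeated character")
    if is_sequential(pin):
        reasons.append("ascending or descending digit run")
    if looks_like_date(pin):
        reasons.append("looks like a date")
    half = len(pin) // 2
    if len(pin) >= 4 and len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        reasons.append("same block repeated twice")
    return reasons


def is_strong_pin(pin: str) -> bool:
    """Convenience wrapper: True only when no policy rule fires."""
    return not check_pin(pin)


if __name__ == "__main__":
    for candidate in ("1234", "123456", "20240115", "123123", "739104", "g7!qT2pZ"):
        print(candidate, "->", check_pin(candidate) or "ok")
```

The check is deliberately conservative: the date heuristic will reject some six-digit PINs that are not birthdays, which is acceptable for a policy aimed at a high-risk population, and alphanumeric PINs (which Signal permits) pass the digit-based rules automatically and are judged on length and the deny-list only.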
While direct analysis of Signal messages is not possible because of encryption, organizations can apply User Behavior Analysis to surrounding metadata and related accounts. For example, monitor for alerts from Google or Apple about new sign-ins to the cloud accounts in which messaging-app backups are stored. A sign-in from an unusual location followed by access to a backup file is a strong indicator of compromise. Security awareness programs should train users to recognize and immediately report these cloud account security alerts, treating them as potential precursors to a full compromise of their secure communications.
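The correlation described above, as an added example (not code from the advisory or from any vendor): an unusual sign-in for a user, followed within a time window by access to a backup object for the same user, raises an alert. The event format, field names, the backup-path markers, the 24-hour window and the sample events are all constructed for this illustration and do not reflect a real Google or Apple log schema.

```python
"""Added example: correlate an unusual cloud sign-in with a later backup-file
access by the same user.

Event schema, field names, BACKUP_MARKERS, WINDOW and the sample EVENTS are
constructed for this example; they are not a real Google/Apple log format.
"""
from datetime import datetime, timedelta, timezone

# assumption: substrings that identify a messaging-app backup object in a storage log
BACKUP_MARKERS = ("backup", "msgstore.db", "signal")
WINDOW = timedelta(hours=24)  # assumption: how long an unusual sign-in stays "hot"

# Constructed sample events (not real telemetry). Input order is not assumed.
EVENTS = [
    {"ts": "2026-06-27T08:30:00Z", "user": "alice", "type": "signin", "country": "UA"},
    {"ts": "2026-06-28T21:14:03Z", "user": "alice", "type": "signin", "country": "RU"},
    {"ts": "2026-06-28T21:19:40Z", "user": "alice", "type": "file_access",
     "path": "Apps/WhatsApp/Databases/msgstore.db.crypt15"},
    {"ts": "2026-06-28T10:00:00Z", "user": "bob", "type": "file_access",
     "path": "Backups/signal-2026-06-27.backup"},  # no unusual sign-in: benign
    {"ts": "2026-06-20T12:00:00Z", "user": "carol", "type": "signin", "country": "DE"},
    {"ts": "2026-06-24T12:00:00Z", "user": "carol", "type": "signin", "country": "FR"},
    {"ts": "2026-06-28T12:00:00Z", "user": "carol", "type": "file_access",
     "path": "Backups/signal-2026-06-27.backup"},  # 4 days later: outside WINDOW
]


def parse_ts(ts: str) -> datetime:
    """ISO-8601 with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_backup_path(path: str) -> bool:
    """Case-insensitive match against the assumed backup markers."""
    p = path.lower()
    return any(marker in p for marker in BACKUP_MARKERS)


def detect_backup_access_after_unusual_signin(events, window=WINDOW):
    """Return one alert per (unusual sign-in, backup access) pair within `window`.

    An "unusual" sign-in is one from a country the user has not signed in from
    earlier in this event stream. The first sign-in seen for a user only seeds
    the baseline (cold-start caveat: without history the first login cannot be
    judged, so feed the detector historical sign-ins before live ones).
    """
    baseline = {}  # user -> set of countries already seen
    hot = {}       # user -> list of (ts, country) for unusual sign-ins
    alerts = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        t, user = parse_ts(e["ts"]), e["user"]
        if e["type"] == "signin":
            seen = baseline.setdefault(user, set())
            if seen and e["country"] not in seen:
                hot.setdefault(user, []).append((t, e["country"]))
            seen.add(e["country"])
        elif e["type"] == "file_access" and is_backup_path(e["path"]):
            for signin_ts, country in hot.get(user, []):
                if timedelta(0) <= t - signin_ts <= window:
                    alerts.append({
                        "user": user,
                        "signin_ts": signin_ts.isoformat(),
                        "country": country,
                        "backup_path": e["path"],
                        "minutes_after_signin": round((t - signin_ts).total_seconds() / 60, 1),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_access_after_unusual_signin(EVENTS):
        print(alert)
```

On the constructed sample only alice fires: her sign-in from a country never seen before is followed five minutes later by a read of a WhatsApp backup object. bob's backup read has no preceding unusual sign-in and carol's falls outside the window, which is the noise the window and baseline are there to suppress.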
The FBI, CISA, and SSU issue an updated joint advisory warning about the campaign targeting Signal backup keys.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.