FBI, CISA, and SSU Warn of Russian Campaign to Steal Signal Backup Keys

FBI and SSU Warn of Russian Intelligence Campaign Stealing Signal and WhatsApp Backup Keys

Severity: HIGH
Published: June 28, 2026
Updated: July 2, 2026
Categories: Phishing, Threat Actor, Cyberattack


Executive Summary

On June 28, 2026, the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Security Service of Ukraine (SSU) released an updated joint advisory warning of a sophisticated phishing campaign attributed to Russian Intelligence Services. The campaign targets high-value individuals in Ukraine, Europe, and the U.S., including government officials and military personnel. A significant evolution in the attackers' tactics is the direct targeting of backup recovery keys for secure messaging apps like Signal and WhatsApp. The threat actors use carefully crafted SMS and in-app messages to impersonate support staff and trick users into divulging their keys. This campaign does not exploit a technical vulnerability but relies entirely on social engineering to bypass end-to-end encryption by gaining access to decrypted message backups.

Threat Overview

  • Attacker: Russian Intelligence Services, with specific activity clusters tracked as Star Blizzard (also known as Callisto Group, SEABORGIUM), UNC5792 (UAC-0195), and UNC4221 (UAC-0185).
  • Victims: High-value targets, including government officials, military personnel, and activists, primarily in Ukraine but also extending to Europe and the United States.
  • Attack Vector: The campaign is a classic phishing operation (T1566 - Phishing) delivered via SMS and in-app messages.
  • Objective: The primary goal is espionage through the theft of sensitive communications. By obtaining a Signal 30-digit backup recovery key, attackers can restore a victim's entire message history to a device they control, gaining access to all past private and group chats.

Technical Analysis

The attack is simple but effective, preying on user trust and a sense of urgency:

  1. Impersonation: Attackers send messages pretending to be from official support channels for Signal or WhatsApp. They may use spoofed sender IDs or create convincing bot profiles.
  2. Social Engineering: The messages create a pretext for action. Common lures include warnings of a required security update, claims that user data is at risk, or notifications of a failed login attempt.
  3. Information Elicitation: The user is instructed to take an action that involves revealing their credentials. In this campaign, the specific ask is for the user to provide their backup recovery key or account PIN, as described in T1598.003 - Phishing for Information: Credentials.
  4. Account/Data Compromise: Once the attacker has the recovery key, they can install Signal on a new device and use the "Restore from backup" feature. This downloads the encrypted backup from the cloud (e.g., iCloud/Google Drive) and decrypts it using the stolen key, giving the attacker a complete copy of the victim's message history up to the last backup.

It is critical to understand that this attack does not break the encryption of Signal or WhatsApp. It bypasses it by tricking the legitimate user into handing over the key to their decrypted data.

Impact Assessment

The impact of a successful attack is severe, particularly for the targeted individuals. For government and military personnel, the compromise of their secure communications can lead to the leakage of classified information, operational plans, and intelligence sources. This poses a significant national security risk. For activists and journalists, it can expose their networks, endanger their contacts, and undermine their work. The campaign demonstrates that even with strong end-to-end encryption, the human element remains a primary target for sophisticated nation-state actors.

Detection & Response

Detection is challenging as the attack occurs outside of enterprise security controls. However, organizations can:

  • Educate High-Risk Users: Provide targeted security training to individuals likely to be targeted, focusing on the specific TTPs used in this campaign.
  • Monitor for Public Leaks: Use threat intelligence services to monitor for any discussion of compromised accounts or data related to the organization.
  • Encourage Reporting: Establish a clear and safe channel for users to report any suspicious messages or potential compromises.

If a user suspects they have been compromised, they should:

  1. Immediately Change PIN: If a Signal PIN is set, change it immediately.
  2. Disable and Re-enable Backups: Disabling backups may prevent further access, and creating a new backup with a new key will invalidate the old one.
  3. Re-register Signal: Re-registering the Signal account on the legitimate user's phone can de-register other linked devices.

Mitigation

Mitigation is entirely focused on user awareness and behavior:

  • NEVER Share Recovery Keys or PINs: This is the golden rule. Legitimate support services will never ask for this information.
  • Enable Registration Lock: In Signal, enable the Registration Lock feature (a PIN), which requires the PIN to be entered when registering a new device. This provides an additional layer of protection against account takeover.
  • Scrutinize Unsolicited Messages: Treat all unsolicited messages with suspicion, especially those that create a sense of urgency or ask for sensitive information.
  • Verify Sender Identity: Do not trust the display name. If a message claims to be from an official source, independently verify it through a known, legitimate channel.

Timeline of Events

  1. June 28, 2026: The FBI, CISA, and SSU issue an updated joint advisory warning about the campaign targeting Signal backup keys.
  2. June 28, 2026: This article was published.

Article Updates

July 2, 2026

Dutch intelligence, FBI, and CISA confirm widespread Russian phishing targeting Signal backup keys, detailing specific lures and offering new mitigation steps.

MITRE ATT&CK Mitigations

User training is the most critical mitigation: train users to recognize social engineering tactics and to never share sensitive credentials like backup keys or PINs, regardless of the source.

In the context of Signal, the Registration Lock PIN acts as a second factor for account registration, preventing an attacker from taking over the account with just a stolen SMS code.

Encourage users to create strong, unique PINs for the Registration Lock feature to make them more difficult to guess or brute-force.

D3FEND Defensive Countermeasures

In the context of the Signal attack, the 'Strong Password Policy' principle applies directly to the Signal Registration Lock PIN. Organizations should advise their high-risk personnel to enable this feature immediately and to use a strong, non-obvious PIN (more than the default 4 digits, and not a recycled password or common number sequence). This PIN acts as a critical second factor that is required to re-register the account on a new device. Even if an attacker manages to phish the SMS verification code, they would still be blocked by the PIN prompt. This D3FEND technique hardens the account against takeover, which is a common precursor to using a stolen backup key.
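As an added illustration of the PIN guidance above (example code written for this article, not part of the advisory or of Signal), the following checker flags PIN choices that the text calls out: too short, a common number sequence, or a recycled password. The minimum length, the common-PIN list and the pattern rules are assumptions.

```python
# Added example (not from the advisory or from Signal): a policy check for
# Registration Lock PIN candidates. Thresholds and the common-PIN list are
# assumptions; Signal itself exposes no such hook, so this is an advisory aid.
MIN_PIN_LENGTH = 5  # assumption: anything longer than the 4-digit default
COMMON_PINS = {"1234", "12345", "123456", "0000", "00000", "1111", "111111",
               "123123", "654321", "112233", "121212", "696969"}

def _is_monotonic_run(digits):
    """True for runs such as 1234 or 9876 (every step is +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})

def _looks_like_year(digits):
    return len(digits) == 4 and digits[:2] in ("19", "20")

def _is_repeated_pair(digits):
    """True for patterns such as 121212 or 4747."""
    return (len(digits) > 2 and len(digits) % 2 == 0
            and len(set(digits)) > 1
            and digits == digits[:2] * (len(digits) // 2))

def check_registration_pin(pin, known_passwords=()):
    """Return the list of policy violations; an empty list means the PIN passes.
    `known_passwords` stands in for a breach or password-manager lookup."""
    problems = []
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"shorter than {MIN_PIN_LENGTH} characters")
    if pin in COMMON_PINS:
        problems.append("common PIN")
    if pin.isdigit():  # Signal PINs may be alphanumeric; digit rules apply only here
        if len(set(pin)) == 1:
            problems.append("single repeated digit")
        if _is_monotonic_run(pin):
            problems.append("ascending/descending sequence")
        if _looks_like_year(pin):
            problems.append("looks like a year")
        if _is_repeated_pair(pin):
            problems.append("repeated pair pattern")
    if pin in known_passwords:
        problems.append("reused password")
    return problems
```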

While direct analysis of Signal messages is not possible due to encryption, organizations can apply User Behavior Analysis to surrounding metadata and related accounts. For example, monitor for alerts from Google or Apple about new sign-ins to the cloud accounts where backups are stored. A sign-in from an unusual location followed by access to a Signal backup file is a strong indicator of compromise. Security awareness programs should train users to recognize and immediately report these cloud account security alerts, treating them as potential precursors to a full compromise of their secure communications.
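The correlation just described, as an added example (not from the advisory or the article): an unusual-location sign-in to the cloud account followed within a short window by a read of a Signal backup file. The event schema, the per-account country baseline and the log lines are constructed; real Google and Apple audit exports use different field names.

```python
# Added example (not from the advisory or the article): correlate an unusual-
# location sign-in to a cloud account with a later read of a Signal backup
# file held there. The event schema, baseline and log lines are constructed
# for illustration; real Google/Apple audit exports use different fields.
from datetime import datetime, timedelta

# Constructed, already-normalised audit events for one cloud account.
SAMPLE_EVENTS = [
    {"ts": "2026-06-28T08:02:11Z", "user": "analyst@example.org",
     "event": "login", "country": "UA"},
    {"ts": "2026-06-28T08:05:40Z", "user": "analyst@example.org",
     "event": "file_access", "path": "Drive/Backups/signal-2026-06-27.backup"},
    {"ts": "2026-06-28T21:14:03Z", "user": "analyst@example.org",
     "event": "login", "country": "SG"},
    {"ts": "2026-06-28T21:19:55Z", "user": "analyst@example.org",
     "event": "file_access", "path": "Drive/Backups/signal-2026-06-27.backup"},
    {"ts": "2026-06-29T02:00:00Z", "user": "analyst@example.org",
     "event": "login", "country": "DE"},
]

# Countries seen for each account during normal use (constructed baseline).
BASELINE = {"analyst@example.org": {"UA", "PL"}}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_signal_backup(path):
    p = path.lower()
    return "signal" in p and "backup" in p

def detect_backup_access_after_unusual_login(events, baseline,
                                             window=timedelta(hours=1)):
    """Return one alert per Signal backup read that follows, within `window`,
    a sign-in from a country outside the account's baseline."""
    alerts = []
    unusual_logins = []  # (user, timestamp, country) of out-of-baseline sign-ins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["event"] == "login":
            if ev["country"] not in baseline.get(user, set()):
                unusual_logins.append((user, ts, ev["country"]))
        elif ev["event"] == "file_access" and is_signal_backup(ev["path"]):
            for u, login_ts, country in unusual_logins:
                if u == user and timedelta(0) <= ts - login_ts <= window:
                    alerts.append({"user": user, "login_country": country,
                                   "login_ts": login_ts.isoformat(),
                                   "access_ts": ts.isoformat(),
                                   "path": ev["path"]})
    return alerts
```

The baseline sign-in at 08:02 and the DE sign-in with no subsequent backup read produce no alert; only the SG sign-in followed five minutes later by a backup read does.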



Article Author

Jason Gomes

Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Phishing, Russian Intelligence, Signal, WhatsApp, Espionage, Social Engineering, FBI, CISA, SSU
