The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned that Russian state-backed hackers have developed a new phishing tactic targeting the Signal Backup Recovery Key. Rather than attempting to break Signal’s end-to-end encryption, the attackers trick victims into revealing the recovery key that protects encrypted cloud backups.
The updated advisory expands on a warning issued earlier this year and shows that the campaign has shifted from account hijacking to stealing the Signal Backup Recovery Key.
Attackers Now Target the Signal Backup Recovery Key
According to the FBI, Russian Intelligence Services continue to impersonate Signal support representatives in phishing campaigns aimed at high-value individuals.
The attackers first persuade victims to enable Signal Secure Backups and create a Signal Backup Recovery Key by claiming the messaging platform has introduced mandatory security changes.
The phishing messages falsely warn about increased attacks from hackers operating in Iran and other post-Soviet countries. They then guide users through the backup setup process, making the instructions appear like a legitimate security update.
Fake Support Messages Request the Recovery Key
After victims enable encrypted backups, the attackers send a second phishing message claiming that a synchronization problem could permanently erase stored conversations.
The fake support request instructs users to open their backup settings, copy the Signal Backup Recovery Key, and paste it into the chat to prevent data loss.
That recovery key encrypts every cloud backup created through Signal Secure Backups. Anyone who obtains it can restore those backups on another device and read stored conversations, including private chats, group messages, media, and attachments.
Government Officials Remain Primary Targets
The FBI says the campaign mainly targets people with access to sensitive information.
Current and former government officials, military personnel, journalists, political figures, and officials connected to Ukraine remain among the primary targets.
U.S. authorities attribute the activity to Russian Intelligence Services, including personnel linked to Russia’s Federal Security Service (FSB) Border Guards and other actors supporting the Russian military.
Researchers track the campaign as UNC5792 and UNC4221.
Changing Your Account Is Not Enough
The FBI warns that creating a new Signal account with the same phone number does not invalidate a stolen Signal Backup Recovery Key.
Instead, users must generate a new recovery key through Signal’s backup settings. That action blocks future backup downloads with the previous key but cannot stop attackers from accessing data they already restored before the key changed.
How to Stay Protected
The FBI and CISA recommend treating the Signal Recovery Key like any other highly sensitive credential. Users should never share it with anyone, regardless of who requests it.
Signal support will never ask users to provide recovery keys, verification codes, PINs, or other sensitive credentials through chat messages or unsolicited links.
The campaign shows how attackers increasingly rely on social engineering instead of technical exploits. Rather than defeating Signal’s encryption, they manipulate users into voluntarily revealing the one credential needed to restore encrypted cloud backups.


0 responses to “FBI Warns Russian Hackers Now Target Signal Backup Recovery Keys”