Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Russia Used Social Engineering to Breach Prominent Messaging Accounts, Ukraine Says
Russia Used Social Engineering to Breach Prominent Messaging Accounts, Ukraine Says
NEWS

Russia Used Social Engineering to Breach Prominent Messaging Accounts, Ukraine Says

Ukraine's SBU and the FBI have jointly exposed a long-running Russian intelligence operation using fake tech-support workers to steal messaging app...

Dylan H.

News Desk

June 26, 2026
5 min read

Ukraine's Security Service (SBU) and the U.S. Federal Bureau of Investigation (FBI) have jointly exposed a coordinated Russian intelligence operation targeting the messaging accounts of senior officials, military personnel, politicians, journalists, and activists across Ukraine, Europe, and the United States. The operation relies not on technical software exploits, but on social engineering — with Russian operatives posing as tech-support representatives from messaging platforms like Signal and WhatsApp to trick victims into surrendering account credentials.

The Operation: Fake Tech Support at Scale

Ukraine's SBU described the campaign as a "long-running" operation in which attackers impersonate official customer support teams from messaging platforms. Victims receive text messages — often sent in the early hours of the morning when psychological defenses are lowered — purporting to come from Signal, WhatsApp, or Telegram support teams. The messages typically claim there is a problem with the victim's account requiring immediate action.

Once contact is established, attackers persuade targets to share one-time verification codes or account PINs, which are then used to register an attacker-controlled device to the victim's messaging account. In some variants of the attack, victims are sent QR codes through bots or unknown users — scanning the code silently registers an unauthorized device, granting attackers persistent access to ongoing message threads without the victim's knowledge.

The SBU noted that the campaign prioritizes individuals of "high intelligence value" — current and former government officials, military commanders, diplomats, and political figures whose communications contain sensitive strategic or operational information.

APT28: Russia's Military Intelligence Arm

The broader campaign has been attributed to APT28 (also known as Fancy Bear, Forest Blizzard, and STRONTIUM) — a threat group tied to Unit 26165 of Russia's military intelligence agency, the GRU. APT28 has been consistently linked to Russian state-sponsored cyber operations since at least 2007, with a track record that includes the 2016 U.S. election interference, attacks on NATO member military networks, and persistent targeting of Ukrainian government and military infrastructure throughout the ongoing conflict.

In a related but distinct operation, Ukraine's Computer Emergency Response Team (CERT-UA) identified two new malware strains — BeardShell and SlimAgent — being delivered via the Signal messaging app itself. BeardShell functions as a backdoor capable of executing PowerShell scripts, while SlimAgent is designed to stealthily capture encrypted screenshots and store them locally on infected devices. Both strains were delivered through malicious Signal messages crafted to appear as legitimate correspondence.

Why Messaging Apps — Not Infrastructure

The choice to target end-user messaging accounts rather than government IT infrastructure reveals a deliberate strategic calculation. Secure messaging apps like Signal, with their strong end-to-end encryption, have become the preferred channel for sensitive government and military communications precisely because they resist traditional network-level interception. By compromising the endpoint account rather than the network link, attackers can access decrypted message content, contact lists, and — critically — ongoing conversation threads that reveal operational intent, coordination plans, and intelligence assessments in real time.

The IC3 (Internet Crime Complaint Center) issued a public service announcement noting that after compromising an account, malicious actors can "view the victims' messages and contact lists, send messages, and conduct additional phishing against other accounts." This last capability is particularly dangerous: a compromised account belonging to a trusted official can be weaponized to phish their contacts with dramatically higher success rates than cold outreach.

Global Scope and Prior Warnings

This disclosure follows a pattern of escalating warnings from Western intelligence agencies. Earlier in 2026, Dutch intelligence agencies issued warnings about Russian state-backed hackers conducting a global campaign to hijack Signal and WhatsApp accounts of government officials and diplomats. The FBI's Internet Crime Complaint Center (IC3) separately published a public service announcement on Russian intelligence services targeting "commercial messaging application accounts" of U.S. government officials and military personnel.

The Kyiv Post reported that the campaign has resulted in unauthorized access to thousands of individual accounts across Ukraine, Europe, and the United States — with the affected population extending beyond government to include civil society organizations, NGOs, and journalists covering the conflict.

Protective Measures

The SBU and cybersecurity agencies recommend the following steps for individuals at risk:

Account Security:

  • Enable two-factor authentication (2FA) using a complex alphanumeric PIN — not SMS-based 2FA where possible.
  • Review active sessions in your messaging app settings regularly. In Signal: Settings → Account → Linked Devices. Log out of any session you do not recognize.
  • Never share verification codes, PINs, passwords, or account recovery keys with anyone — including individuals claiming to be from platform support teams. Legitimate messaging services will never ask for these.

Device Verification:

  • In Signal, use the Safety Number feature to verify the identity of contacts before sharing sensitive information.
  • Be aware that account registration via QR code (e.g., Signal's "Link a Device" feature) can be abused — only scan QR codes from sources you have independently verified.

Phishing Awareness:

  • Be skeptical of unsolicited messages claiming to be from messaging platform support teams, especially those received late at night or early morning.
  • Do not click links in unexpected support messages — navigate directly to the app's official support resources.
  • Notify your organization's security team immediately if you believe you have been targeted.

References

  • The Record: Russia used social engineering to breach messaging accounts, Ukraine says
  • The Record: Social engineering and Signal chats led to new Russian malware attacks
  • Global Security: SSU and FBI expose Russian messaging app hacks
  • IC3 PSA: Russian Intelligence Services Target Commercial Messaging Applications
  • The Hacker News: FBI warns Russian hackers target Signal, WhatsApp
  • Kyiv Post: Russia targets messaging accounts across Ukraine, Europe, and US
#Russia#Social Engineering#Phishing#APT28#Signal#Ukraine

Related Articles

Ukraine and FBI Expose Russian Intelligence Campaign Stealing Signal Credentials via Fake SMS

The SSU and FBI jointly disclosed a sustained Russian intelligence operation targeting messaging credentials of government officials, military personnel,...

5 min read

Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

Ukraine's SSU and the FBI have exposed a sustained Russian intelligence campaign using fake support SMS messages to steal Signal, WhatsApp, and Telegram...

5 min read

Ukraine Confirms APT28 Campaign Targeting Prosecutors and Anti-Corruption Agencies

Ukraine's CERT-UA has confirmed a suspected APT28 espionage campaign targeting Ukrainian prosecutors and anti-corruption agencies, exploiting Roundcube...

4 min read
Back to all News