Ukraine's Security Service (SBU) and the U.S. Federal Bureau of Investigation (FBI) have jointly exposed a coordinated Russian intelligence operation targeting the messaging accounts of senior officials, military personnel, politicians, journalists, and activists across Ukraine, Europe, and the United States. The operation relies not on technical software exploits, but on social engineering — with Russian operatives posing as tech-support representatives from messaging platforms like Signal and WhatsApp to trick victims into surrendering account credentials.
The Operation: Fake Tech Support at Scale
Ukraine's SBU described the campaign as a "long-running" operation in which attackers impersonate official customer support teams from messaging platforms. Victims receive text messages — often sent in the early hours of the morning when psychological defenses are lowered — purporting to come from Signal, WhatsApp, or Telegram support teams. The messages typically claim there is a problem with the victim's account requiring immediate action.
Once contact is established, attackers persuade targets to share one-time verification codes or account PINs, which are then used to register an attacker-controlled device to the victim's messaging account. In some variants of the attack, victims are sent QR codes through bots or unknown users — scanning the code silently registers an unauthorized device, granting attackers persistent access to ongoing message threads without the victim's knowledge.
The SBU noted that the campaign prioritizes individuals of "high intelligence value" — current and former government officials, military commanders, diplomats, and political figures whose communications contain sensitive strategic or operational information.
APT28: Russia's Military Intelligence Arm
The broader campaign has been attributed to APT28 (also known as Fancy Bear, Forest Blizzard, and STRONTIUM) — a threat group tied to Unit 26165 of Russia's military intelligence agency, the GRU. APT28 has been consistently linked to Russian state-sponsored cyber operations since at least 2007, with a track record that includes the 2016 U.S. election interference, attacks on NATO member military networks, and persistent targeting of Ukrainian government and military infrastructure throughout the ongoing conflict.
In a related but distinct operation, Ukraine's Computer Emergency Response Team (CERT-UA) identified two new malware strains — BeardShell and SlimAgent — being delivered via the Signal messaging app itself. BeardShell functions as a backdoor capable of executing PowerShell scripts, while SlimAgent is designed to stealthily capture encrypted screenshots and store them locally on infected devices. Both strains were delivered through malicious Signal messages crafted to appear as legitimate correspondence.
Why Messaging Apps — Not Infrastructure
The choice to target end-user messaging accounts rather than government IT infrastructure reveals a deliberate strategic calculation. Secure messaging apps like Signal, with their strong end-to-end encryption, have become the preferred channel for sensitive government and military communications precisely because they resist traditional network-level interception. By compromising the endpoint account rather than the network link, attackers can access decrypted message content, contact lists, and — critically — ongoing conversation threads that reveal operational intent, coordination plans, and intelligence assessments in real time.
The IC3 (Internet Crime Complaint Center) issued a public service announcement noting that after compromising an account, malicious actors can "view the victims' messages and contact lists, send messages, and conduct additional phishing against other accounts." This last capability is particularly dangerous: a compromised account belonging to a trusted official can be weaponized to phish their contacts with dramatically higher success rates than cold outreach.
Global Scope and Prior Warnings
This disclosure follows a pattern of escalating warnings from Western intelligence agencies. Earlier in 2026, Dutch intelligence agencies issued warnings about Russian state-backed hackers conducting a global campaign to hijack Signal and WhatsApp accounts of government officials and diplomats. The FBI's Internet Crime Complaint Center (IC3) separately published a public service announcement on Russian intelligence services targeting "commercial messaging application accounts" of U.S. government officials and military personnel.
The Kyiv Post reported that the campaign has resulted in unauthorized access to thousands of individual accounts across Ukraine, Europe, and the United States — with the affected population extending beyond government to include civil society organizations, NGOs, and journalists covering the conflict.
Protective Measures
The SBU and cybersecurity agencies recommend the following steps for individuals at risk:
Account Security:
- Enable two-factor authentication (2FA) using a complex alphanumeric PIN — not SMS-based 2FA where possible.
- Review active sessions in your messaging app settings regularly. In Signal: Settings → Account → Linked Devices. Log out of any session you do not recognize.
- Never share verification codes, PINs, passwords, or account recovery keys with anyone — including individuals claiming to be from platform support teams. Legitimate messaging services will never ask for these.
Device Verification:
- In Signal, use the Safety Number feature to verify the identity of contacts before sharing sensitive information.
- Be aware that account registration via QR code (e.g., Signal's "Link a Device" feature) can be abused — only scan QR codes from sources you have independently verified.
Phishing Awareness:
- Be skeptical of unsolicited messages claiming to be from messaging platform support teams, especially those received late at night or early morning.
- Do not click links in unexpected support messages — navigate directly to the app's official support resources.
- Notify your organization's security team immediately if you believe you have been targeted.
References
- The Record: Russia used social engineering to breach messaging accounts, Ukraine says
- The Record: Social engineering and Signal chats led to new Russian malware attacks
- Global Security: SSU and FBI expose Russian messaging app hacks
- IC3 PSA: Russian Intelligence Services Target Commercial Messaging Applications
- The Hacker News: FBI warns Russian hackers target Signal, WhatsApp
- Kyiv Post: Russia targets messaging accounts across Ukraine, Europe, and US