Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Ukraine and FBI Expose Russian Intelligence Campaign Stealing Signal Credentials via Fake SMS
Ukraine and FBI Expose Russian Intelligence Campaign Stealing Signal Credentials via Fake SMS
NEWS

Ukraine and FBI Expose Russian Intelligence Campaign Stealing Signal Credentials via Fake SMS

The SSU and FBI jointly disclosed a sustained Russian intelligence operation targeting messaging credentials of government officials, military personnel,...

Dylan H.

News Desk

June 27, 2026
5 min read

SSU and FBI Disclose Long-Running Russian Phishing Operation

The Security Service of Ukraine (SSU) and the U.S. Federal Bureau of Investigation (FBI) have jointly disclosed a sustained Russian intelligence campaign targeting the messaging accounts of government officials, military personnel, politicians, journalists, and civilians across Ukraine, Europe, and the United States. The operation relies entirely on social engineering rather than software exploits — making it particularly difficult to defend against with technical controls alone.


How the Attack Works

Rather than exploiting software vulnerabilities, Russian intelligence actors — linked to FSB-affiliated operators — impersonate official support accounts for messaging platforms, most notably Signal, and send phishing messages to high-value targets.

The evolved attack chain specifically targets Signal Backup Recovery Keys:

1. Attacker identifies target (government official, military contact, journalist)
2. Target receives SMS impersonating Signal or platform support
   — Sent during early morning hours (higher fatigue = higher click rate)
   — Urgent framing: "Your account is at risk" / "Verify now to prevent suspension"
3. Target clicks link → lands on convincing phishing page
4. Target enters Signal account credentials and/or backup recovery key
5. Attacker restores full Signal message history on attacker-controlled device
6. Persistent access maintained even if victim changes phone number

The focus on backup recovery keys is a critical escalation. Unlike a stolen password that can be reset, a Signal backup recovery key allows an attacker to restore the victim's complete historical message archive — all conversations, contacts, and attachments — and maintain persistent account control that survives phone number changes or app reinstalls.


Scope and Targets

The campaign broadly targets individuals with perceived intelligence value:

Target CategoryExamples
Current/former government officialsCabinet members, legislative staff, diplomats
Military personnelActive and reserve officers, defense contractors
PoliticiansBoth domestic Ukrainian and international figures
JournalistsWar correspondents, investigative reporters covering Russia
Defense industry contactsWeapons contractors, logistics personnel
Ordinary civiliansIndividuals with connections to any of the above

The SSU declined to specify the exact RIS unit responsible or to quantify the total number of victims. The campaign is described as "long-running," with TTPs that have evolved since a March 2026 advisory on related activity.


Why Signal Recovery Keys Are the New Target

Signal is widely used by high-value targets precisely because of its end-to-end encryption and minimal metadata retention. Traditional credential theft that captures only a username and password is less effective because Signal sessions are device-bound. By harvesting backup recovery keys, attackers bypass this protection entirely:

  • Full historical access: Recover all past conversations, not just future messages
  • Durable persistence: The key remains valid even after a victim creates a new account
  • No technical exploit required: The attack works regardless of Signal's encryption strength
  • Plausible cover: Victims may not notice the account has been restored on another device

Broader Context

This disclosure fits into a documented pattern of Russian intelligence targeting communications infrastructure:

  • March 2026: SSU advisory on Russian actors hijacking messaging accounts of NATO-aligned diplomats
  • April 2026: Exposed Russian operation compromising Wi-Fi routers across Ukraine and the EU to intercept communications
  • Earlier 2026: Dutch intelligence warned of parallel campaigns targeting WhatsApp accounts of European government contacts

The FBI's joint attribution signals U.S. assessment that this campaign extends beyond Ukraine and actively targets American personnel and contacts.


Protective Measures

For individuals in or adjacent to high-risk roles, the SSU and FBI recommendations align with general messaging security best practices:

  1. Never share backup recovery keys — no legitimate support service will request them
  2. Enable Registration Lock (PIN) in Signal settings to prevent unauthorized account re-registration
  3. Verify support contacts independently — contact platform support through the official in-app channel, never through a link in an SMS
  4. Be especially cautious with messages received during off-hours — attacks are timed to exploit fatigue
  5. Enable two-factor authentication on email accounts linked to messaging platforms
  6. Audit linked devices in Signal (Settings > Account > Linked Devices) and remove any unrecognized entries
  7. Use hardware security keys for account recovery where supported

Signal-Specific Hardening

Signal Settings > Account > Enable Registration Lock
Signal Settings > Privacy > Screen Security (prevents screenshots)
Signal Settings > Account > Linked Devices (audit regularly)
Signal Settings > Notifications > Show (minimize in-notification content)

Immediately revoke access if a backup recovery key has been shared with any third party — generate a new backup to invalidate the old key.


References

  • The Hacker News — Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
  • BleepingComputer — FBI: Russian Hackers Now Target Signal Backup Recovery Keys
  • The Record — Russia Targets Officials' Messaging Accounts

Related Reading

  • FBI Warns Russian Intelligence Targeting Signal and WhatsApp in Mass Phishing Campaign
  • Operation Epic Fury: Cyber Escalation Across 60 Hacktivist Groups
#Russia#Ukraine#Signal#Phishing#Threat Intelligence#FSB#Social Engineering

Related Articles

U.S. Offers $10 Million for Russian Hackers Targeting WhatsApp and Signal Users

The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and...

3 min read

Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

Ukraine's SSU and the FBI have exposed a sustained Russian intelligence campaign using fake support SMS messages to steal Signal, WhatsApp, and Telegram...

5 min read

Russia Used Social Engineering to Breach Prominent Messaging Accounts, Ukraine Says

Ukraine's SBU and the FBI have jointly exposed a long-running Russian intelligence operation using fake tech-support workers to steal messaging app...

5 min read
Back to all News