SSU and FBI Disclose Long-Running Russian Phishing Operation
The Security Service of Ukraine (SSU) and the U.S. Federal Bureau of Investigation (FBI) have jointly disclosed a sustained Russian intelligence campaign targeting the messaging accounts of government officials, military personnel, politicians, journalists, and civilians across Ukraine, Europe, and the United States. The operation relies entirely on social engineering rather than software exploits — making it particularly difficult to defend against with technical controls alone.
How the Attack Works
Rather than exploiting software vulnerabilities, Russian intelligence actors — linked to FSB-affiliated operators — impersonate official support accounts for messaging platforms, most notably Signal, and send phishing messages to high-value targets.
The evolved attack chain specifically targets Signal Backup Recovery Keys:
1. Attacker identifies target (government official, military contact, journalist)
2. Target receives SMS impersonating Signal or platform support
— Sent during early morning hours (higher fatigue = higher click rate)
— Urgent framing: "Your account is at risk" / "Verify now to prevent suspension"
3. Target clicks link → lands on convincing phishing page
4. Target enters Signal account credentials and/or backup recovery key
5. Attacker restores full Signal message history on attacker-controlled device
6. Persistent access maintained even if victim changes phone numberThe focus on backup recovery keys is a critical escalation. Unlike a stolen password that can be reset, a Signal backup recovery key allows an attacker to restore the victim's complete historical message archive — all conversations, contacts, and attachments — and maintain persistent account control that survives phone number changes or app reinstalls.
Scope and Targets
The campaign broadly targets individuals with perceived intelligence value:
| Target Category | Examples |
|---|---|
| Current/former government officials | Cabinet members, legislative staff, diplomats |
| Military personnel | Active and reserve officers, defense contractors |
| Politicians | Both domestic Ukrainian and international figures |
| Journalists | War correspondents, investigative reporters covering Russia |
| Defense industry contacts | Weapons contractors, logistics personnel |
| Ordinary civilians | Individuals with connections to any of the above |
The SSU declined to specify the exact RIS unit responsible or to quantify the total number of victims. The campaign is described as "long-running," with TTPs that have evolved since a March 2026 advisory on related activity.
Why Signal Recovery Keys Are the New Target
Signal is widely used by high-value targets precisely because of its end-to-end encryption and minimal metadata retention. Traditional credential theft that captures only a username and password is less effective because Signal sessions are device-bound. By harvesting backup recovery keys, attackers bypass this protection entirely:
- Full historical access: Recover all past conversations, not just future messages
- Durable persistence: The key remains valid even after a victim creates a new account
- No technical exploit required: The attack works regardless of Signal's encryption strength
- Plausible cover: Victims may not notice the account has been restored on another device
Broader Context
This disclosure fits into a documented pattern of Russian intelligence targeting communications infrastructure:
- March 2026: SSU advisory on Russian actors hijacking messaging accounts of NATO-aligned diplomats
- April 2026: Exposed Russian operation compromising Wi-Fi routers across Ukraine and the EU to intercept communications
- Earlier 2026: Dutch intelligence warned of parallel campaigns targeting WhatsApp accounts of European government contacts
The FBI's joint attribution signals U.S. assessment that this campaign extends beyond Ukraine and actively targets American personnel and contacts.
Protective Measures
For individuals in or adjacent to high-risk roles, the SSU and FBI recommendations align with general messaging security best practices:
- Never share backup recovery keys — no legitimate support service will request them
- Enable Registration Lock (PIN) in Signal settings to prevent unauthorized account re-registration
- Verify support contacts independently — contact platform support through the official in-app channel, never through a link in an SMS
- Be especially cautious with messages received during off-hours — attacks are timed to exploit fatigue
- Enable two-factor authentication on email accounts linked to messaging platforms
- Audit linked devices in Signal (Settings > Account > Linked Devices) and remove any unrecognized entries
- Use hardware security keys for account recovery where supported
Signal-Specific Hardening
Signal Settings > Account > Enable Registration Lock
Signal Settings > Privacy > Screen Security (prevents screenshots)
Signal Settings > Account > Linked Devices (audit regularly)
Signal Settings > Notifications > Show (minimize in-notification content)
Immediately revoke access if a backup recovery key has been shared with any third party — generate a new backup to invalidate the old key.
References
- The Hacker News — Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
- BleepingComputer — FBI: Russian Hackers Now Target Signal Backup Recovery Keys
- The Record — Russia Targets Officials' Messaging Accounts