Russian Intelligence Weaponizes Fake SMS Support Messages
Ukraine's Security Service (SSU/SBU) and the United States FBI have jointly disclosed a sustained Russian intelligence operation that uses fraudulent support text messages to steal credentials for Signal, WhatsApp, and Telegram accounts. The campaign has compromised thousands of accounts worldwide, targeting current and former government officials, military personnel, politicians, journalists, and Ukrainian nationals.
The operation does not break end-to-end encryption. Instead, it exploits human trust — social engineering targets into handing over verification codes or recovery keys that grant the attacker full account access while bypassing cryptographic protections entirely.
Attack Methods
Signal: Fake Verification Code Theft
For Signal users, attackers send SMS messages impersonating the platform's official support bot. Messages warn of "suspicious activity" or a "possible data leak" and instruct the victim to verify their account. The attacker has already requested a verification code from Signal on the victim's number — when the victim enters that code plus their PIN into the fake form, the attacker gains full account access on an attacker-controlled device.
More recently, the FBI and CISA have noted attackers specifically targeting Signal backup recovery keys. A stolen recovery key allows full message history restoration and persistent access even if the victim changes devices.
WhatsApp: Linked Devices Abuse
For WhatsApp, attackers abuse the platform's Linked Devices feature. Victims receive messages prompting them to add what appears to be a legitimate secondary device. When the victim approves the pairing QR code presented in the fake message, an attacker-controlled device is silently linked. The victim remains logged in and may not notice — but all past and future messages are now accessible to the attacker.
Telegram: Credential Harvesting via Fake Portals
Telegram-targeting variants direct victims to phishing pages impersonating Telegram's official web login, harvesting session credentials directly.
Attribution
Ukrainian and US authorities attribute this campaign to Russian Intelligence Services (RIS), with specific threat clusters identified:
| Threat Actor | Other Names | Affiliation |
|---|---|---|
| Star Blizzard | SEABORGIUM, Callisto Group | FSB (Russian Federal Security Service) |
| UNC5792 | UAC-0195 | Russian military services |
| UNC4221 | UAC-0185 | Russian military services |
The US State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792 operators.
Targets
The campaign focuses on high-value individuals whose communications carry strategic value:
- Current and former US government officials
- International government officials and diplomats
- Military and defense personnel
- Politicians and political campaign staff
- Journalists and civil society figures
- Ukrainian nationals and diaspora
The scope is global — intelligence services in the Netherlands (AIVD/MIVD), Germany (BfV/BSI), and France (ANSSI) have all issued overlapping warnings about the same campaign patterns.
Why This Works
The attack is effective precisely because it does not attack cryptography — it attacks people. Signal and WhatsApp's encryption is unbroken. The attacker tricks the user into handing over a credential (verification code, recovery key, session token) that then grants legitimate access to the account.
Key insight: No amount of encryption protects an account if the user is persuaded to hand the attacker a valid key.
Protective Measures
| Action | Priority |
|---|---|
| Enable Registration Lock / PIN on Signal — prevents account re-registration without your PIN | Critical |
| Review Linked Devices in WhatsApp and Telegram — remove any unrecognized devices immediately | High |
| Never share verification codes with anyone via SMS, email, or in response to unsolicited messages | Critical |
| Be suspicious of any "support" message — Signal, WhatsApp, and Telegram do not proactively contact users via SMS | High |
| Use a hardware security key as a second factor where supported | Medium |
| Enable screen lock on messaging apps — adds a barrier if a device is compromised | Medium |
How to Check Linked Devices
Signal: Settings → Account → Linked Devices
WhatsApp: Settings → Linked Devices
Telegram: Settings → Devices → Active Sessions
Remove any device you do not recognize immediately.
Incident Response
If you suspect your account has been compromised:
- Revoke linked devices immediately using the platform's device management screen
- Change your Signal PIN / Registration Lock and re-enable it
- Generate new backup keys if your Signal backup recovery key was potentially exposed
- Notify your organization's security team — particularly if you communicate on behalf of a government, military, or NGO
- Report to CISA (US government entities) or your national CERT
References
- The Hacker News — Ukraine Says Russian Intelligence Used Fake Support Texts
- The Record / Recorded Future — Russia Ukraine Messaging Campaign
- TechCrunch — Dutch Intelligence Warning on Russian Signal Campaign
- The Next Web — FBI Warns on Signal Recovery Key Theft