The U.S. Department of State has announced a reward of up to $10 million for information that helps identify or locate members of two Russian cyber-espionage groups — UNC5792 and UNC4221 — through its Rewards for Justice program.
Both groups are assessed to be linked to Russia's Federal Security Service (FSB), with ties to border guard intelligence and military services. Their campaigns specifically target encrypted messaging platforms — Signal and WhatsApp — to compromise high-value individuals.
Who Is Being Targeted
The groups have focused their operations on:
- Government officials and diplomats
- Military and intelligence personnel
- Journalists and political dissidents
- Activists and civil society figures
The targeting pattern is consistent with intelligence collection priorities, particularly around individuals whose encrypted communications would be of strategic value to the Kremlin.
Attack Method: Phishing Signal Backup Keys
Rather than attacking the encryption of Signal itself, the groups exploit the human element. The attack chain works as follows:
- Attackers impersonate Signal support agents via phishing messages
- Victims are tricked into completing a fake two-factor verification prompt
- The prompt actually collects the victim's Signal Backup Recovery Key
- With the backup key, attackers gain persistent access to message history — even if the victim later changes devices or creates a new account with the same phone number
The technique is particularly dangerous because backup keys remain valid across account migrations. A victim who doesn't know their key was stolen has no indication their messages are being read.
WhatsApp Attack Variants
Similar social engineering approaches have been applied to WhatsApp, where attackers attempt to harvest account credentials or session tokens through fake verification flows.
Significance
This reward announcement marks an escalation in how the U.S. government is publicly naming and attributing Russian cyber operations against communications platforms. By offering a $10 million bounty — the same tier typically reserved for state-sponsored ransomware actors — the State Department is signaling that targeting encrypted messaging at scale constitutes a serious national security threat.
What Users Should Do
- Do not share backup keys or recovery codes with anyone, including apparent customer support
- Enable registration lock on Signal (Settings → Account → Registration Lock)
- Treat any unsolicited verification request as a phishing attempt
- Report suspicious contact to your organization's security team