The FBI and CISA have been tracking Russian intelligence groups, specifically UNC5792 and UNC4221, for a while now. We saw warnings back in March 2026 about their phishing campaigns aimed at hijacking Signal accounts. Those initial attacks focused on stealing SMS verification codes or account PINs, or on tricking users into linking an attacker's device to their account. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025, so this isn't new territory for them. For the latest information on these evolving threats, consult the official CISA cybersecurity advisories.
An Evolving Threat to High-Value Targets
What's new, and what the updated advisory from today highlights, is a shift. These groups are now specifically trying to coax targets into giving up their **Signal backup recovery keys**. What looks like a minor credential is in fact the master key to your past conversations. These campaigns aren't random, either. They're laser-focused on individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials in Ukraine. The intelligence gathered from such compromises could be used for espionage, blackmail, or to disrupt critical operations. Thousands of accounts worldwide have already been compromised, underscoring the scale and sophistication of these persistent threats.
Exploiting Trust, Not Encryption
Here's how they're doing it. The attackers craft sophisticated phishing messages that impersonate "Signal support." These messages come through Signal itself, which adds a layer of perceived legitimacy, making them incredibly difficult to distinguish from genuine communications. They skillfully play on common user anxieties or perceived security updates, leveraging social engineering tactics to bypass technical safeguards.
One common scenario involves a message claiming a "mandatory two-factor rollout" is needed due to attacks from specific regions. It then prompts you to enable Signal Secure Backups and copy your recovery key. Another tactic warns of "data loss" from a synchronization issue, urging you to copy your recovery key and paste it into the message to "fix" it. These messages often create a sense of urgency, pressuring users to act quickly without critical thought, thereby compromising their **Signal backup recovery keys**.
This is where the distinction matters. Signal's end-to-end encryption (E2EE) remains solid. The messages themselves are encrypted between sender and receiver, ensuring privacy in transit. The attackers aren't breaking the crypto. Instead, they're exploiting a legitimate *feature*: Signal's encrypted backup system. When you enable secure backups, Signal encrypts your message history and stores it, often in cloud services like Google Drive or iCloud. The recovery key is the only way to decrypt and restore that backup, making it a single point of failure if compromised.
Think of it like this: Signal built a bank vault (E2EE) that's incredibly secure. But they also gave you a safety deposit box key (the recovery key) to access your personal records if you ever lose your main vault access. The attackers aren't blowing up the vault; they're tricking you into handing over your safety deposit box key, which then grants them unfettered access to your most private communications.
Your Entire History, Exposed
The practical impact of a compromised recovery key is severe and far-reaching. Once an attacker has that key, they can restore your entire message history – private chats, group conversations, everything – onto their own device. They effectively gain access to your past communications as if they were you, potentially uncovering sensitive intelligence, personal secrets, or strategic discussions. And it's not just historical data; they can also take over your account, sending messages as you and further compromising your network.
What makes this particularly nasty is the persistence of the threat. If your **Signal backup recovery key** is stolen, simply creating a new Signal account with the same phone number *doesn't* invalidate the old key. The attacker can still use it to download any backups made with that key. To truly mitigate the risk, you have to generate a *new* Backup Recovery Key through Signal's settings. This invalidates the old key for *future* backup downloads, but the damage for past data is already done.
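To make the persistence point concrete, here is an added model (not Signal's own code or backup format) of the recovery-key lifecycle described in this and the previous section: a stand-in cipher built from HMAC-SHA256 encrypts each backup under the current recovery key, a phished key is used to read a backup the attacker already downloaded, and rotating the key protects only backups made afterwards. The function names and the sample histories are constructed for the illustration.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# The cipher below (HMAC-SHA256 keystream plus a MAC) is a stand-in so the
# script runs on the standard library alone; it is NOT Signal's real scheme.
# What it preserves is the property that matters here: whoever holds the
# recovery key that made a backup can decrypt that backup, nothing else can.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt_backup(recovery_key: bytes, history: bytes) -> bytes:
    """Encrypt a message history under the current recovery key."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(history, _keystream(recovery_key, nonce, len(history))))
    tag = hmac.new(recovery_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def restore_backup(recovery_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext history, or None if this key did not make the backup."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(recovery_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: the backup stays opaque
    return bytes(a ^ b for a, b in zip(body, _keystream(recovery_key, nonce, len(body))))

def leaked_key_scenario() -> dict:
    """Walk through: key phished -> backup downloaded -> user rotates the key."""
    key_v1 = secrets.token_bytes(32)                    # shown once when backups are enabled
    cloud = [encrypt_backup(key_v1, b"old chats")]      # what sits in Google Drive / iCloud
    leaked = key_v1                                     # pasted into a "Signal support" chat
    attacker_cache = list(cloud)                        # attacker downloads today's backup
    key_v2 = secrets.token_bytes(32)                    # 'Generate new recovery key' in settings
    cloud.append(encrypt_backup(key_v2, b"new chats"))  # future backups use the new key only
    return {
        # damage already done: the downloaded backup decrypts with the phished key forever
        "old_backup_readable_with_leaked_key": restore_backup(leaked, attacker_cache[0]) == b"old chats",
        # rotation works going forward: the leaked key cannot open backups made under key_v2
        "new_backup_readable_with_leaked_key": restore_backup(leaked, cloud[1]) is not None,
        "new_backup_readable_with_new_key": restore_backup(key_v2, cloud[1]) == b"new chats",
    }
```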
This is a confidentiality breach of the highest order, especially for the high-value targets these groups are after. The stolen data can be used for long-term intelligence gathering, blackmail, or to identify and compromise other individuals in the target's network. The insidious nature of this attack lies in its ability to bypass robust encryption by exploiting human trust, making user vigilance paramount.
Protecting Your Signal Backup Recovery Keys: What You Need to Do
The FBI and CISA are clear: Signal's encryption isn't broken. This is a social engineering problem, and it requires user vigilance. Protecting your **Signal backup recovery keys** is as crucial as safeguarding your most sensitive passwords.
First, understand how legitimate Signal support works. They will *only* communicate with you through official company email addresses. They will *never* ask for verification codes or recovery keys within the application itself. They also won't send you links asking you to verify or restore your account. If you get a message like that, it's a phishing attempt – immediately block the sender and delete the message.
If you suspect your recovery key has been compromised, the non-negotiable step is to generate a new one immediately. Go into Signal's settings, navigate to 'Chats and media', then 'Chat backups'. If backups are enabled, you'll see an option to 'Generate new recovery key'. Follow the prompts to create and securely store this new key. Remember, this only protects *future* backups; any data already downloaded by an attacker using the old key remains compromised.
Beyond that, practice strong overall security hygiene. Enable a Signal PIN and screen lock for added protection. Consider using disappearing messages for sensitive conversations. Regularly review your linked devices in Signal settings to ensure no unauthorized devices are connected. Educate your contacts about these threats, as their compromise could indirectly affect you.
Report any suspicious activity. The FBI's Internet Crime Complaint Center (IC3), your local FBI field office, or CISA are the places to go. The State Department's Rewards for Justice program is even offering up to $10 million for information on UNC5792, which shows how seriously they're taking this. This isn't just about "don't click suspicious links." It's about understanding the mechanisms behind the security features you rely on. Your recovery key is a powerful credential. Treat it with the same care you would your bank account password. The attackers are adapting, and so must we.