The FBI and CISA are warning that a phishing campaign with ties to Russian intelligence that targets Signal users is evolving to steal Signal backup recovery keys, giving attackers access to victims’ historical messages.
This updated public service announcement is an update to a March 2026 advisory that warned that threat actors were targeting users of commercial messaging applications, particularly Signal, through phishing campaigns aimed at hijacking accounts rather than breaking end-to-end encryption.
“RIS cyberattackers continue to impersonate automated CMA support accounts in updated phishing messages, but they’re evolving their tactics to try to extract victims’ backup recovery keys,” an FBI PSA released today warns.
According to the FBI, the campaign continues to target individuals of high intelligence value, including current and former U.S. and international government employees, military personnel, politicians, journalists, and key officials residing in Ukraine.
The agencies attribute this activity to the Russian Intelligence Service (RIS), which includes personnel from the Russian Federal Security Service (FSB) Border Guards and other actors acting on behalf of the Russian military. This campaign is publicly tracked as UNC5792 and UNC4221.
New Phishing Tactics Target Signal Backup
While the initial advisory focused on phishing messages that attempt to steal verification codes or account PINs, or to trick users into linking attacker-controlled devices to their Signal accounts, the updated alert says attackers are evolving their tactics.
According to the FBI, attackers continue to impersonate Signal’s support team and send phishing messages falsely claiming that Signal is introducing mandatory two-factor authentication following a series of attacks by hackers from Iran and former Soviet Union countries.
The first phishing message says, “Recently, we’ve seen an increase in attempts to hack Messenger users by connecting third-party devices to their accounts.”
“An investigation conducted jointly with the U.S. government and European partners revealed that the attacks on the accounts were carried out by hackers from Iran and the countries of the former Soviet Union. In this regard, Signal has updated its Terms of Service and Privacy Policy and introduced mandatory two-factor authentication for users.”
“Set up Signal backup to avoid losing your messages and media (Settings -> Backup -> Enable backup -> Show recovery key -> Copy to clipboard -> Next -> Enter recovery key -> Next -> Continue -> Select a backup plan). Click the (Agree) button in the pop-up and wait for security updates in Messenger.”
Once the target follows these instructions, their Signal messages will be backed up using Signal’s secure backup feature, and an encrypted copy of the conversations will be stored on Signal’s cloud servers.
The data is encrypted end-to-end using the recovery key created in the steps above. Anyone with the key can use it to restore the backup data on a device, so it should never be given to anyone else.
The threat actor then sends a second phishing message posing as Signal Support, warning that there is a risk of data loss due to synchronization issues.
The second Signal message reads, “Due to sync issues, you’re at risk of permanently losing your Signal account data (messages and media).”
The threat actor then asks the target to go to their backup settings, copy the recovery key to the clipboard, and paste it into a message to prevent the loss of saved data.
However, once the target provides the recovery key, the attacker is able to restore the backup to their own device and access the victim’s historical messages, including private and group conversations.
The updated advisory also warns of recovery scenarios that users may overlook after their accounts are compromised.
The FBI warns that if an attacker obtains a user’s backup recovery key, creating a new Signal account using the same phone number will not invalidate the old stolen key.
Instead, users must generate a new backup recovery key through Signal’s backup settings. This will invalidate the previous key for future backup downloads.
However, the agency warns that generating a new recovery key will not prevent an attacker from using a compromised key to access backups that have already been downloaded.
The updated advisory reminds users that support teams for legitimate messaging applications only communicate through official company email addresses, do not request verification codes within the application, and do not send links asking users to verify or restore their accounts.
Anyone who believes they have been victimized by this campaign is encouraged to report incidents to the FBI’s Internet Crime Complaint Center (IC3), their local FBI field office, or CISA.

