The FBI and CISA have updated a March 2026 advisory to warn that threat actors linked to Russian Intelligence Services (RIS) have refined their Signal phishing campaign. Where earlier attacks focused on stealing verification codes, account PINs, or linking attacker-controlled devices to victims’ accounts, the updated alert describes a new objective: obtaining Signal Backup Recovery Keys.
How the Attack Works
The campaign, publicly tracked under the designations UNC5792 and UNC4221 and attributed to officers connected with Russia’s Federal Security Service (FSB) Border Guards and actors supporting the Russian military, impersonates automated Signal support accounts. Targets receive an initial phishing message falsely claiming that Signal is rolling out mandatory two-factor verification in response to an alleged wave of attacks by hackers from Iran and post-Soviet countries. The message instructs recipients to enable Signal’s Secure Backups feature and copy their recovery key.
A follow-up message, again posing as Signal support, warns of imminent data loss due to a synchronization issue and prompts the target to paste their recovery key directly into the chat.
Once an attacker holds the recovery key, they can restore the victim’s encrypted backup, including private and group message histories, to a device they control. The agencies note that Signal’s end-to-end encryption itself is not broken; the attack relies entirely on social engineering.
The Key Does Not Expire Automatically
A critical detail highlighted in the updated advisory: creating a new Signal account on the same phone number does not invalidate a previously stolen recovery key. Victims must explicitly generate a new Backup Recovery Key through Signal’s backup settings to block future use of the compromised key. However, the agencies caution that any backup already downloaded by an attacker using the old key remains accessible regardless of subsequent key rotation.
Targeted Individuals
The FBI states the campaign continues to focus on individuals of high intelligence value, including:
- Current and former US and international government officials
- Military personnel and political figures
- Journalists and key officials located in Ukraine
Recommended Actions
Security professionals should advise high-risk users to take the following steps:
- Never share a Signal Backup Recovery Key with any party; legitimate Signal support will never request it.
- If exposure is suspected, generate a new recovery key immediately through Signal’s backup settings.
- Review linked devices in Signal settings and remove any unrecognized entries.
- Treat any unsolicited message claiming to be from Signal support as a phishing attempt.
The updated advisory reinforces that legitimate messaging application support teams do not contact users through in-app messages to request security credentials of any kind.
