- Russian Intelligence are targeting Signal accounts of officials based in Ukraine
- They pose as Signal support services and ask users to submit their Backup Recovery Keys
- Using these keys, the hackers can hijack the users account and any other accounts created using the same mobile phone number
The FBI has warned Russian Intelligence Services are posing as commercial messaging application support services in order to steal Backup Recovery Keys belonging to targets of high value in the military and government of the US, Europe, and Ukraine.
In a joint warning alongside the CISA and the Security Service of Ukraine (SSU), the FBI outlined the new phishing campaign which seeks to access messaging accounts in order to perform intelligence gathering of secret information.
Specifically, the FBI provided sample phishing lures targeting users of the Signal messaging app. If the hackers successfully lure a victim into sharing their Backup Recovery Key, they can access the account's message history, private and group messages, and fully take over the victim's account.
Russian Intelligence pose as Signal support services
In the FBI warning, the phishing techniques are further detailed. The Russian Federal Security Service (FSB) are targeting government officials, military personnel, political figures, journalists, and key officials from the US and Europe located in Ukraine.
The attackers send emails that appear to be automated messages from Signal, asking users to turn on their message backup using their Backup Recovery Key. Victims are provided with false instructions that instead send the Backup Recovery Key to the attacker, who can then use the key to take over the victim’s account.
In order to establish urgency and trust that the message is legitimate, the attackers posed the phishing message as a protection against recent hacking attempts from “Iran and post-Soviet countries.” In another sample message, the attacker's message says that the victim’s account data “is at risk of permanent loss due to a sync issue.”
If a victim shares their unique Backup Recovery Key, it allows the attacker to hijack their current Signal account alongside any subsequent accounts made with the same phone number.
For users who may fear their Backup Recovery Key has been compromised, users are instructed to use Signal settings to create a new Backup Recovery Key. This new key will invalidate all previous Backup Recovery Keys and prevent account takeover if the previous key was leaked.
In order to avoid falling victim to phishing messages, there are several ways to stay safe:
- Support services will generally only communicate with users via an official company email address. Always carefully check communications from the legitimate email address.
- Customer support will never request that you supply your Backup Recovery Key via the application
- You will never be asked to verify or restore your account via an automated customer support message
In order to further protect your Signal account, or other accounts, against phishing, users should consider the following:
- Use a passkey wherever possible. This will use your device’s built in biometric verification methods to authenticate your login.
- Use phishing resistant multi-factor authentication where possible
- Always double check messages and emails are legitimate, and are using an official company email
- Never supply your Backup Recovery Keys unless you are actively attempting to regain access to your account via a legitimate service
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
