Russian Intelligence Adapts Signal Phishing to Steal Backup Recovery Keys, FBI Warns
A phishing campaign attributed to Russian Intelligence Services (RIS) has changed tactics and now targets **Signal** users' Backup Recovery Keys. Whoever holds that key can restore the victim's encrypted backup on a device they control and read the message history it contains, which puts high-value targets and privacy-conscious users alike at risk. The **FBI** and **CISA** have issued an updated public service announcement describing the new lure and the steps victims must take afterwards.
Earlier iterations of the campaign aimed to hijack **Signal** accounts outright. The updated advisory documents a shift toward stealing **Signal Backup Recovery Keys**, which gives the attackers the victim's entire backed-up message history rather than only the messages that arrive after an account takeover.
This new advisory builds upon a March 2026 warning that highlighted RIS targeting of commercial messaging applications (CMAs), particularly **Signal**, through phishing designed to take over accounts rather than to break end-to-end encryption itself: the attackers social-engineer the victim into handing over codes, PINs or device-linking approvals that the protocol cannot protect against.
"**RIS** cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims' Backup Recovery Keys," states an **FBI PSA** published today.
The campaign persistently targets individuals deemed to be of high intelligence value. This includes current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.
Attribution for this activity points to **Russian Intelligence Services**, specifically officers embedded within Russia's **Federal Security Service (FSB)** Border Guards and other actors operating on behalf of the Russian military. The campaign is publicly tracked under the identifiers **UNC5792** and **UNC4221**.
### New Phishing Tactic Targets Signal Backups
While earlier iterations of the campaign concentrated on stealing verification codes, account PINs, or tricking users into linking attacker-controlled devices to their **Signal** accounts, the latest alert reveals a significant tactical shift.
Threat actors continue to impersonate **Signal** support teams. They send phishing messages falsely claiming that **Signal** is implementing mandatory two-factor verification due to an alleged wave of attacks from hackers in Iran and post-Soviet countries.
An initial phishing message typically reads:
"Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent."
"An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries. In this regard, **Signal** updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users."
"Not to lose your messages and media, set up your **Signal** Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan). Click the 'Accept' button in the pop-up and stay tuned for security updates on our messenger."
Note that this first message asks for nothing secret. Its purpose is to make the victim create the backup that the second message will steal. A user who follows the instructions enables **Signal's Secure Backups** feature, which stores encrypted copies of their conversations on **Signal's** servers. The backup is encrypted with a key held only by the user (the Backup Recovery Key), so **Signal** cannot read it, but anyone who obtains the recovery key can restore the backup to a device of their own. The key should therefore never be shared with anyone, including anyone claiming to be **Signal** support.
Subsequently, the threat actors send a second phishing message, still posing as **Signal** support, warning of potential data loss due to a synchronization issue.
"Your **Signal** Account data (messages and media) is at risk of permanent loss due to a sync issue," the second message states.
Users are then told to open their Backup settings, copy their recovery key to the clipboard, and paste it into the chat to "prevent data loss." Once the key is handed over, the attackers restore the backup on their own devices and gain the victim's full historical message store, including private and group conversations, without ever touching the victim's account or phone.
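The two-stage lure above has a structure that outlives any particular wording: impersonate the app's support, create urgency, and elicit a secret (a recovery key, a verification code, a PIN). As an added example that is not part of the FBI/CISA advisory or any **Signal** tooling, the heuristic below scores messages against those three markers and grades them as phishing, suspicious or ok. The patterns and the sample messages are constructed for this illustration and deliberately paraphrase the lure text; the threshold logic is an assumption, not a published rule.

```python
import re
from dataclasses import dataclass, field

# Hypothetical indicator patterns written for this example. They are broad on
# purpose: the lure text changes between campaigns, the structure does not.
IMPERSONATION = re.compile(
    r"\b(?:signal|whatsapp|telegram)\s+(?:support|security|team)\b"
    r"|\bour messenger\b|\bterms of service\b", re.I)
SECRET = re.compile(
    r"\b(?:recovery key|backup key|verification code|registration code|pin)\b", re.I)
# An elicitation is a request verb followed, in the same clause, by a target that
# points back at the sender ("paste it here", "reply to this message with ...").
ELICIT = re.compile(
    r"\b(?:paste|send|reply|provide|share|type|enter)\b[^.\n]{0,60}"
    r"\b(?:here|us|this (?:chat|message)|the message|below)\b", re.I)
URGENCY = re.compile(
    r"\b(?:at risk|permanent(?:ly)? (?:loss|lost|deleted)|immediately"
    r"|within \d+ hours?|mandatory)\b", re.I)
LINK_LURE = re.compile(
    r"https?://\S+.*?\b(?:verify|restore)\b|\b(?:verify|restore)\b.*?https?://\S+",
    re.I | re.S)


@dataclass
class Verdict:
    label: str                       # "phishing", "suspicious" or "ok"
    indicators: list = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Grade one chat message. A secret request is decisive on its own; the
    softer markers only reach 'suspicious' when at least two of them co-occur."""
    hits = []
    if IMPERSONATION.search(text):
        hits.append("impersonates_support")
    if URGENCY.search(text):
        hits.append("urgency")
    if LINK_LURE.search(text):
        hits.append("verify_link")
    # Naming a secret is not enough (a friend may mention "recovery key"); the
    # message must also ask the reader to hand it to the sender.
    if SECRET.search(text) and ELICIT.search(text):
        hits.append("requests_secret")

    if "requests_secret" in hits:
        label = "phishing"
    elif len(hits) >= 2:
        label = "suspicious"
    else:
        label = "ok"
    return Verdict(label, hits)


# Constructed samples: the first two paraphrase the two lure stages described
# in the advisory, the third is the older verification-code variant, the last
# two are benign messages that mention the same words.
SAMPLES = {
    "stage1": ("Attempts to hack users of our messenger with the connection of "
               "third-party devices have become more frequent. Signal updates "
               "Terms of Service and introduces Mandatory Two-factor Verification. "
               "Set up your Signal Backup: Settings -> Backups -> Enable backups "
               "-> View recovery key -> Copy to clipboard -> Next -> Enter the "
               "recovery key -> Next."),
    "stage2": ("Signal Support: Your Signal account data (messages and media) is "
               "at risk of permanent loss due to a sync issue. Go to Settings -> "
               "Backups -> View recovery key, copy it and paste it here so we can "
               "restore your data."),
    "code_lure": ("Signal Security Team: a new device tried to link to your "
                  "account. Reply to this message with the 6-digit verification "
                  "code you just received."),
    "friend": ("Did you turn on Signal backups yet? The recovery key is 64 "
               "characters, keep it in your password manager."),
    "work": "Can you send me the link to the meeting notes? I'll share it with the team.",
}


def triage(samples: dict) -> dict:
    """Return {name: label} for a batch of messages."""
    return {name: score_message(text).label for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = score_message(text)
        print(f"{name:10} {v.label:10} {v.indicators}")
```

The grading mirrors the campaign: the first lure trips only the impersonation and urgency markers (it asks for nothing yet) and comes out "suspicious", the second lure and the verification-code variant both trip the secret request and come out "phishing", and the two benign messages stay "ok" even though they mention a recovery key and use the word "send". The elicitation window is the knob to tune; widen it and friendly advice such as "enter it when the app asks" starts producing false positives.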
### Post-Compromise Recovery Challenges
The updated advisory also highlights a recovery step that victims are likely to overlook. The **FBI** warns that if an attacker obtains a user's **Backup Recovery Key**, re-registering **Signal** with the same phone number does not invalidate the stolen key: the backup and the key that decrypts it are independent of the account registration.
To cut off further access, users *must* generate a new **Backup Recovery Key** in **Signal's** backup settings. This invalidates the old key for any future backup downloads. The agencies caution, however, that rotating the key does nothing about backups the attackers have already downloaded and decrypted; those messages should be treated as exposed.
Users are reminded that legitimate messaging application support teams will only communicate via official company email addresses, will never request verification codes within the application, and will not send links asking users to verify or restore their accounts.
Anyone who suspects they have been targeted by this campaign is strongly encouraged to report the incident to the **FBI's Internet Crime Complaint Center** (**IC3**), a local **FBI** field office, or **CISA**.