
Russian Threat Actors Continue Targeting Signal and WhatsApp


Thousands of Victims Tricked Into Giving Attackers Account Access, Say Officials

Recent reports indicate that Russian military hackers have successfully compromised thousands of individuals by exploiting their trust and tricking them into granting access to their messaging accounts. Victims primarily use popular applications like Signal and WhatsApp, which are known for their robust end-to-end encryption, designed to protect user communications. However, a recent alert from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reveals that these hackers have adapted their tactics to circumvent the security features these apps provide.

The deceptive tactics employed by the hackers involve phishing campaigns that pose as automated support bots of these messaging applications. Rather than exploiting vulnerabilities within the platforms themselves, these Russian intelligence operatives are using social engineering techniques to manipulate users into providing sensitive information. Attackers have been masquerading as customer support accounts, successfully luring unsuspecting users into divulging their backup recovery keys and account PINs, crucial information that grants complete access to their messaging accounts.

According to the alert issued on June 29, 2026, the FBI noted, "The threat actors have compromised individual CMA accounts, but not the CMA’s encryption or the application itself." This statement emphasizes that the hackers are not breaching the encryption technology but rather taking advantage of users’ lack of knowledge or caution concerning security practices.

Recent variations of phishing messages have taken a more aggressive stance, attempting to convince users to back up their messages under the pretext of technical support, thereby allowing the attackers to seize control of the accounts. Once hackers gain access, they can view not only the historical messages but also private and group conversations, creating avenues for further exploitation.

The alert points out that if a victim unwittingly shares their backup recovery key, it remains valid even if they establish a new account using the same phone number. This leaves victims vulnerable even after attempting to regain control. To mitigate the risk, users are advised to generate a new backup recovery key within their app settings, which invalidates the old one. Generating a new key does not, however, undo the damage if the actor already downloaded a backup of the original account before the change was made.

Both the FBI and CISA have updated their warnings regarding these “unsophisticated, yet effective” phishing attacks and are urging individuals who suspect they have been targeted to report the incidents to the authorities. As these tactics gain traction, attackers are also focusing their efforts on high-value targets across various jurisdictions, including the United States, Ukraine, Australia, and several European nations.

The methods employed by the Russian hackers primarily involve impersonating Signal support chatbots to manipulate users into providing their codes. Another strategy involves abusing the “linked devices” feature of Signal and WhatsApp, which lets a second device be attached to an existing account. Dutch intelligence agencies have warned that these hackers constantly adapt and evolve their tactics to reach a wider range of users.

Adding to the intricacies of this situation, attackers have been known to alter legitimate "group invite" pages and redirect users to malicious URLs. By doing so, they can link an attack-controlled device to the victim’s Signal account, leading to further unauthorized access.

The scope of the compromise is alarming, with reports indicating that thousands of accounts have been infiltrated, garnering unauthorized access to sensitive government communications and personal data. Officials assert that the ultimate goal of these hacking efforts is to collect sensitive military, political, and economic information exchanged among users and to pilfer personal data for ulterior motives.

Phishing attempts typically arrive as SMS messages from supposed "support teams," often targeted in the morning when victims are possibly more susceptible due to their mental and emotional states.

High-profile targets have not been spared from these attacks; in March, suspected Russian hackers compromised the WhatsApp accounts of an Australian member of parliament and three of their staff members. An Australian official confirmed in May that all evidence attributed the attacks to a nation-state hacking group targeting officials across multiple countries.

Once a single account is compromised, attackers frequently utilize it as a launching pad for further intrusions, disguising themselves as the victim to target additional individuals.

Federal authorities have also taken steps in response, with the U.S. Department of State offering rewards of up to $10 million for information that could lead to the identification or capture of individuals associated with two hacking groups believed to be behind these incidents. These groups are linked to Russian intelligence services and include the clusters tracked as UNC5792 and UNC4221.

Signal has proactively issued alerts urging users to remain vigilant against such phishing campaigns. They have asserted that individuals from their support team will never solicit sensitive information like verification codes or PINs through direct messages.

Moreover, the Security Service of Ukraine (SBU) has provided guidelines for users of end-to-end encrypted messaging applications. The agency suggests that users regularly monitor active connections to their accounts and enable two-factor authentication while emphasizing that sharing any verification codes, PIN codes, or recovery keys can lead to significant breaches of privacy.

In a continuously evolving landscape marked by sophisticated cyber threats, the responsibility of remaining secure falls significantly on users who must stay informed, vigilant, and cautious to protect their personal and sensitive information.
