Decoding the world of cybersecurity

Russian phishing targets Signal recovery keys

US agencies warn Russian intelligence-linked actors are soliciting Signal backup recovery keys, shifting secure messaging risk towards account recovery, user verification, and communications governance.

Russian phishing targets Signal recovery keys
Summary
  • The FBI and CISA say Russian intelligence-linked actors continue to target commercial messaging applications.
  • The campaign has evolved to solicit Signal backup recovery keys from high-value targets.
  • The advisory is relevant to government, defence, media, political, and executive communications security in Europe.

The FBI and CISA have warned that Russian intelligence-linked actors are continuing to target commercial messaging applications, with tactics now including attempts to solicit Signal backup recovery keys from high-value targets.

The advisory says the activity has targeted current and former US and international government officials, military personnel, political figures, journalists, non-governmental organisation staff, think tank researchers, and key officials in Ukraine. The agencies say the campaign has evolved from QR code and device-linking lures to direct requests for Signal backup recovery keys.

The risk is not that Signal’s encryption has been broken. The advisory says individual messaging accounts have been compromised, not the applications or their cryptographic protections. The operational exposure sits in account and recovery-process compromise: if a target can be persuaded to share a backup recovery key or link a device, the attacker may gain access to historical private and group messages or take control of the account.

The FBI’s Internet Crime Complaint Center has published the public service announcement on Russian intelligence targeting of messaging applications, including examples of phishing language and recommended mitigations.

The European relevance is clear from the target set. The advisory identifies international officials and key Ukrainian targets, and the same communications patterns exist across European governments, defence-adjacent organisations, political parties, media, civil society, law firms, advisers, and companies supporting Ukraine. Secure messaging apps are often used precisely because conversations are sensitive, fast-moving, and not suited to formal email channels.

Many organisations have mature policies for email, corporate devices, collaboration platforms, and document storage, while expectations around messaging apps can be looser. Executives, policy teams, journalists, campaign staff, researchers, and incident-response groups may use commercial messaging for convenience, speed, or perceived security. When account recovery becomes the target, the weakest point may be human trust rather than the platform’s encryption.

Backup and recovery mechanisms deserve particular attention. Users are trained to protect passwords and sometimes multi-factor prompts, but recovery keys can be treated as administrative clutter. A convincing message that appears to come from a platform, colleague, support channel, or urgent security notice can exploit uncertainty around how backup features work. The FBI and CISA examples show how attackers can frame recovery-key requests as safety guidance.

High-risk groups need clear rules on device linking, backup recovery, account migration, verification of contacts, and reporting suspicious prompts. They also need practical support when travelling, changing phones, joining sensitive groups, or handling crisis communications. A policy that simply bans unauthorised tools may be ignored if official alternatives are slower or less usable.

After a messaging account is compromised, the exposed information can extend beyond one user. Group chats can reveal contact networks, sensitive operational details, meeting plans, source identities, legal strategy, procurement discussions, and internal deliberations. Attackers may use that information for further phishing, impersonation, intelligence collection, or pressure campaigns.

The advisory’s careful wording is useful because it avoids implying that encrypted messaging is unsafe as a category, while making clear that account-level compromise can still defeat the confidentiality users expect. European organisations with political, defence, policy, media, or Ukraine-related exposure need controls around recovery-key handling, device-link approval, high-risk user training, and fast reporting when account behaviour changes.

Secure messaging remains valuable, but the account, the device, the recovery process, and the user’s judgement all sit inside the protected system.

×