Decoding the world of cybersecurity

Signal phishing shifts to recovery keys

US agencies say Russian intelligence-linked actors are trying to obtain Signal backup recovery keys, creating account takeover and historic message exposure risk for high-value targets.

Signal phishing shifts to recovery keys
Summary
  • The FBI and CISA warn that Russian intelligence-linked phishing against commercial messaging applications has evolved to target backup recovery keys.
  • The agencies say compromised recovery keys can expose historic private and group messages and enable future account takeover.
  • The warning is relevant to public bodies, political organisations, media, defence, NGOs, and companies exposed to Russia and Ukraine-related work.

CISA and the FBI have warned that Russian intelligence-linked phishing against commercial messaging applications has evolved to target Signal backup recovery keys, widening account recovery risk around encrypted communications.

The warning says Russian intelligence service cyber threat actors have continued to target current and former international government officials, military personnel, political figures, journalists, and key officials in Ukraine. The agencies say the activity has compromised individual messaging accounts, but not the encryption or the messaging application itself.

The latest development is the targeting of backup recovery material. According to the advisory, the actors continue to elicit verification codes and account PINs, but have also begun using phishing messages designed to persuade victims to provide backup recovery keys. If a targeted user enables message backups and then shares the recovery key, the actor may be able to view historic messages, private and group messages, and take over the victim’s account.

The advisory also warns that a shared recovery key can remain valid even if the user later creates a new account with the same phone number. Generating a new backup recovery key invalidates the previous one for future backup downloads, but does not remove access to any backup already downloaded by the actor.

The targets named by US agencies include international government officials, military personnel, political figures, journalists, and Ukrainian officials. European organisations exposed to Ukraine, Russia, sanctions, defence, energy, diplomacy, humanitarian work, media, or political campaigning will need to treat messaging account recovery as part of identity security rather than personal device hygiene.

The distinction between application compromise and account compromise is important. The agencies do not say Signal’s encryption has been broken. The risk sits in social engineering, account linking, recovery material, and user behaviour. A private messaging account may contain executive conversations, legal advice, source communications, political planning, operational details, or sensitive contact networks. Historic message access can be as damaging as live account control.

Account recovery processes are often outside formal governance even when the conversations they protect carry organisational, political, or national security sensitivity. Corporate email and single sign-on may be tightly managed while executive messaging, mobile backup settings, and recovery flows remain informal. That gap is familiar in sensitive work: a conversation may sit outside managed infrastructure while still carrying institutional risk.

Heavy restrictions on encrypted messaging can push users into weaker channels, especially where speed and trust are operational requirements. More durable control comes from defining which roles and workstreams require hardened messaging practices, how recovery keys are stored, who can approve device linking, and how suspected account compromise is handled.

The FBI and CISA public service announcement includes examples of phishing messages that impersonate support or recovery prompts. If a recovery key has been shared, ordinary password resets or account rebuilding may not be enough unless the backup recovery material itself is invalidated and any downloaded backup exposure is assessed.

×