[TIMESTAMP: 2026-06-26 20:38 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

FBI Warns: Russian APTs Target Signal Backup Keys via Phishing

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Russian intelligence actors are compromising Signal accounts for message history and takeover.
  • [02] Signal users are at risk, particularly those susceptible to advanced phishing tactics.
  • [03] Never disclose your Signal Backup Recovery Key; enable and protect your Signal PIN.

Russian Intelligence Actors Target Signal Backup Recovery Keys

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated warning regarding ongoing malicious activity by Russian intelligence APT groups. These actors are specifically targeting users of the secure messaging application, Signal, employing sophisticated phishing tactics to acquire Signal Backup Recovery Keys. This highly effective TTP allows attackers to gain unauthorized access to a user’s entire message history and maintain persistent control over the compromised account.

This updated advisory builds upon a previous warning issued in March, indicating an evolution in the adversary’s methodology. The core addition to their attack chain is the coercion of targets into voluntarily disclosing their Signal Backup Recovery Key, according to The Hacker News. The implications of this are severe: once the key is obtained, the attacker can restore the account’s backup on their own device, granting them unfettered access to private and group communications. Crucially, the compromised key remains functional, meaning the threat actor retains long-term access unless specific remediation steps are taken.

Technical Overview of the Attack

The attack begins with highly targeted phishing campaigns, designed to trick high-value individuals or those with access to sensitive information into divulging their Signal Backup Recovery Key. While the specific lures are not detailed in the public advisory, these are typically crafted with high precision, often impersonating legitimate entities or services to establish credibility.

Upon successful acquisition of the Signal Backup Recovery Key, the attacker can:

  • Restore Account Backups: The key enables the restoration of the victim’s Signal account history on a new device controlled by the adversary. This includes all encrypted private and group chat messages.
  • Access Sensitive Communications: Attackers gain visibility into past and ongoing confidential discussions, compromising the integrity of secure communications.
  • Full Account Takeover: Beyond historical data, the attacker can effectively take over the account, potentially sending messages, joining groups, and impersonating the legitimate user.
  • Persistent Access: The critical aspect of this attack is the enduring validity of the recovery key. Unlike a one-time login token, the key allows for repeated access and restoration, granting the attacker a persistent foothold in the victim’s communication sphere.

This method bypasses Signal’s strong end-to-end encryption by targeting the user’s ability to restore their own encrypted data, essentially turning a recovery mechanism against the user.

Impact and Implications for Defenders

This campaign poses a significant threat, particularly to individuals and organizations that rely on Signal for sensitive, secure communications. The primary targets are expected to be those of intelligence value to Russian APT groups, including government officials, journalists, activists, and employees of critical infrastructure sectors.

The compromise of a Signal account can lead to:

  • Espionage and Intelligence Gathering: Access to secure communications directly supports intelligence collection efforts.
  • Reputational Damage: Impersonation of a compromised user can lead to the spread of misinformation or unauthorized actions.
  • Further Compromises: Information gleaned from messages could facilitate lateral movement by identifying other targets, vulnerabilities, or internal organizational structures.
  • Loss of Trust: Erosion of confidence in secure communication platforms if users perceive them as vulnerable.

Mitigation Strategies for Signal Account Takeover by Russian Intelligence

Defenders must prioritize immediate and robust actions to protect against this sophisticated threat. Proactive measures and user education are paramount to thwarting these advanced phishing attacks and preventing unauthorized access to sensitive communications. Here is how to protect a Signal Backup Recovery Key from compromise:

  • Never Share Your Signal Backup Recovery Key: This is the single most critical recommendation. Signal’s recovery key is akin to a master password for your entire communication history. Educate all users that Signal will never ask for this key, nor will any legitimate service or individual.
  • Enable and Protect Your Signal PIN: While the recovery key is for backups, a strong Signal PIN adds an essential layer of security for registration and profile changes. Ensure a strong, unique PIN is set and not reused across other services.
  • Enhanced Phishing Awareness Training: Regularly update and conduct security awareness training, focusing specifically on advanced phishing techniques. Users should be highly suspicious of any unsolicited requests for sensitive information, especially recovery keys or passwords, regardless of how legitimate the request appears.
  • Vigilance for Suspicious Activity: Users should be trained to recognize phishing attempts that seek a Signal Backup Recovery Key. Look for unusual login prompts, requests from unknown senders, or communications that seem slightly off. Even if a message appears to come from a known contact, verify through an alternative secure channel if it asks for sensitive information.
  • Regular Review of Linked Devices: Periodically check your Signal settings for ‘Linked Devices’. Remove any unrecognized devices immediately. This can help detect if an account has been restored on an attacker’s device.
  • Consider Disabling Cloud Backups (with caution): While not explicitly mentioned by the FBI/CISA, if you have Signal backups enabled and stored in the cloud, ensure those cloud accounts are also secured with strong, unique passwords and multi-factor authentication. Disabling cloud backups entirely reduces the attack surface for the recovery key, but also means manual backup management is critical to prevent data loss.
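The awareness and vigilance items above describe what a request for a recovery key looks like; the following is an added example of turning that description into a screening heuristic, as a defender might run over inbound support tickets or messages before they reach a user. It is not code from the advisory, the FBI/CISA, or Signal, and the phrase lists, scoring weights, threshold and sample messages are all constructed assumptions for illustration.

```python
"""Heuristic screen for messages that ask a recipient to disclose a Signal
Backup Recovery Key or Signal PIN.  Added illustration, not from the advisory;
the phrase lists, weights and sample messages below are constructed."""
import re
from dataclasses import dataclass, field

# Assumed phrase lists. SECRET_TERMS name the secrets this campaign seeks;
# REQUEST_TERMS are verbs that ask the reader to hand something over;
# URGENCY_TERMS are the pressure cues typical of credential phishing.
SECRET_TERMS = [
    r"backup recovery key", r"recovery key", r"backup key",
    r"signal pin", r"registration lock pin",
]
REQUEST_TERMS = [
    r"\bsend\b", r"\bshare\b", r"\bprovide\b", r"\benter\b", r"\bconfirm\b",
    r"\bverify\b", r"\bpaste\b", r"\breply with\b", r"\bread (me|us|back)\b",
]
URGENCY_TERMS = [
    r"\burgent", r"\bimmediately\b", r"\bwithin \d+ (hours|minutes)\b",
    r"\bsuspended\b", r"\blocked\b", r"\bdeactivat",
]
# Wording that warns about a secret rather than requesting it lowers the score,
# so an internal "never share your key" reminder is not flagged.
NEGATION_TERMS = [
    r"\bnever (ask|share|send|disclose)\b",
    r"\bdo not (share|send|disclose)\b",
]

THRESHOLD = 5  # assumed cut-off: secret mentioned AND requested crosses it


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Return a score and the reasons behind it; 0 means nothing of note."""
    t = text.lower()
    v = Verdict(0)
    secret = next((p for p in SECRET_TERMS if re.search(p, t)), None)
    if secret is None:
        return v  # no protected secret mentioned at all
    v.score += 3
    v.reasons.append(f"mentions protected secret: '{secret}'")
    if any(re.search(p, t) for p in REQUEST_TERMS):
        v.score += 3
        v.reasons.append("asks the recipient to hand it over")
    if any(re.search(p, t) for p in URGENCY_TERMS):
        v.score += 1
        v.reasons.append("applies time pressure or threatens loss of access")
    if any(re.search(p, t) for p in NEGATION_TERMS):
        v.score -= 3
        v.reasons.append("reads as a warning, not a request")
    return v


def is_suspicious(text: str, threshold: int = THRESHOLD) -> bool:
    return score_message(text).score >= threshold


def triage(messages):
    """Return (index, score, reasons) for every message at or over THRESHOLD."""
    flagged = []
    for i, m in enumerate(messages):
        v = score_message(m)
        if v.score >= THRESHOLD:
            flagged.append((i, v.score, v.reasons))
    return flagged


# Constructed sample messages (not real lures from the campaign).
SAMPLES = [
    "Your Signal account will be suspended. Verify ownership by sending your "
    "backup recovery key within 24 hours.",
    "Reminder from IT: Signal will never ask for your recovery key. "
    "Do not share it with anyone.",
    "Can you confirm the meeting moved to 3pm?",
    "Support here. Please enter your Signal PIN in the form so we can "
    "restore your chats.",
]

if __name__ == "__main__":
    for i, score, reasons in triage(SAMPLES):
        print(f"[{score}] message {i}: {SAMPLES[i]!r}")
        for r in reasons:
            print("    -", r)
```

The point of the negation list is the second sample: a legitimate reminder that Signal will never ask for the key mentions the secret and contains the verb "share", yet is scored down to 3 and stays below the threshold, while the two requests that match the advisory's description score 7 and 6. A keyword match alone would produce false positives on exactly the awareness messages defenders want to send.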

Organizations should incorporate these points into their security policies and incident response plans, especially for high-risk personnel. Staying informed about evolving threat actor TTPs and consistently reinforcing security best practices are key to defending against nation-state adversaries.
