A joint warning from the FBI and Ukraine’s Security Service has revealed a large-scale Russian cyber espionage campaign that used fake support messages to gain access to private conversations on Signal, WhatsApp, and Telegram.
Quick Summary – TLDR:
- The FBI and Ukraine’s Security Service uncovered a long-running Russian campaign targeting messaging app users.
- Attackers sent fake support texts to trick victims into handing over verification codes and recovery keys.
- Government officials, military personnel, journalists, politicians, and activists across Ukraine, Europe, and the United States were targeted.
- Security experts say the attacks relied on social engineering rather than flaws in the messaging apps themselves.
What Happened?
The Security Service of Ukraine, also known as the SSU, and the FBI have jointly exposed a sustained Russian intelligence operation aimed at compromising messaging accounts belonging to high-value targets. The campaign focused on stealing sensitive military, political, and economic information by gaining access to private chats and personal data.
According to the agencies, Russian intelligence services have been running these operations for years and continue to target individuals and organizations across multiple countries.
Russian Operatives Used Fake Support Messages
The campaign relied on a simple but highly effective technique. Attackers sent SMS messages that appeared to come from the support teams of messaging platforms such as Signal and WhatsApp. These messages warned users about suspicious activity on their accounts and urged them to share verification codes, passwords, PINs, or recovery keys.
Once the victim provided the requested information, the attackers could take control of the account and monitor conversations in real time.
The SSU said the messages often arrived in the early morning hours when people are more likely to be tired and less cautious. Security experts describe this approach as a form of social engineering that exploits human behavior rather than software weaknesses.
Signal Recovery Keys Became a Major Target
The FBI recently warned that Russian operators have shifted their attention toward Signal Backup Recovery Keys. Unlike one-time verification codes that expire quickly, recovery keys can provide long-term access to a user’s message history.
This means attackers may continue to access conversations even if the victim changes devices or creates a new account using the same phone number.
The advisory also highlighted the abuse of linked device features. Attackers used malicious QR codes and fake support portals to connect victim accounts to devices under their control. Once linked, they could receive new messages at the same time as the account owner without raising immediate suspicion.
Campaign Reached Beyond Government Targets
While government officials and military personnel remain key targets, the campaign has expanded significantly.
The SSU said the attacks also targeted journalists, activists, politicians, and ordinary citizens. The broad targeting suggests that Russian intelligence is interested in any private communication that could provide strategic or operational value.
Security researchers have linked similar activities to Russian threat groups including Star Blizzard, UNC5792, and UNC4221, all of which have been associated with Russian intelligence operations in previous investigations.
The latest findings also come after Ukrainian authorities blamed the Belarus-aligned group UNC1151, also known as Ghostwriter, for a separate spear-phishing campaign that targeted government organizations and delivered information-stealing malware.
Authorities Urge Users to Review Their Accounts
The FBI and the SSU are urging users to take immediate steps to protect their messaging accounts.
Recommended actions include:
- Review all active sessions and remove unknown devices.
- Enable two-factor authentication and use a strong PIN.
- Never share verification codes, passwords, or recovery keys.
- Avoid clicking suspicious links or opening unexpected files.
- Do not scan QR codes received from unknown sources.
- Report suspicious activity to cybersecurity authorities.
Security officials stressed that the encryption used by messaging platforms remains secure. The real weakness is that users can be convinced to voluntarily hand over the keys to their accounts.
SQ Magazine Takeaway
I think this campaign is a reminder that modern cyber espionage is no longer only about finding software flaws. Attackers are increasingly targeting people instead of technology because human error is often easier to exploit than breaking encryption. If government officials, journalists, and military personnel can be fooled by a simple text message, ordinary users should assume they are also potential targets and take account security far more seriously.