Russian Hackers Target Signal Backup Recovery Keys

Technical Mechanics of the Signal Backup Phishing Campaign

Understanding the exact execution path of this campaign is critical for enterprise defenders who must protect executives and sensitive communication flows. The attackers do not rely on software exploits or code execution; instead, they exploit design-intended configuration options inside Commercial Messaging Applications (CMAs). By focusing on the secure backup infrastructure, the threat actors achieve a persistent, deep level of access that is difficult to detect through standard endpoint logging.

Phase 1: Initial Contact and Support Masquerade

The threat actors initiate a direct conversation inside the target messaging application. The sender account is carefully configured to masquerade as an automated system account, utilizing names such as "Signal Support" or "Security Alert" and copying legitimate corporate branding elements. The initial messages convey a false sense of urgency, typically claiming that the user must immediately resolve a synchronization error or complete a mandatory security upgrade to prevent permanent account suspension or data loss. In some variations, the lure claims that foreign cyberattacks require immediate verification of account ownership.

Phase 2: Social Engineering and Key Extraction

Once the victim responds, the impersonated support bot delivers step-by-step technical instructions. The victim is guided to navigate to the backup configuration menu within the application settings. The instructions direct the user to enable secure backups, view the generated 64-character alphanumeric recovery key, and copy it to their clipboard. Under the pretense of verifying the backup connection or linking the secure instance, the attacker instructs the user to paste the entire 64-character key directly into the active chat session. Since many users do not realize the recovery key is meant to be kept entirely private, they inadvertently hand over the cryptographic access key to their entire communication history.

Phase 3: Archive Reconstruction and Persistent Access

With the 64-character backup recovery key in their possession, the threat actors execute the final phase of the attack chain. They download the victim's encrypted backup file and use the stolen key to decrypt the archive on an attacker-controlled device. This allows the threat actors to reconstruct historical communications, including private direct messages, active group chats, contact lists, and media attachments shared over the preceding weeks. Because a Backup Recovery Key does not expire, the access is highly persistent; the threat actors can continue to access subsequent backups until the key is actively deleted and rotated by the legitimate owner.

Threat Actor Profiles and Attribution

Threat intelligence analysts have linked this coordinated campaign to specialized cyber-operations units operating on behalf of the Russian Intelligence Services (RIS). Prominent tracking clusters associated with this activity include UNC5792 (overlapping with the Ukrainian tracking identifier UAC-0195) and UNC4221 (also known as RottenShrew or UAC-0185). These threat groups are known for targeting organizations and individuals of high intelligence value globally.

Historically, groups like UNC4221 have deployed advanced capabilities alongside social engineering. For instance, the group has distributed custom phishing utilities masquerading as legitimate military planning applications and utilized JavaScript payloads like PINPOINT to collect precise geolocation data from targets. The transition to targeting backup recovery keys demonstrates an ongoing evolution, showing that these actors will pivot to targeting application-specific access credentials when traditional malware delivery or device-linking techniques fail to bypass mature endpoint defenses.

Enterprise Risk and Operational Impact

For organizations operating in regulated sectors, the compromise of an executive's messaging archive is highly disruptive. It exposes sensitive corporate development discussions, mergers and acquisitions data, legal deliberations, and critical operational planning to foreign intelligence entities. Furthermore, because messaging backups often contain shared files, passwords, and sensitive system coordinates, a single compromised key can serve as an initial foothold for lateral movement into corporate IT environments.

Organizations must determine if their domains or identities have already been caught in broader data exposures. If the domain already looks exposed, use the Dark Web Scanner before requesting a full report. Identifying early indicators of compromised accounts and domain-level risks is vital for preempting targeted spearphishing attacks.

Defensive Mitigation and Incident Response

Detecting this compromise requires a shift from traditional file-system analysis to application-level audits, because the unauthorized data reconstruction occurs entirely on remote, attacker-controlled systems. Security teams must ensure that their personnel are trained to validate their session states and application configurations manually.

The primary validation step is to audit linked devices. Within the application, users must navigate to Settings and select Linked Devices to review every connected session. Any unfamiliar desktop or secondary device must be immediately unlinked. In addition, users must look for visual indicators, such as messages from unverified senders that display a "Name not verified" warning badge beneath the profile name, which is a key sign of a support impersonation attempt.

If an employee has shared their Backup Recovery Key, the incident response team must enforce the following remediation steps immediately:

• Deactivate the Compromised Key: Navigate to Settings, access the Backups menu, and select "Turn Off and Delete Backup" to immediately purge the existing archive from the cloud and invalidate the compromised key.

• Generate a New Key: Re-enable the backup function to generate a completely new 64-character recovery key. Store this key in a secure, offline password manager, and never share it in any chat window.

• Enable Registration Lock: Access Account Settings and turn on Registration Lock. This prevents attackers from attempting to register the target's phone number on a secondary device without knowing the account's private PIN.

• Enforce Disappearing Messages: Configure default message expiration timers on all sensitive corporate and personal chat threads to ensure that historical data footprints are kept to a absolute minimum.

Securing the enterprise against modern state-sponsored groups requires continuous and proactive threat tracking. For enterprises looking to defend against advanced adversarial persistence, establishing ongoing Dark Web Monitoring is critical to capturing leaked credentials and exposed assets before they are leveraged in targeted spearphishing campaigns. Furthermore, simulating these highly targeted spearphishing campaigns through realistic Red Team Operations ensures that high-value executives and security personnel can recognize conversational phishing tactics before an incident occurs.