Threat Intel
You might see, BREAKING NEWS, RUSSIAN Hackers steal SIGNAL BACKUP KEYS, or other such styled headlines. Wow, this sounds super interesting, right! Magical hackers are stealing keys from the SECURE messaging platform! Oh MY! But wait…. maybe, maybe there’s some devil in the details!
The FBI
Ok so the FBI have issued this:
https://www.ic3.gov/PSA/2026/PSA260626
Great, details! What did the baddies do (that’s the technical term, by the way!)?
They used the magical unicorn hacker power called: Social Engineering! I know, right, the cyber mega 0-day….. oh wait, no… they just asked people to go find their keys, then copy them and send them to the baddies! Turns out mega hacks are complex, expensive, difficult and have a high chance of failure, so maybe just ask nicely! (I know this is not a new thing.)

‘The FBI has identified multiple clusters of Russian Intelligence Services (RIS) cyber threat actors responsible for an ongoing commercial messaging application (CMA) phishing campaign against individuals of high intelligence value. Russian Federal Security Service (FSB) officers embedded with the FSB Border Guards and others working on behalf of the Russian military services continue to target current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine. RIS cyber threat actors have compromised individual CMA accounts, but not the CMA’s encryption or the application itself. To date, this activity has been publicly tracked as UNC5792 and UNC4221.’
So let’s use some AI power:
“UNC5792 — a suspected Russian espionage cluster that partially overlaps with CERT-UA’s UAC-0195. Its signature TTP is modifying legitimate Signal group invite pages to include malicious links. More precisely, it hosts modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite, where the normal join-group JavaScript is swapped for the device-linking URI (sgnl://linkdevice?uuid=) so the victim unknowingly links an attacker-controlled device to their account.”
“UNC4221 — tracked by CERT-UA as UAC-0185, an additional Russia-linked actor that has actively targeted Signal accounts used by Ukrainian military personnel. It operates a tailored Signal phishing kit designed to mimic components of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance. As a core component of its tooling, UNC4221 also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser’s GeoLocation API.”
And finally:
“The FBI’s “FSB Border Guards” and “Russian military services” framing maps loosely onto these — UNC4221’s battlefield-focused Kropyva targeting and APT44/Sandworm’s close-access QR operations align with GRU/military tasking, while the broader high-value-official targeting is consistent with FSB collection priorities. GTIG has not made a definitive single-service attribution for UNC5792 or UNC4221, so treat the FBI’s RIS framing as the authoritative public attribution rather than a clean GRU-vs-FSB split.”
As always with anything LLM generated, take it with a grain, pinch or truckload of salt!
But the key thing here would be: DO NOT GIVE PEOPLE YOUR BACKUP KEYS! No matter how nicely (or not) they ask! They are for you, not random people who message you!
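To make the device-linking lure from the UNC5792 paragraph concrete from the defender’s side, here is an added example (my code, not from the original post, the FBI PSA or GTIG) that scans captured page content for `sgnl://linkdevice?uuid=` URIs dressed up as a group invite. It assumes only the URI scheme quoted above; the sample pages and the `signal.group` invite hint are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs

# The device-linking scheme quoted in the post. A page styled as a group
# invite whose click-through goes here is the lure described above.
DEVICE_LINK_HOST = "linkdevice"
# Assumption: text/links that make a page look like a Signal group invite.
INVITE_HINTS = ("signal.group", "join group", "join the group", "join a signal group")

URI_RE = re.compile(r'sgnl://[^\s"\'<>)]+', re.IGNORECASE)


def find_device_link_uris(page: str) -> list[str]:
    """Return every sgnl://linkdevice?uuid=... URI found in page text or script."""
    found = []
    for uri in URI_RE.findall(page):
        parsed = urlparse(uri)
        if parsed.netloc.lower() == DEVICE_LINK_HOST and "uuid" in parse_qs(parsed.query):
            found.append(uri)
    return found


def looks_like_group_invite(page: str) -> bool:
    """True when the page presents itself as a group invite."""
    lowered = page.lower()
    return any(hint in lowered for hint in INVITE_HINTS)


def classify_page(page: str) -> str:
    """'device-link-lure' when an invite-styled page routes the click to device
    linking, 'device-link' for a bare linking URI, 'clean' otherwise."""
    uris = find_device_link_uris(page)
    if not uris:
        return "clean"
    return "device-link-lure" if looks_like_group_invite(page) else "device-link"


# Constructed sample pages (no real infrastructure): the first mimics an invite
# but its button fires the device-linking URI, the second is an ordinary invite.
LURE_PAGE = """<h1>You have been invited to join a Signal group</h1>
<button onclick="location.href='sgnl://linkdevice?uuid=EXAMPLE-UUID-PLACEHOLDER'">
Join the group</button>"""
BENIGN_PAGE = """<h1>Join the group</h1>
<a href="https://signal.group/#EXAMPLE-INVITE-PLACEHOLDER">Open in Signal</a>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, classify_page(page), find_device_link_uris(page))
```

Run it over saved HTML from a suspicious invite link (a proxy capture or a sandbox fetch) before anyone taps “Join”; a hit means the page is trying to add a device, not a group.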
Thanks to friends at Bleeping Computer for their article, which I saw on Twitter:
See, social media isn’t all bad!