Threat from Hacker Groups UNC5792 and UNC4221
The Federal Bureau of Investigation (FBI) has issued a warning about malicious cyber groups UNC5792 and UNC4221, which are linked to Russian intelligence agencies including the FSB and Russia's military intelligence. These groups are actively targeting Signal messenger backup recovery keys. Their attacks focus on government officials in the United States and other nations, military personnel, politicians, journalists, and Ukrainian authorities.
Attack Methods and Consequences
The hackers employ social engineering tactics, often impersonating Signal's support team. They trick victims into enabling backup features, displaying their recovery key on screen, and then sending that key in a chat. Once they obtain the recovery key, attackers can read the victim's entire message history and maintain access even after a phone change. The recovery key remains valid after device replacement, meaning if a user creates a new account with the same phone number, the old key can still grant access to future backups.
The FBI names the groups UNC5792 and UNC4221 for the first time in its document, noting that the attack campaign does not break Signal's encryption or exploit app vulnerabilities. According to the FBI, a broader campaign in March compromised thousands of accounts worldwide. Meanwhile, the U.S. State Department has offered rewards of up to $10 million for information on UNC5792 through its Rewards for Justice program.
Intelligence agencies from the Netherlands, Germany, and France have also warned about similar activities. Google reports that in early 2025, UNC5792 exploited Signal's linked devices feature and later applied similar methods against WhatsApp and Telegram. Targets include current and former U.S. officials, international government personnel, military members, politicians, journalists, and Ukrainian authorities. Known social engineering techniques—such as impersonating mandatory two-factor authentication prompts or urgent data recovery requests—highlight the growing threat from these hacker groups.
This situation underscores the critical importance of cybersecurity amid modern global threats, particularly in the context of the war in Ukraine and tense Russia-West relations. Cyberattacks on government structures can have serious consequences for both national security and personal privacy. The need for proactive cybersecurity measures becomes increasingly evident as attackers continuously refine their methods.
As cyber threats evolve, it's crucial to remain vigilant against various hacking techniques. Recently, a separate incident involving exploits of Meta's AI chatbot has highlighted how attackers are increasingly targeting social media platforms to compromise user accounts. Understanding these tactics can help individuals and organizations better protect their sensitive information from malicious actors.