Signal Recovery Keys Targeted by Russian-Linked Hackers, FBI Warns

The FBI warns of a threat from Russia-linked hackers who are trying to obtain Signal recovery keys. Photo: НВ — Техно

FBI Issues Alert on Hacker Threats

The Federal Bureau of Investigation (FBI) has warned about the activities of hacker groups UNC5792 and UNC4221, which are linked to Russian intelligence services. These attackers focus on stealing backup recovery keys from the Signal messaging app. Their targets include government officials, military personnel, journalists, and Ukrainian authorities.

Once a recovery key is obtained, hackers can read victims' message history and maintain access to accounts even after the user changes phones. Notably, the key remains active even if the user creates a new account with the same phone number. This poses a risk because an old key can be used to access future backups. To address this, users are advised to generate a new key in Signal's settings, which prevents the old one from working—though it does not recover data already exposed.

This warning comes amid heightened cyber threats targeting sensitive communications. Signal is widely used by government and military personnel for encrypted messaging, making its users a prime target for espionage.

Cyberattack Threat

The FBI states that UNC5792 and UNC4221 are associated with Russian security units, including the FSB and Russia's military intelligence. The attack campaign targets Signal and WhatsApp users, but the key-related scheme applies only to Signal. The targets include:

  • current and former government officials from the U.S. and other countries,
  • military personnel,
  • politicians,
  • journalists and Ukrainian officials.

In March, the FBI reported that thousands of accounts worldwide had been compromised. The hackers use social engineering tactics, including fraudulent messages disguised as Signal support. Two examples of such messages include requests to enable mandatory two-factor authentication and urgent data recovery prompts. These attacks do not break Signal's encryption or exploit app vulnerabilities, which makes them particularly dangerous.

As part of its Rewards for Justice program, the U.S. State Department has offered up to $10 million for information on the UNC5792 group. Intelligence agencies from the Netherlands, Germany, and France have also issued similar warnings. In late 2025, Google reported that UNC5792 exploited Signal's linked devices feature, applying similar methods against WhatsApp and Telegram.

Signal users are urged to remain vigilant. If a message in Signal asks for a recovery key, verification code, or PIN, it should be treated as fraudulent. Signal never contacts users through chats to request such data.

This situation underscores the growing threat of cyberattacks targeting key players in government and media, especially amid geopolitical tensions.

Users must stay cautious and follow security recommendations to protect their data.

As cyber threats continue to escalate, the risks associated with messaging apps are becoming increasingly apparent. For instance, a recent incident in which Instagram accounts were breached through a chatbot vulnerability highlights the weaknesses present in popular platforms. Understanding these threats is crucial for users, especially those in sensitive roles, to safeguard their communications against sophisticated hacking techniques.