US offers $10 million for info on group behind Signal and WhatsApp hacking spree

Federal authorities are offering a reward of up to $10 million for information leading to the identity or location of a Russian state cyber group that compromised thousands of Signal and WhatsApp accounts of investigative journalists and US government employees.

This operation has been active since at least March, when the FBI published an advisory warning of ongoing phishing campaigns against high-value targets by attackers associated with Russian intelligence services. Messages disguised as automated support communications ask users to click on a link or provide a verification code or account passcode. If the user complies, they unknowingly link the attacker’s device to their account, or their account is taken over completely and they are locked out of it.


Thousands of accounts have already been compromised

With this access, attackers can read any new messages sent to the compromised account. However, a security feature built into Signal prevents attackers from reading any previous conversations. The phishing messages are sent to “individuals with high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists.”

Last week, the FBI published an update saying that the campaign had evolved. In addition to attempting to pose as a support bot to trick recipients into linking their account to an attacker’s device, the messages also urge users to create a backup of all previous communications by following the instructions provided. A follow-up message then instructs the target to send the longer passcode that is used to encrypt the backup stored on the Signal server. With this, attackers have access to previous Signal conversations. The update said the two Russian government groups responsible are tracked as UNC5792 and UNC4221.

A message contains text like this:

signal is here

Recently, attempts to hack users of our messenger by connecting third-party devices to the account have become more frequent.

An investigation conducted jointly with the US government and European partners revealed that the attacks on the accounts were carried out by hackers from Iran and post-Soviet countries.

In this regard, Signal updates its terms of service and privacy policy, and introduces mandatory two-factor verification for users.

To never lose your messages and media, set up your Signal backup (Settings -> Backup -> Enable Backup -> View Recovery Key -> Copy to Clipboard -> Next -> Enter Recovery Key -> Next -> Continue -> Choose your backup plan).

Click the “Accept” button in the pop-up and stay tuned for security updates on our messenger.

Stay safe and secure thanks to using the most secure messenger with end-to-end encryption.

If you have any questions, send/help

Other text looks like this:


