Signal Backup Recovery Key Russian intelligence

Theft of Signal Backup Recovery Keys by Russian intelligence is now formally attributed by three governments. The FBI, CISA, and Ukraine’s Security Service (SSU) jointly disclosed on June 26–27, 2026 that FSB-linked UNC5792 and GRU-linked UNC4221 are stealing these keys via fake support SMS messages — granting persistent access to complete message archives even after victims reset their devices or change their phone numbers. Any organization using Signal for sensitive communications needs to take one specific action today.
What Happened
Theft of Signal Backup Recovery Keys is the specific new technique documented in FBI/CISA advisory PSA I-062626 (June 26, 2026): Russian intelligence actors tracked as UNC5792 (assessed as linked to the FSB Border Guards) and UNC4221 (assessed as linked to GRU military intelligence services) have evolved their Signal phishing operation to target Backup Recovery Keys directly.
The attack does not exploit a Signal vulnerability. Signal’s end-to-end encryption remains intact. The attack is social engineering against the backup layer — the separate mechanism that allows account restoration to a new device.
The tactic: targets receive an SMS message impersonating official Signal support. The message warns of a sync error threatening the recipient’s message history. To “protect” their data, recipients are instructed to open Signal Settings, copy their Backup Recovery Key, and paste it into the reply. Once that key is handed over, the attacker can restore the target’s complete message archive — all private and group conversations — to a device under their control.
The detail that changes incident response: creating a new Signal account on the same phone number does not invalidate a stolen Backup Recovery Key. The key survives phone number rotation. Victims who follow standard device-reset procedures believe they are protected — they are not. The attacker retains the ability to download message archive backups indefinitely, until the victim explicitly generates a new key.
On June 27, Ukraine’s SSU published a joint confirmation of the same campaign, identifying UNC5792 and UNC4221 as responsible and specifying confirmed target categories: government officials, military personnel, politicians, journalists, and civil society contacts across Ukraine, Europe, and the United States.
Why It Matters
End-to-end encryption is not broken. Signal’s cryptography is sound. But the backup layer is a separate attack surface that enterprise messaging security policies rarely address explicitly.
For DACH organizations using Signal as a secure channel for leadership communications, M&A discussions, sensitive HR matters, or board-level conversations: Backup Recovery Key lifecycle management is now a security control that must be documented and enforced. If a key was compromised — and that cannot be ruled out if anyone on your team received a suspicious support message in the past six months — historical message archives remain exposed until the key is explicitly rotated.
The threat actor profile matters here. UNC5792 and UNC4221 are not financially motivated cybercriminals — they are signals intelligence operations targeting sensitive communications from high-value individuals. If your organization works in defense supply chains, critical infrastructure, policy, or cross-border M&A activity, you are within the target profile described in the advisory.
For NIS2-regulated organizations using Signal for internal communications: if anyone in a key role may have been targeted, this exposure should be assessed for Article 23 reporting obligations. A compromised backup key is a data confidentiality incident, even if no malware was installed and no device was technically breached.
What You Should Do Now
- Generate a new Backup Recovery Key now. Open Signal → Settings → Account → Backups → Generate New Recovery Key. This single action invalidates the old key for all future backup downloads. It does not affect message delivery, existing contacts, or conversation history on your current device.
- Warn your team. Signal does not send unsolicited support messages. Any SMS claiming to be from Signal support and asking for account credentials, a recovery key, or any account verification input is an attack. The message can look highly legitimate — the ask is the indicator.
- Add key rotation to your offboarding and incident response procedures. Every time a device is handed over, lost, or an employee departs: rotate the Backup Recovery Key. Add this to your standard checklist alongside wiping the device.
- Assess exposure retroactively. If anyone in your organization received a suspicious Signal support SMS in the past six months and cannot confirm they did not respond, treat the old key as compromised and rotate immediately. Historical data already exfiltrated cannot be recovered, but the exposure window closes the moment the key rotates.
DIESEC Perspective
Secure messaging platforms solve one specific problem: transit encryption. They do not solve the full messaging security problem, which includes account recovery mechanisms, device management, and the human factor — which this attack exploits directly. Organizations deploying Signal for sensitive communications should treat it as one layer of a defense-in-depth strategy, not a complete solution. Backup key lifecycle management, device policy, and user awareness for social engineering targeting secure channels all need to be explicitly defined. If your organization needs help assessing your current secure communications posture, contact the DIESEC team.
Sources: The Hacker News — FBI/CISA Advisory | The Hacker News — Ukraine SSU Confirmation | FBI PSA I-062626
Published: 2026-07-01 | Category: Nation-State & APT | ~4 min read

