Alert Number: I-032026-PSA

Russian Intelligence Services Target Commercial Messaging Application Accounts


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are jointly issuing this public service announcement (PSA) to warn the public about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services (RIS) targeting commercial messaging applications (CMAs). RIS actors have compromised individual CMA accounts, but not CMAs' encryption or the applications themselves. The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists.

This global campaign has resulted in unauthorized access to thousands of individual CMA accounts. After compromising an account, malicious actors can view the victims' messages and contact lists, send messages, and conduct additional phishing against other CMA accounts. (Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs). CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors' current tactics, techniques, and procedures.

A diagram that illustrates two related schemes for accessing CMA accounts. The first, called Linked Device Feature Abuse, starts with actors identifying a target victim, then impersonating a contact of that victim and sending a malicious link or QR code. The victim then clicks that link (or scans the code) and the actors link their own device to the victim's CMA account. This results in both the victim and the actors having access to the CMA account. The second scheme is called Account Takeover. After actors identify a target, they send a phishing message to the victim to elicit a PIN and 2FA code. If the victim supplies this information, they lose access to their CMA account and the actors gain control of it.
Figure 1: Two Schemes

How It Works

RIS cyber actors send phishing messages masquerading as automated CMA support accounts. The actors tailor the messages to deceive targets into taking an action, such as clicking a link or providing verification codes or account PINs (see Figure 2). If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account, either by adding the attacker's device as a linked device or through a full account takeover (see Figure 1). As the campaign evolves, actors may use additional techniques, such as delivering malware to the victim's device.

A collection of phishing messages used in these schemes. They are:
  • "Dear user, this is Signal Security support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak. We have also detected attempts to gain access to your private data on Signal. To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. Don't tell anyone the code. Not even Signal employees."
  • "Our system has detected a recent login attempt to your account from an unrecognized device or location. As a security measure, we have blocked this attempt and sent a verification code via SMS to your registered phone number. If this was NOT you: To secure your account and block this unauthorized access please reply to this message with the verification code you just received. If this WAS you: You can safely ignore this message. The login attempt will be automatically approved shortly. Thank you for helping us keep your account secure."
  • "Dear user, We noticed suspicious activity on your device, which have led to data leak. We have also detected attempts to gain access to your private data in Signal. To prevent this, we ask you to pass verification procedure, which will take less than a minute. Please let us know as soon as you are ready. Best regards, Signal support"
  • "Signal Security Team Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent. In this regard, Signal updates Terms of Service & privacy policy and introduces Mandatory Two-factor Verification for users. Stay safe and thank you for using the most secure messenger with end-to-end encryption."
  • "Dear User, this is Signal Security support Chatbot. Another Samsung Galaxy S 10 device is connected to your account. Location: Drohobych, Lvivska oblast, Ukraine - IP: 178.212.97.211 If it were not you, send: /Cancel"
Figure 2: Sample Phishing Messages
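The samples in Figure 2 share a small set of tells: a sender claiming to be support or a security team, a request for a verification code, 2FA code or PIN, manufactured urgency, a link or bot command to act on, and talk of devices being connected to the account. The following script is an added example, not part of the PSA and not any messaging application's own code. It scores inbound message text against those tells and flags messages that cross a threshold; the patterns, weights and threshold are assumptions chosen for illustration, and the five Figure 2 messages plus two benign messages are embedded as constructed input so it runs offline. It generalizes slightly beyond the page by also weighting whether the sender is a known contact, since the PSA's guidance is to distrust unexpected senders.

```python
"""Heuristic triage of messenger text for support-impersonation phishing.

Added example. The signal patterns, weights and THRESHOLD are assumptions
for illustration; they are tuned against the five Figure 2 samples and are
not a published detection rule.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    name: str
    pattern: re.Pattern
    weight: int


# Each tell maps to a regex and a weight (assumed values).
SIGNALS = [
    Signal("support_impersonation",
           re.compile(r"\b(support|security team|chatbot)\b", re.I), 2),
    Signal("credential_request",
           re.compile(r"\b(verification|2fa|two-factor|pin)\b", re.I), 3),
    Signal("urgency",
           re.compile(r"\b(suspicious activity|unrecognized device|data leak|hack|blocked)\b", re.I), 1),
    # A URL, or a slash-command such as "/Cancel" that a bot would act on.
    Signal("link_or_command",
           re.compile(r"(https?://\S+|(?<!\S)/[A-Za-z]+\b)", re.I), 2),
    Signal("device_linking",
           re.compile(r"\b(connected to your account|third-party devices|linked device)\b", re.I), 2),
]
THRESHOLD = 4  # assumed; message 2 in Figure 2 lands exactly here


def score_message(text: str, known_contact: bool = True) -> tuple[int, list[str]]:
    """Return (score, names of matched signals) for one message body."""
    score, hits = 0, []
    for sig in SIGNALS:
        if sig.pattern.search(text):
            hits.append(sig.name)
            score += sig.weight
    if not known_contact:        # unexpected sender adds weight (assumption)
        hits.append("unknown_sender")
        score += 1
    return score, hits


def is_suspicious(text: str, known_contact: bool = True) -> bool:
    return score_message(text, known_contact)[0] >= THRESHOLD


# Constructed input: the five sample messages quoted in Figure 2.
SAMPLES = [
    "Dear user, this is Signal Security support ChatBot. We have noticed suspicious "
    "activity on your device, which could have led to data leak. To prevent this, you "
    "have to pass verification procedure, entering the verification code to Signal "
    "Security Support Chatbot. Don't tell anyone the code. Not even Signal employees.",
    "Our system has detected a recent login attempt to your account from an unrecognized "
    "device or location. As a security measure, we have blocked this attempt and sent a "
    "verification code via SMS to your registered phone number. If this was NOT you: "
    "please reply to this message with the verification code you just received.",
    "Dear user, We noticed suspicious activity on your device, which have led to data "
    "leak. To prevent this, we ask you to pass verification procedure, which will take "
    "less than a minute. Best regards, Signal support",
    "Signal Security Team Recently, attempts to hack users of our messenger with the "
    "connection of third-party devices to the account have become more frequent. Signal "
    "introduces Mandatory Two-factor Verification for users.",
    "Dear User, this is Signal Security support Chatbot. Another Samsung Galaxy S 10 "
    "device is connected to your account. Location: Drohobych, Lvivska oblast, Ukraine "
    "- IP: 178.212.97.211 If it were not you, send: /Cancel",
]

# Constructed benign messages; the second mentions a PIN but asks for nothing.
BENIGN = [
    "Hey, are we still on for lunch tomorrow? Send me the address.",
    "I reset my PIN on the new phone, all good now.",
]

if __name__ == "__main__":
    for msg in SAMPLES + BENIGN:
        score, hits = score_message(msg)
        print(f"{'FLAG' if score >= THRESHOLD else 'ok  '} score={score} {hits}")
```

The second benign message scores below the threshold from a known contact but crosses it when `known_contact=False`, which mirrors the PSA's advice: the same words are far more suspect when they arrive unexpectedly from an unknown sender. A scorer like this is a triage aid for a security team reviewing reported messages, not a substitute for the user-side checks in the Recommendations.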

Recommendations

Phishing remains one of the least sophisticated yet most effective means of cyber compromise. End-to-end encryption protects messages in transit, but an actor who takes over an account or links a device to it reads messages as the legitimate user would, so phishing bypasses the encryption entirely without breaking it. CMA users are urged to be vigilant in identifying potential phishing activity and to employ necessary cyber hygiene practices. Users are also reminded to use caution regarding the type of information disseminated and/or discussed on CMAs.

The following guidance can be used to identify suspicious messages and help protect yourself from malicious cyber activity:

  • If It Feels Off, Hit Pause: Suspect a scam? Stop all interaction and do not share codes/PINs/passwords. Never share your PIN or two-factor authentication (2FA) codes for an action you did not initiate.
  • Treat Unknown Messages with Suspicion: Unexpected messages from unknown contacts (or even "friends" with odd or unusual requests) may be phishing attempts. Block and report these items to prevent any unauthorized access to your account. If you believe a message may be legitimate, contact the sender through an alternate means of communication to verify before you provide any information.
  • Scrutinize Links Before You Click: Inspect links and files before clicking or opening. Do not click on suspicious links or attachments; doing so could install malware or enable unauthorized access to your account.
  • Verify Your Group Chats Regularly: Periodically scan participant lists for duplicates or fakes. If duplicate accounts appear, verify the authenticity of chat participants through another form of secure communication outside of the app.
  • Stay Updated and Locked Down: Be aware of the security features available within the CMA you use and familiarize yourself with how they work. Enable message expiration features to automatically delete sensitive messages after a set period. For employer-issued devices, verify that applicable records retention policies allow for this setting to be enabled and that doing so is consistent with law.
  • Report Swiftly: Alert your organization's security team and/or IT department of suspected phishing scams. Additionally, report incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/ or your local FBI Field Office. For financial or identity fraud, also consider notifying local authorities.
  • Interacting with CMA Support: Most CMA support services only communicate with users via their official email addresses. Legitimate CMA support services will not request verification codes, especially via direct message within the application itself. CMA support services do not send users links to "verify" or "restore" accounts. Always go directly to the app or official website yourself before interacting with CMA support.

Report It

If you or someone you know has fallen victim to this phishing campaign, file a complaint with IC3. For additional information, see FBI's guidance on Spoofing and Phishing as well as a previous Public Service Announcement about how "Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud." Additionally, see CISA's "Phishing Guidance: Stopping the Attack Cycle at Phase One | CISA" and "Mobile Communications Best Practice Guidance."