FBI: Russian hackers now target Signal backup recovery keys
The FBI and CISA are warning that a phishing campaign targeting Signal users tied to Russian intelligence services has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' historical messages. [...]
AI Analysis
Technical Summary
This threat involves a phishing campaign attributed to Russian Intelligence Services targeting Signal users to steal their Backup Recovery Keys. The attackers impersonate Signal support teams and send messages claiming new mandatory two-factor verification, instructing users to enable backups and share their recovery keys. With the stolen recovery key, attackers can decrypt and access the victim's historical Signal messages stored in Signal's Secure Backups. The campaign targets individuals of high intelligence value, including government and military personnel, journalists, and political figures. The FBI and CISA emphasize that legitimate Signal support never requests recovery keys or verification codes via messaging. Users must generate new recovery keys after compromise to invalidate old keys for future backups, but this does not affect backups already accessed by attackers.
Potential Impact
If successful, attackers gain access to victims' historical Signal messages and media by decrypting backups using stolen recovery keys. This compromises the confidentiality of private and group conversations. The campaign specifically targets high-value individuals, potentially exposing sensitive communications. The compromise persists even if the victim creates a new Signal account with the same phone number, unless a new recovery key is generated. Even after a new key is generated, attackers retain access to any backups already downloaded with the stolen key.
Mitigation Recommendations
No official patch is applicable as this is a phishing campaign exploiting user behavior. Users should be educated that legitimate Signal support never requests recovery keys or verification codes via messages or links. Users who suspect compromise should immediately generate a new Backup Recovery Key via Signal's settings to invalidate the old key for future backups. Reporting suspected incidents to the FBI's IC3, local FBI field offices, or CISA is recommended. Vigilance against phishing attempts impersonating Signal support is critical.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/","fetched":true,"fetchedAt":"2026-06-26T22:06:24.704Z","wordCount":1064}
Threat ID: 6a3ef7e027e9c7971902c06a
Added to database: 06/26/2026, 22:06:24 UTC
Last enriched: 06/26/2026, 22:06:31 UTC
Last updated: 06/27/2026, 01:47:42 UTC