UNC5792 and UNC4221 are Russian intelligence-linked cyber threat groups targeting US and allied government and military personnel through phishing campaigns on commercial messaging applications such as Signal and WhatsApp. They impersonate automated support accounts to trick victims into sharing verification codes and Backup Recovery Keys, which allow persistent account takeover including access to historical messages. The US government has publicly offered rewards for information on these actors, linking UNC5792 to the Russian FSB Border Guards and UNC4221 to Russian military services. The attackers abuse legitimate device-linking features to compromise sensitive communications and use hijacked accounts to conduct further phishing attacks. Mitigation requires generating new Backup Recovery Keys to invalidate compromised keys, though attackers may retain previously downloaded backups.

The threat actors gain unauthorized access to sensitive government communications, contact lists, and group conversations on secure messaging platforms. This compromises confidentiality and integrity of communications involving US government officials, military leaders, allied personnel, journalists, and political figures. Compromised accounts are used to propagate further phishing attacks, increasing the scope of compromise. Historical conversations may be accessed and exfiltrated, potentially exposing sensitive information even after account recovery. The association with Russian intelligence services indicates a state-sponsored espionage campaign targeting high-value individuals.

Users of affected messaging applications should generate new Backup Recovery Keys to invalidate previously compromised keys, thereby evicting attackers from their accounts. However, this does not prevent attackers from having already downloaded backups of original accounts. Organizations should follow guidance from CISA and FBI alerts regarding these threat actors. No official patch or fix applies as this is a social engineering and account compromise threat rather than a software vulnerability. Vigilance against phishing attempts impersonating support accounts is critical.