Dernière minute
ITIran, colpito sito a Bushehr. Trump chiama Netanyahu per coordinare prossime mosseARتصعيد عسكري متبادل بين أمريكا وإيران.. وتوتر في الأردن ولبنانITRepubblica journalists stunned by Orfeo's resignation, demand industrial planARالأنظار تتجه نحو مواجهة المغرب وفرنسا في ربع نهائي كأس العالمRUМИД РФ: Киев пытается усилить террор против мирного населения РоссииESFrancia y Marruecos abren los cuartos de final con un duelo de poder a poderBRCarga de remédios contra câncer avaliada em R$ 4,6 milhões é roubada em SPBRMulher morre 25 dias após sofrer queimaduras em terreiro de candomblé no RioBRChuva e vento danificam orla e levam à contenção emergencialRUЗахарова: ВСУ "охотятся" на рейсовые автобусы с помощью дроновITIran, colpito sito a Bushehr. Trump chiama Netanyahu per coordinare prossime mosseARتصعيد عسكري متبادل بين أمريكا وإيران.. وتوتر في الأردن ولبنانITRepubblica journalists stunned by Orfeo's resignation, demand industrial planARالأنظار تتجه نحو مواجهة المغرب وفرنسا في ربع نهائي كأس العالمRUМИД РФ: Киев пытается усилить террор против мирного населения РоссииESFrancia y Marruecos abren los cuartos de final con un duelo de poder a poderBRCarga de remédios contra câncer avaliada em R$ 4,6 milhões é roubada em SPBRMulher morre 25 dias após sofrer queimaduras em terreiro de candomblé no RioBRChuva e vento danificam orla e levam à contenção emergencialRUЗахарова: ВСУ "охотятся" на рейсовые автобусы с помощью дронов
Newsgather
BackUS Offers $10 Million Reward for Information on Russian Cyber Group Hacking Signal, WhatsApp Accounts
US Offers $10 Million Reward for Information on Russian Cyber Group Hacking Signal, WhatsApp Accounts
En développement
Ars Technica29.06.2026Defense5 dk okumaUnited States

US Offers $10 Million Reward for Information on Russian Cyber Group Hacking Signal, WhatsApp Accounts

Thousands of accounts belonging to US government employees and investigative reporters have been compromised by groups linked to Russian intelligence.

L'essentiel

Federal authorities are offering up to $10 million for information on a Russian state cyber group, tracked as UNC5792 and UNC4221, which has compromised thousands of Signal and WhatsApp accounts of US government officials, military personnel, political figures, and journalists since at least March through sophisticated phishing campaigns.

Résumé généré par IA

Pourquoi c'est important

Federal authorities are offering a reward for information on a Russian state cyber group that has compromised thousands of Signal and WhatsApp accounts belonging to investigative reporters and US government employees, with the operation active since at least March.

Taille de police

Federal authorities are offering a reward of up to $10 million for information leading to the identification or location of a Russian state cyber group that has compromised thousands of Signal and WhatsApp accounts belonging to investigative reporters and US government employees.

The operation has been active since at least March, when the FBI published an advisory warning of ongoing phishing campaigns targeting high-value targets by attackers associated with Russian intelligence services. Messages masquerading as automated support communications ask that users click a link or provide verification codes or account passcodes. In the event the user complies, they unknowingly link the attacker’s device to their account or have their account completely taken over and are locked out.

Thousands of accounts already compromised

With that, the attackers can read any new messages sent to the compromised account. A safety feature built into Signal, however, prevents the attackers from reading any previous conversations. The messages are sent to “individuals of high intelligence value, such as current and former US government officials, military personnel, political figures, and journalists.”

Last week, the FBI published an update that said the campaign had evolved. In addition to trying to post as support bots trying to trick recipients into linking their account to an attacker device, the messages also urge users to create a backup of all previous communications following the directions here. A follow-up message then instructs the targets to send the long passcode that’s used to encrypt backups stored on Signal servers. With that, the attackers have access to past Signal conversations. The update said two Russian government groups responsible were tracked as UNC5792 and UNC4221.

One message has text similar to this:

Signal is here

Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.

An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries.

In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.

Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan).

Click the “Accept” button in the pop-up and stay tuned for security updates on our messenger.

Stay safe and thank you for using the most secure messenger with end-to-end encryption.

If you have any questions, send /help

Other text looks like this:

Action Required: Data Recovery Needed

Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.

To avoid losing your messages and media:

Go to Settings -> Backups -> Configure -> Enable Backups -> View Recovery Key.

Copy the recovery key to your clipboard.

Paste the key into this chat.

This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data.

On Monday, the US State Department said it was offering up to $10 million for information on the identities or locations of any of the people involved in the campaign. The reward is being offered under the State Department’s Reward for Justice program, or simply RFJ. The post said that in some cases, the attackers were abusing a Signal feature that allows users to create links to invite others to group discussions.

“Under this reward offer, RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” Monday’s post read. “UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of US government officials, military leadership, and allied personnel.” The post continued:

In some instances, UNC5792 actors altered legitimate “group invite” pages to redirect users to a malicious URL that linked a UNC5792-controlled device to the victim’s Signal account. Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts.

The RFJ went on to say that the campaign has already compromised thousands of messenger accounts.

It may be hard for many to fathom the possibility of US intelligence officers, diplomats, or journalists falling for the scam. The fact remains that it only takes a moment for someone who is fatigued, sleep-deprived, or otherwise unguarded to act on the messages. Phishing remains one of the most effective means of gaining access to accounts, despite the relatively unsophisticated technical prowess required.

If someone provides their backup key in their response, they must generate a new backup recovery key. “To mitigate this risk, the user must generate a new Backup Recovery Key within the Settings control; this action will invalidate the previous key for all future backup downloads,” the FBI said in last week’s advisory. “However, please note that this does not prevent the actor from having already downloaded a backup of the original account.”

Messenger users should note that:

Legitimate CMA support services will not request verification codes within the application.

CMA support services do not send users links to “verify” or “restore” accounts.

They should never provide a verification code without confirming the request comes from a legitimate CMA communication channel.

As always, it’s a good idea to resist taking on the feeling of urgency that’s often conveyed in such messages. There is rarely a penalty for waiting an extra hour or two to act, even when responding to legitimate requests.

Questions ouvertes

  • What specific information was compromised from the accounts?
  • How many accounts exactly have been compromised?
  • Will the reward lead to the identification of UNC5792 and UNC4221 members?

Sujets liés

This article was originally published by Ars Technica.

Articles liés

Plus sur ce sujetcybersecurity