Global cybersecurity and state-sponsored hacking

Russia's FSB and GRU Target Signal Backup Keys — Not the Encryption. The $10M Bounty Explains the Difference.

US Rewards for Justice names UNC5792 and UNC4221 for hijacking encrypted messaging accounts of NATO officials — without breaking any cryptography.

[Infographic: "Russia's Signal Espionage Campaign: By the Numbers" (People of Internet Research). Panels: $10M US bounty offered (Rewards for Justice reward for UNC…); thousands of accounts compromised (commercial messaging accounts targ…); 5 Russia-linked groups (APT44, Turla, UNC5792, UNC4221, UN…).]

Key Takeaways

The $10 Million Signal

On June 29, 2026, the U.S. State Department's Rewards for Justice program published a $10 million bounty for information leading to the identification of UNC5792 and UNC4221 — two Russia-linked hacking groups that have spent at least three years systematically targeting encrypted messaging accounts belonging to NATO diplomats, U.S. government officials, investigative journalists, and NGOs supporting Ukraine. The same week, the FBI and CISA updated a joint advisory (PSA I-062626-PSA, June 26, 2026), upgrading their earlier March 2026 warning with evidence of a tactical shift: the groups have moved from stealing SMS verification codes to extracting Signal's Backup Recovery Keys — a 64-character credential that unlocks an account's entire encrypted message archive.

The distinction matters because it exposes something uncomfortable for both privacy advocates and surveillance hawks: Russia didn't break Signal. It found the door the user left open.

How the Attack Works

UNC5792 (attributed to Russia's FSB Border Guards, also tracked by Ukraine's CERT as UAC-0195) and UNC4221 (attributed to Russian military services, tracked as UAC-0185) use separate but complementary techniques, catalogued in a February 2025 Google Threat Intelligence Group (GTIG) report titled "Signals of Trouble" that first publicly documented the campaign.

UNC5792 hosts malicious lookalike Signal group-invite pages at domains like add-signal-group[.]com and signal-security[.]online. Legitimate Signal group links include JavaScript that accepts a group invitation. The malicious versions replace that code with Signal's device-linking URI (sgnl://linkdevice?uuid=…), silently registering an attacker-controlled device as a trusted linked endpoint. From that moment forward, the attacker receives a real-time copy of every message the victim sends or receives — no decryption required, because the attacker's device has been enrolled as a legitimate recipient.

UNC4221 runs a separate kit themed around "Kropyva," the artillery-targeting software used by Ukraine's armed forces. It deploys malicious QR codes disguised as Signal security alerts, along with a lightweight JavaScript payload (tracked as PINPOINT) that harvests device info and geolocation data. The group impersonates Signal support to pressure victims into completing "mandatory" account verification steps. The June 2026 FBI advisory flagged a further evolution: both groups are now explicitly targeting Backup Recovery Keys, since a compromised key provides persistent access to the message archive even if the victim creates a new account on the same phone number. A single successful phishing interaction is converted into enduring surveillance capacity.

Five Groups, One Platform

UNC5792 and UNC4221 are not operating alone. The Google GTIG report identified five distinct Russia-aligned threat actors targeting Signal simultaneously. APT44/Sandworm (GRU) has been documented physically linking Signal accounts on captured battlefield devices. Turla (FSB Center 16) deploys a PowerShell script to stage Signal's encrypted SQLite database for exfiltration to internal network shares. UNC1151, a Belarus-linked group, uses Windows robocopy to lift the entire %APPDATA%\Signal directory wholesale. These represent different tradecraft from different intelligence organs operating in parallel — suggesting Signal access has become a standing collection priority for the Russian state, not an opportunistic side operation targeting individual dissenters.
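The Turla and UNC1151 collection patterns above are the kind of thing an endpoint detection rule can catch: a bulk-copy tool or scripting host touching Signal Desktop's %APPDATA%\Signal directory, especially with a network share as the destination. The following is an added example (not from the article or any vendor product) that runs such a check over constructed process-creation events; the simplified `<image>|<command line>` log format, the xcopy/cmd additions to the collector list, and the `signal.exe` allow-list are assumptions.

```python
import re
from typing import List, NamedTuple

# Signal Desktop's local store lives under %APPDATA%\Signal (the directory the
# article says UNC1151 copies wholesale). $env:APPDATA covers PowerShell syntax.
SIGNAL_DIR = re.compile(
    r"(?:%APPDATA%|\$env:APPDATA|\\AppData\\Roaming)\\Signal\b", re.IGNORECASE)
# A UNC share destination, the staging pattern the article attributes to Turla.
UNC_SHARE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
# Bulk-copy and scripting hosts named on the page (robocopy, PowerShell);
# xcopy and cmd are assumed variants an analyst would add.
COLLECTORS = {"robocopy.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "cmd.exe"}
BENIGN_IMAGES = {"signal.exe"}  # assumed: Signal itself legitimately touches the dir

class Finding(NamedTuple):
    image: str
    severity: str
    command_line: str

def scan_events(lines: List[str]) -> List[Finding]:
    """Return one Finding per process-creation event that looks like staging."""
    findings = []
    for raw in lines:
        if "|" not in raw:
            continue
        image, cmdline = raw.strip().split("|", 1)
        name = image.rsplit("\\", 1)[-1].lower()
        if name in BENIGN_IMAGES or not SIGNAL_DIR.search(cmdline):
            continue
        is_collector = name in COLLECTORS
        to_share = bool(UNC_SHARE.search(cmdline))
        if is_collector and to_share:
            findings.append(Finding(name, "high", cmdline))
        elif is_collector or to_share:
            findings.append(Finding(name, "medium", cmdline))
    return findings

# Constructed sample events in a simplified "<image>|<command line>" format.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\Robocopy.exe|robocopy C:\Users\jdoe\AppData\Roaming\Signal C:\Users\Public\stage /E",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Copy-Item $env:APPDATA\Signal\* \\fileserver01\share\s -Recurse",
    r"C:\Users\jdoe\AppData\Local\Programs\signal-desktop\Signal.exe|Signal.exe --user-data-dir=C:\Users\jdoe\AppData\Roaming\Signal",
    r"C:\Windows\System32\Robocopy.exe|robocopy C:\Users\jdoe\Documents \\fileserver01\backup\docs /E",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.severity.upper(), f.image, f.command_line)
```

Only the first two sample events are flagged: the local robocopy of the Signal directory as medium, the PowerShell copy to a network share as high.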

Signal responded to the GTIG report in early 2025 with hardened iOS and Android releases that make silent device-linking harder to execute. That is meaningful progress. It does not help users who have not updated, who fail to audit their linked devices list, or who are persuaded by social engineering to hand over credentials directly — which is precisely the population these campaigns target.

The Policy Implication: Backdoors Would Make This Worse

The strongest case for government intervention here deserves to be stated clearly: state-sponsored operatives are systematically harvesting sensitive communications from officials conducting legitimate diplomatic and national security work. Regulators in the EU, UK, India, and the US have at various times argued that encryption platforms should maintain lawful-access mechanisms to address exactly these kinds of foreign state threats. The concern is not paranoia.

But the UNC5792 and UNC4221 campaign demonstrates why that argument inverts the problem. The attack does not exploit any flaw in Signal's encryption algorithm. It exploits backup and device-linking features — precisely the category of mechanism that a government-mandated access point would represent. Every server-side key escrow or "ghost user" proposal under active legislative debate essentially industrialises what Russia is attempting manually and at scale. The question regulators must answer is not whether democratic governments deserve lawful access to encrypted communications; it is whether building that access infrastructure makes systematic exploitation by adversaries inevitable. The FBI's own advisory answers it implicitly: it tells users to generate new Backup Recovery Keys immediately to invalidate any compromised credentials. That defensive option only exists because the key architecture remains under user control. Mandate central key escrow, and you transform a targeted phishing problem into a permanent systemic one.

What Should Actually Change

For high-risk users — diplomats, journalists, human rights workers — the immediate action is concrete: audit Signal's Linked Devices screen and revoke anything unrecognised; generate a new Backup Recovery Key now; never share verification codes, PINs, or recovery keys with anyone claiming to represent Signal support; and treat unsolicited QR codes as adversarial by default. iPhone users in high-risk categories should consider Lockdown Mode.

At the platform level, Signal's hardened releases are the right model: frictionless security improvements that protect users without requiring them to understand the underlying threat. More explicit UI warnings when a device-linking QR code is scanned — especially from an external source — would raise the cost of UNC5792-style attacks without any cryptographic tradeoff.

At the policy level, the $10 million bounty is a proportionate and constructive response. It names the actors, publicly quantifies the campaign's scope, and treats messaging-app espionage as a serious national security matter rather than a consumer nuisance. The appropriate follow-on is sustained law enforcement coordination with allies — not a renewed push for encryption backdoors that would hand the next state actor willing to breach a key-escrow server exactly what Russia is currently working to steal one phishing email at a time.

Sources & Citations

  1. Rewards for Justice — UNC5792
  2. FBI/IC3 Advisory PSA I-062626-PSA
  3. Google GTIG — Signals of Trouble
  4. The Record — $10M Reward
  5. BleepingComputer — US Bounty