
The U.S. Department of State has announced a reward of up to $10 million for information leading to the identification or location of members of UNC5792, a Russian state-linked hacking group accused of targeting Signal and WhatsApp accounts belonging to U.S. government officials, military personnel, journalists, and other high-value individuals.
The reward, offered through the Rewards for Justice (RFJ) program, accompanies an updated FBI and CISA warning that the campaign has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' encrypted message archives in addition to taking over their accounts.
According to the State Department, UNC5792 is associated with officers embedded in the Russian Federal Security Service (FSB) Border Guards and works alongside UNC4221, another cluster linked to Russian military intelligence. Authorities say the groups conduct phishing operations that abuse legitimate account-linking features in commercial messaging applications rather than exploiting flaws in the apps' end-to-end encryption.
The attacks have affected thousands of accounts and primarily target current and former U.S. government officials, diplomatic staff, military leaders, NATO personnel, intelligence partners, journalists covering Russia and Ukraine, NGOs supporting Ukraine, and academic researchers focused on Russian affairs.
The FBI and CISA said Russian intelligence operators continue to impersonate messaging app support teams through phishing messages that request one-time verification codes, account PINs, or, more recently, Signal Backup Recovery Keys.
If attackers obtain a victim's Backup Recovery Key after the user enables encrypted cloud backups, they can access historical messages, attachments, private chats, and group conversations. The agencies warn that the key remains valid even if the victim creates a new Signal account using the same phone number. To invalidate a stolen key, users must generate a new Backup Recovery Key in Signal's settings, but this does not prevent attackers from accessing any backups they may have already downloaded.
The updated advisory expands on an FBI and CISA warning issued in March, which detailed how Russian intelligence actors abused Signal's linked-device feature and social engineering to hijack accounts without compromising the platform's encryption. In May, security researchers and targeted users also reported phishing campaigns impersonating Signal Support to steal Backup Recovery Keys shortly after Signal introduced encrypted cloud backups.

The State Department now seeks information on UNC5792 members, their identities, intelligence affiliations, technical infrastructure, domains, hosting providers, funding sources, cryptocurrency wallets, financial networks, and contractors supporting the operation.
The FBI and CISA recommend treating unsolicited messages claiming to be from Signal or other messaging platform support teams as fraudulent. Users should never share verification codes, PINs, or Backup Recovery Keys through chat messages and should verify any account-related requests through official communication channels. Victims are encouraged to report incidents to the FBI's Internet Crime Complaint Center (IC3), their local FBI field office, or CISA.






