Region: Global · Category: cyber

New Russian-Linked Signal Phishing Tactic Puts Encrypted Chats at Risk

U.S. authorities are warning that hackers tied to Russian intelligence are using a new phishing tactic to steal Signal backup keys, potentially letting them restore victims’ encrypted message history and hijack accounts. The campaign targets government, diplomatic, and tech-sector users — turning one of the world’s most trusted messaging apps into an attack surface for espionage rather than a shield against it.

One of the core promises of secure messaging — that even powerful states cannot easily read your conversations — is being tested not by breaking encryption, but by tricking people into handing over the keys themselves.

On 26 June, cybersecurity alerts described a new phishing technique attributed to actors linked to Russian intelligence that aims squarely at users of Signal, the widely used end‑to‑end encrypted messaging app. According to U.S. law enforcement and cybersecurity agencies, the attackers are contacting targets and asking them to share their Signal Backup Recovery Key, the long code that allows users to restore their message history on a new device.

If the phishing succeeds and the attackers obtain that key, they can restore old backups, read past message histories, and effectively take over the victim’s Signal account. Nothing about Signal’s encryption is broken here. The attackers abuse an account recovery feature: a backup is only as secret as the key that unlocks it, and that key can be talked out of a person far more cheaply than it can be computed. The warnings say the campaign has struck at government, diplomatic, and software development organizations in multiple countries.
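One control that follows from this, as an added example that is not from the advisories, from Signal, or from the original article: a small Python triage rule that scores a message for the lure pattern described above (a request to hand over or confirm the backup or recovery key, deadline pressure, a support-team persona) and separately flags any recovery-key-shaped string in transit, since the key itself leaving the organisation matters more than the wording around it. The 64-character alphanumeric key shape, the phrasing lists and the sample messages are all assumptions constructed for the illustration, not Signal’s specification or real captured traffic.

```python
import re
from dataclasses import dataclass, field

# Assumed key shape for this example: 64 alphanumeric characters, written as one
# run or as 16 groups of 4 separated by spaces or dashes. Illustration-only
# assumption, not a statement of Signal's actual recovery-key format.
KEY_SHAPE_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{4}[ -]?){15}[A-Za-z0-9]{4}(?![A-Za-z0-9])"
)
KEY_TERM_RE = re.compile(
    r"\b(?:backup|recovery)\s+(?:recovery\s+)?(?:key|code|phrase)\b", re.IGNORECASE
)
REQUEST_VERB_RE = re.compile(
    r"\b(?:send|share|forward|reply\s+with|read\s+(?:it\s+)?out|enter|provide|confirm|verify|type\s+in)\b",
    re.IGNORECASE,
)
# Negation immediately before a request verb ("never share", "do not send").
NEGATION_RE = re.compile(r"\b(?:never|not|don'?t|do\s+not|shouldn'?t|should\s+not)\s*$", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(?:within\s+\d+\s+(?:hours?|minutes?)|immediately|right\s+away|urgent|will\s+be\s+(?:deleted|lost|suspended|locked))\b",
    re.IGNORECASE,
)
IMPERSONATION_RE = re.compile(
    r"\b(?:signal\s+(?:support|team|security)|support\s+team|security\s+team|it\s+(?:helpdesk|support))\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    verdict: str  # "key_disclosed", "likely_lure", "review" or "benign"
    score: int
    reasons: list = field(default_factory=list)


def _has_unnegated_request(text: str) -> bool:
    """True if some request verb is not immediately preceded by a negation."""
    for m in REQUEST_VERB_RE.finditer(text):
        window = text[max(0, m.start() - 24):m.start()]
        if not NEGATION_RE.search(window):
            return True
    return False


def _looks_like_recovery_key(text: str) -> bool:
    """True if a key-shaped string is present that is not just a pasted hex digest."""
    for m in KEY_SHAPE_RE.finditer(text):
        compact = re.sub(r"[ -]", "", m.group(0))
        # 64 hex characters is far more likely a SHA-256 digest dropped into chat.
        if re.fullmatch(r"[0-9a-fA-F]{64}", compact):
            continue
        return True
    return False


def analyze(text: str) -> Finding:
    """Score one message; the key itself in transit outranks any wording."""
    if _looks_like_recovery_key(text):
        return Finding("key_disclosed", 10, ["recovery-key-shaped string present"])
    score, reasons = 0, []
    if KEY_TERM_RE.search(text):
        score += 1
        reasons.append("mentions backup/recovery key")
        if _has_unnegated_request(text):
            score += 2
            reasons.append("asks the recipient to hand over or confirm it")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("deadline or loss pressure")
    if IMPERSONATION_RE.search(text):
        score += 1
        reasons.append("claims to be support/security staff")
    verdict = "likely_lure" if score >= 3 else "review" if score >= 1 else "benign"
    return Finding(verdict, score, reasons)


def triage(messages: dict) -> dict:
    """Map message id -> verdict for a batch exported from mail or chat."""
    return {msg_id: analyze(text).verdict for msg_id, text in messages.items()}


# Constructed sample messages for the example; not real captured traffic.
SAMPLES = {
    "lure": (
        "Hi, this is Signal Support. We detected a backup sync error on your account. "
        "To keep your message history, please verify your Backup Recovery Key by "
        "replying with it within 24 hours."
    ),
    "awareness_note": (
        "Reminder: your recovery key is for you only; never share it with anyone, "
        "including IT."
    ),
    "colleague": (
        "Lunch at 1? Also, did you remember to back up the Signal config for the "
        "test phone before we wipe it?"
    ),
    "leak": "Here it is: " + " ".join(
        ["ABCD", "EFGH", "JKLM", "NPQR", "STUV", "WXYZ", "2345", "6789"] * 2
    ),
    "hash_paste": "Build artifact sha256: " + "0123456789abcdef" * 4,
}

if __name__ == "__main__":
    for msg_id, text in SAMPLES.items():
        f = analyze(text)
        print(f"{msg_id:15s} {f.verdict:14s} score={f.score}  {'; '.join(f.reasons)}")
```

It can only run on channels the organisation already inspects, such as corporate mail, ticketing or an internal chat export; Signal’s own traffic is end-to-end encrypted and is not where this rule belongs. The negation check keeps the "never share your recovery key" awareness note out of the lure bucket, and the hex check stops a pasted SHA-256 digest from being mistaken for a key; both are the first false positives such a rule meets in practice.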

For the people and institutions being targeted, the stakes are obvious. Diplomatic cables, internal government deliberations, and sensitive commercial negotiations increasingly flow through encrypted messaging apps rather than traditional email. A stolen backup key can expose months or years of conversations, revealing not only content but also patterns of contact and timing that are valuable for intelligence analysis and coercion.

This kind of operation is designed to exploit trust in familiar tools. Signal’s reputation as a privacy-preserving platform may make some users less suspicious when a message appears to come from a colleague or a legitimate support channel. The attackers’ goal is to blur that line just enough, often by combining the Signal lure with other techniques such as malicious installers or document files that deliver payloads like Cobalt Strike Beacon, the implant from a commercial adversary-simulation framework that state and criminal actors routinely repurpose for command and control once inside a network.

The broader campaign, dubbed StrikeShark by researchers, reportedly uses a custom downloader known as SharkLoader to deploy Cobalt Strike in targeted environments. Publicly known software vulnerabilities, tampered installers, and DLL hijacking are among the vectors used to gain a foothold before or alongside the Signal‑focused social engineering. Once inside a network, attackers can move laterally, exfiltrate documents, and establish persistent access.

Strategically, the operation illustrates how modern espionage blends technical exploits with psychological manipulation. Rather than sink years into breaking well‑audited encryption algorithms, state-linked actors are concentrating effort on the much softer target: human behavior and the often-overlooked settings that stand between a user and their data. For governments and companies that have encouraged staff to shift sensitive discussions onto encrypted apps, this is a reminder that policy cannot end at installation.

The practical risk is twofold. On one level, compromised Signal accounts can expose individual conversations that put activists, journalists, or officials in danger. On another, they can serve as stepping stones into larger systems, as attackers use trust in one compromised account to send convincing phishing messages to others.

Signs to watch going forward include whether the phishing technique spreads beyond high‑value targets to broader segments of Signal’s user base, whether other messaging platforms report similar backup‑key scams, and how quickly organizations tighten their guidance and technical controls around account recovery features that now sit at the center of a high‑end espionage campaign.
