SBU and FBI Expose Russian FSB and GRU Signal Key Theft Campaign

Ukraine's SBU and the FBI jointly exposed campaigns by Russian FSB-linked UNC5792 and GRU-linked UNC4221 stealing Signal and WhatsApp backup recovery keys.

Ukraine’s Security Service and the FBI have jointly disclosed a sustained Russian intelligence campaign targeting the encrypted messaging accounts of government officials, military leaders, journalists, and activists across Ukraine, Europe, and the United States — with the operation’s most recent phase shifting from verification code theft to the direct capture of Signal and WhatsApp backup recovery keys.

Two Russian Intelligence-Linked Groups Behind the Messaging Account Compromise Campaign

The joint disclosure identifies two distinct threat groups driving the campaign. UNC5792 is linked to Russia’s Federal Security Service, specifically the FSB Border Guards division. UNC4221 is linked to Russian military intelligence, the GRU. Both groups have been conducting sustained targeting of encrypted messaging platform accounts as part of intelligence collection operations against high-value individuals connected to governments and policy circles.

The targeting scope is broad: current and former US government officials, military leaders, allied personnel, key Ukrainian officials, politicians, journalists, and activists across the European continent are all named as focus areas. The breadth of targets reflects an intelligence collection posture oriented toward gaining persistent access to communications among decision-makers and their networks rather than a narrow operational objective.

From SMS Code Phishing to Signal Backup Recovery Key Theft

The campaign began with a straightforward phishing approach: both UNC5792 and UNC4221 posed as automated support accounts for messaging platforms, sending messages that prompted victims to share their SMS-based verification codes. That initial vector gave the groups access to accounts, but only for as long as the victim kept using the same device — a device change or account re-registration could cut off access.

The tactic documented in the June 2026 joint disclosure represents an escalation. The groups now specifically request victims’ Signal and WhatsApp Backup Recovery Keys. Unlike verification codes, backup recovery keys are designed for account continuity across device changes. An attacker holding a victim’s backup recovery key can restore the full message history to a new device and maintain persistent access to the account even after the victim changes phones, re-registers, or believes they have secured their account.

Government Officials and Military Leaders Across Three Regions Targeted

The geographic and professional scope of targets across Ukraine, Europe, and the United States places this campaign squarely in the category of intelligence operations focused on Western government and military communications. Activists and journalists are also named as targets, reflecting a broader objective of monitoring civil society actors connected to Ukraine-related policy discussions and reporting.

The combination of Signal and WhatsApp as platforms is deliberate. Both applications are widely used for sensitive communications among the population groups UNC5792 and UNC4221 are targeting, and both offer end-to-end encryption that cannot be intercepted at the network layer — making account-level access through backup key theft the most direct path to the communications content Russian intelligence seeks.

What the Joint Disclosure Means for High-Risk Messaging App Users

The joint SBU and FBI advisory serves as a direct warning to individuals in the targeted categories. The shift to backup recovery key theft fundamentally changes the risk profile for high-value messaging app users. Securing an account through multi-factor authentication or device management controls does not protect against an attacker who already holds the backup recovery key — that key functions as a complete account recovery credential that bypasses standard authentication.

The phishing mechanism used by both groups — impersonating automated platform support accounts — exploits the difficulty users face in distinguishing legitimate service notifications from attacker-crafted lures, particularly when the fake support messages arrive through the same application channel the real service would use.

Both Signal and WhatsApp have backup and account security settings that control whether backup keys are generated and stored, and through which paths they can be transmitted. The advisory from the SBU and FBI underscores that individuals in sensitive roles should treat any unsolicited message requesting a verification code or backup key as a credential theft attempt, regardless of how the message is formatted or what sender identity it displays.

The UNC5792 and UNC4221 campaign continues a pattern of Russian intelligence operations that adapt messaging platform targeting as those platforms gain adoption among government and military users — directly countering the security guarantees that drive sensitive communications away from traditional email and voice channels.
