Key Takeaways

  • The U.S. State Department’s Rewards for Justice program is offering up to $10 million for information about UNC5792 and UNC4221
  • Russian state-linked actors have compromised thousands of Signal and WhatsApp accounts through evolving phishing schemes
  • The campaign highlights the broader rise in nation-state targeting of secure messaging platforms, with identity workflows increasingly in focus

Federal authorities are escalating their response to a months-long campaign that has compromised thousands of Signal and WhatsApp accounts belonging to U.S. government officials, military personnel, investigative journalists, and other high-value targets. The U.S. State Department said its Rewards for Justice program is now offering up to $10 million for information that helps identify or locate individuals involved in operations run by Russian state-linked groups UNC5792 and UNC4221.

The activity has been under scrutiny since March, when the FBI published an advisory warning that attackers associated with Russian intelligence services were distributing messages disguised as automated support notices. These messages pushed recipients to click a link or provide verification codes. In many cases, a moment of distraction was enough for victims to unknowingly link an attacker’s device to their account. Once linked, the actors could read all new incoming messages. A safety feature built into Signal prevented them from accessing previous chats, at least initially.

The FBI’s update last week outlined an evolution in the operation. Instead of only soliciting verification codes, the attackers now encourage victims to perform a full Signal backup using a detailed and convincing set of instructions. Shortly after, they request the long passcode that encrypts the backup stored on Signal’s servers. That change in flow opened access to past conversations. Authorities identified UNC5792 and UNC4221 as the groups responsible for this phase.

This type of phishing thrives not because it uses highly innovative malware, but because it targets human routines. Messages sent by these actors often mimic the tone and cadence of legitimate support communications. Some of the lures cite supposed investigations conducted with U.S. and European partners. Others warn of data loss. A few even invoke terms like "Mandatory Two-factor Verification," attempting to cloak social engineering behind familiar security language.

While these tactics sound old-fashioned, analysts have been warning that this blend of social engineering and account-recovery manipulation is increasingly central to state-sponsored operations. The latest Gartner research cited in public reports indicates that state-sponsored activity accounts for more than 20% of advanced persistent threat operations directed at critical infrastructure. Secure messaging and collaboration platforms are part of that target surface, especially now that governments rely on them for sensitive, real-time coordination.

The European Union Agency for Cybersecurity has repeatedly emphasized the role of phishing as an initial access vector. According to the ENISA Threat Landscape report, phishing is involved in more than 40% of observed cyber incidents in Europe, and messaging apps have become a common delivery point for these lures. Adversaries now focus more energy on identity workflows than on platform encryption, which is far harder to breach.

In Monday’s announcement, the State Department noted that in some cases UNC5792 actors altered legitimate Signal group invite pages to redirect users to malicious URLs. These pages then linked a device controlled by the attackers to the victim’s account. Crucially, authorities stressed that the group did not exploit weaknesses in Signal or WhatsApp encryption. The weak spot was people, not cryptography. That said, identity and recovery flows within these apps still represent an area where vendors will likely face increasing scrutiny.

The broader enterprise landscape has been tracking similar concerns. A 2023 study by Forrester found that 63% of organizations using end-to-end encrypted messaging tools for business functions rank account takeover via social engineering as a top-three risk. The 63% figure underscores the vulnerability of the human layer, even when organizations select these platforms specifically for their trusted encryption.

NIST has tried to move that conversation forward through its Cybersecurity Framework and the SP 800-63 identity guidelines. Both place heavy emphasis on identity verification, phishing-resistant authentication, and stronger recovery mechanisms. These recommendations are aligned with CISA’s 2024 guidance for secure communications in the public sector, which calls for consistent identity controls and more deliberate verification steps when linking devices or restoring accounts.

Actors like UNC5792 and UNC4221 exploit high-stress environments and user fatigue. A single moment of urgency or distraction is often enough to prompt victims to hand over verification codes or backup keys. The FBI has urged anyone who shared a backup passcode to immediately generate a new one, although it also noted that doing so does not undo any backup the attacker may already have downloaded with the old passcode.

Secure messaging vendors like Signal, WhatsApp, and Wickr have been tightening controls around account recovery and device linking, but the challenge keeps shifting. Social engineering adapts faster than most platform updates. Enterprises deploying these apps for sensitive work, whether remote leadership coordination or field operations, often need additional guardrails to align with their own security baselines.

There is also a cultural element to consider. Many users still believe they can spot phishing attempts instinctively. Yet the most effective lures are often crafted to appear routine, familiar, and rushed. Some involve minor variations of a legitimate process. Others simply build on anxiety about data loss or account lockouts. A quick yes can be all it takes to compromise a line of communication that was assumed to be private.

While the State Department’s reward highlights the seriousness of the current campaign, it also reflects an ongoing shift in how governments view secure messaging ecosystems. These tools are now essential public sector infrastructure, especially amid distributed teams and rapid incident response cycles. Nation-state interest in compromising them is not going away. The real question is how quickly vendors, agencies, and enterprises can adapt their identity and authentication flows to match the sophistication of these targeting operations.

Even with improved technical defenses, training and verification habits tend to determine outcomes. Analysts expect account-takeover campaigns to remain a consistent tactic as long as attackers see people as the simpler route into systems that are otherwise hardened. Whether the Rewards for Justice offer accelerates attribution in this case remains to be seen, but it sends a clear signal that these campaigns are not being treated as routine incidents anymore.