US posts $10 million reward in Russian messenger phishing campaign
Federal officials say Russian-linked hackers have compromised thousands of Signal and WhatsApp accounts through phishing messages.
By James Whitfield · Staff Writer
The U.S. government is offering up to $10 million for information that helps identify or locate people behind a Russian-linked campaign targeting Signal and WhatsApp users. The State Department said the operation has compromised thousands of messaging accounts, including accounts tied to U.S. government officials, military leaders, allied personnel and journalists.
The reward was announced Monday through the State Department’s Rewards for Justice program. The department named two groups, UNC5792 and UNC4221, and said UNC5792 is associated with the Russian Federal Security Service’s Border Guards while UNC4221 works on behalf of Russian military services.
The FBI warned in March that attackers connected to Russian intelligence services were sending phishing messages to high-value targets. According to the bureau, the messages pose as automated support notices and try to get recipients to click links, share verification codes or provide account passcodes.
If a target follows the instructions, the attackers can connect their own device to the victim’s account or take over the account entirely, the FBI said. Once their device is linked, the attackers can read new messages sent to the compromised account.
Attackers shifted tactics, FBI says
The FBI said last week that the campaign had changed. In addition to trying to link attacker-controlled devices to victims’ accounts, the messages now tell some Signal users to create backups of earlier conversations and then send the backup recovery passcode.
That step matters because Signal’s design blocks a newly linked device from seeing older conversations, according to the FBI advisory. If a user gives attackers the recovery key for a Signal backup, the attackers may be able to access prior messages stored in that backup.
The State Department said some UNC5792 activity involved altering real Signal group-invite pages so users were sent to malicious links. Those links connected a device controlled by the attackers to the victim’s Signal account, according to the department.
Federal officials said the campaign did not rely on breaking the encryption protections in Signal or WhatsApp. The compromise came through social engineering: messages designed to make users believe they were responding to legitimate account security or recovery requests.
The FBI’s examples describe messages that claim Signal is adding mandatory two-factor verification or that a user’s messages and media are at risk of being lost. The instructions then direct the user to find a recovery key and send it back in the chat, according to the bureau.
What users should do
The FBI said anyone who has sent a Signal backup recovery key in response to such a message should create a new backup recovery key in Signal’s settings. The bureau said that action invalidates the old key for future backup downloads, though it would not stop an attacker from using a backup already obtained.
Federal guidance also tells users to treat in-app support messages with suspicion. The FBI said legitimate support services for messaging apps do not ask for verification codes inside the app and do not send links to “verify” or “restore” accounts.
- Do not send verification codes, account passcodes or backup recovery keys through chats.
- Confirm account-security requests through official support channels before acting.
- Be cautious of messages that create urgency around account loss, backups or security changes.
The State Department said the reward applies to information on the identities or locations of people involved with UNC5792 or UNC4221. The offer is part of Rewards for Justice, a program used to seek tips involving national security threats.
This story draws on original reporting from Ars Technica.