US offers $10M reward over Signal attacks on NATO officials

A Russian cyber operation has conducted a widespread phishing campaign targeting the Signal and WhatsApp accounts of US government officials. The government is willing to offer a reward of up to $10 million for information leading to the arrest of UNC5792’s key players.
- The US is offering up to $10 million for information leading to the identification or arrest of members of the Russian-linked hacking group UNC5792.
- The group allegedly targeted Signal and WhatsApp accounts used by US government officials, diplomats, NATO personnel, and organizations supporting Ukraine.
- The hackers relied on phishing and social engineering, abusing legitimate account-linking features rather than breaking Signal's encryption.
- Compromised accounts were then used to target additional victims, helping spread the campaign.
- The FBI also warned that Russian intelligence is attempting to steal Signal Backup Recovery Keys, which could allow attackers to regain access to accounts even after victims create new ones.

The US Department of State is seeking information on UNC5792, a malicious hacking group associated with the Russian Federal Security Service (FSB).
According to the US government, UNC5792 has targeted Signal and WhatsApp accounts of government officials, including diplomatic personnel and foreign affairs officials, defense and national security personnel, policy analysts and advisors, NATO member-state officials and diplomats, non-governmental organizations providing support and assistance to Ukraine, and academic researchers in security studies and Russian affairs.
After compromising an account, the threat actor was able to send messages and launch phishing campaigns against other accounts.
“Using social engineering techniques, these malicious cyber actors exploit legitimate device-linking features in these secure messaging applications to gain unauthorized access to sensitive government communications, contact lists, and group conversations,” the US Department of State says in a press release.
In some cases, members of UNC5792 altered legitimate group invite pages to redirect users to a malicious URL that linked a UNC5792-controlled device to the victim’s Signal account.
“Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the Department of State continues.
To put a stop to these account hijackings, the US government is offering a $10 million reward for information leading to the whereabouts or arrest of members of UNC5792. This includes names, locations, domain names, server locations, blockchain transactions, and money flows.
In a recently updated Public Service Announcement (PSA), the FBI warned that Russian Intelligence Services (RIS) are currently on the lookout for Backup Recovery Keys of Signal accounts.
“If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well,” the FBI warns.