Russian state hackers stealing new Signal accounts with old backup keys, FBI warns


Signal’s Secure Backup key, once stolen, can unlock new accounts, and Russian state hackers are already abusing it in a global wave of phishing attacks, the US cyber authorities warn.

Key takeaways:

A Signal Secure Backup key is all it takes to hijack the underlying Signal account and its history, with no additional authentication or confirmation. Russian intelligence services have been running a global phishing campaign tricking VIPs into revealing this 64-character string.


Even a new Signal account, created with the same phone number after the initial compromise, can be unlocked with the same key, the FBI (Federal Bureau of Investigation) and CISA (Cybersecurity and Infrastructure Security Agency) warn in a new advisory.

Current and former US and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine are being targeted by Russian hackers.

The attack is as simple as it gets: the hackers mimic Signal’s automated support account, asking victims to protect their accounts by creating “Signal Backup” and pasting the code into the chat.

Cybernews attempted to retrace the attack by installing Signal on a separate device without a SIM card – entering a phone number and the 64-character recovery key fully restored the entire account, including the message archive, without any prompt on the original device, phone number verification, or additional authentication. The original device was simply disconnected in the process.


“If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well,” the FBI said in the public service announcement.

This means that it’s paramount to rotate the compromised Signal Secure Backup key when creating a new account with the same phone number.

Signal introduced free and paid cloud backup options last year, in addition to device-only backups. The feature is opt-in and disabled by default. However, the documentation lacks a clear warning that this key alone is enough to restore the Signal account.


The FBI attributes the attacks to multiple clusters within the Russian intelligence services, including Federal Security Service (FSB) officers embedded with the FSB Border Guards and others working on behalf of the Russian military services.

The new account takeover tactic is an evolution of the previous phishing tactic that tricks victims into inadvertently linking hackers’ devices to their accounts.


Two ways to let attackers in

Russian state hackers have recently been abusing two phishing schemes to spy on their victims’ Signal accounts.

Both start with a message from a fake support account pretending to be “Signal Security Support ChatBot,” “Signal Security Team,” or similar, warning of “suspicious activity,” unrecognized login attempts, or urging the user to protect the account with two-factor verification.

In the first variant, victims are provided with links or QR codes that abuse Signal’s device linking feature. If the victim follows the instruction, the attacker's device gets added to the account and receives all subsequent messages.

The updated scheme now contains no links or QR codes, but simply urges victims to protect their accounts. If they follow the provided instructions, attackers can obtain PINs or other security codes, gaining complete access to the account.


The latest attacks used a phishing message claiming that “an investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries.”


“In order not to lose your messages and media, set up your Signal Backup,” the attackers urged in the messages, which included instructions.

Phishing is one of the most unsophisticated yet effective means of cyber compromise, allowing hackers to bypass advanced protections such as end-to-end encryption. However, attackers might obtain the secrets by other means, such as compromising users with infostealer malware.
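The lure described above (a sender posing as Signal support, a "suspicious activity" or "set up your Signal Backup" pretext, and an instruction to paste a PIN, code or recovery key into the chat) is regular enough to triage automatically. The following is an added example, not code from Cybernews, Signal or the FBI: it scores inbound messages against those three features and, as an outbound check, flags any message that carries a 64-character key-like token. The only thing the article states about the key is its length, so the alphanumeric character class is an assumption; the sample messages are constructed.

```python
"""Triage Signal-support impersonation lures and outbound key leaks.

Added example (not from the article or Signal). Sample messages are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Lure features described in the advisory: a sender posing as Signal
# support, a security-scare or backup pretext, and a request to paste a
# PIN, code or recovery key into the chat.
IMPERSONATION = re.compile(
    r"\bsignal\s+(?:security\s+)?(?:support|team|chat\s*bot)\b", re.I)
PRETEXT = re.compile(
    r"suspicious activity|unrecogni[sz]ed (?:login|sign-?in)|two-?factor|"
    r"set up your signal backup|protect your account", re.I)
SECRET_REQUEST = re.compile(
    r"\b(?:paste|send|enter|share|provide|reply with)\b.{0,80}?"
    r"\b(?:recovery key|backup key|pin|verification code|security code)\b",
    re.I | re.S)
# Assumption: the Secure Backup key is a 64-character alphanumeric token.
# The article only gives the length; the character class is a guess, and a
# bare 64-char token also matches e.g. SHA-256 hex digests, so treat a hit
# as a hint for review rather than proof of a leak.
KEY_LIKE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{64}(?![A-Za-z0-9])")


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two of the three lure features together is a strong signal.
        return self.score >= 2


def assess_inbound(sender: str, text: str) -> Verdict:
    """Score an inbound message against the three lure features."""
    v = Verdict()
    if IMPERSONATION.search(sender) or IMPERSONATION.search(text):
        v.score += 1
        v.reasons.append("sender or text poses as Signal support")
    if PRETEXT.search(text):
        v.score += 1
        v.reasons.append("security-scare or backup pretext")
    if SECRET_REQUEST.search(text):
        v.score += 1
        v.reasons.append("asks for a recovery key, PIN or code")
    return v


def leaks_key(text: str) -> bool:
    """Outbound check: does the message carry a 64-character key-like token?"""
    return KEY_LIKE.search(text) is not None


def triage(messages: List[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """Return (sender, verdict) for every message judged suspicious."""
    flagged = []
    for sender, text in messages:
        v = assess_inbound(sender, text)
        if v.suspicious:
            flagged.append((sender, v))
    return flagged


# Constructed sample traffic, modelled on the lure wording in the article.
SAMPLE_INBOUND = [
    ("Signal Security Support ChatBot",
     "We detected suspicious activity on your account. In order not to lose "
     "your messages and media, set up your Signal Backup and paste the "
     "recovery key here."),
    ("Alice", "Still on for 6? I'll bring the backup drive."),
]
SAMPLE_OUTBOUND = [
    "here you go " + "k7" * 32,   # constructed 64-char token, not a real key
    "my flight lands at 9, pin me when you're free",
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_INBOUND):
        print(f"SUSPICIOUS from {sender!r}: {', '.join(verdict.reasons)}")
    for msg in SAMPLE_OUTBOUND:
        if leaks_key(msg):
            print(f"OUTBOUND KEY-LIKE TOKEN: {msg[:40]}...")
```

The outbound check is the more useful half for a defender: a legitimate support flow never needs the key pasted into a chat, so any 64-character token leaving the client in a message is worth holding for review. The inbound scoring is deliberately coarse; a single feature (for example "protect your account" in an ordinary message) does not trip it on its own.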

How to protect yourself?

If the Signal backup key is compromised, the FBI urges users to generate a new Backup Recovery Key in the app’s Settings.

“This action will invalidate the previous key for all future backup downloads. However, please note that this does not prevent the actor from having already downloaded a backup of the original account,” the FBI said in the advisory.

The Signal app prompts users to disable backups when creating a new recovery key, and later prompts them to re-enable the feature so that a fresh backup is uploaded under the new key.


The agencies also advise never sharing any verification codes, PINs, or recovery keys in any chats, as no legitimate app support will ever ask for them via direct message. Treat unknown contacts with suspicion, scrutinize links, and avoid clicking them. Regularly check linked devices and group chats for potential intruders.

The FBI also recommends using expiration features that automatically delete sensitive messages after a set period.


