Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label signal. Show all posts
signal
Backup CISA Cyber Security FBI Phishing signal

FBI Warns Russian-Linked Hackers Have Shifted Signal Phishing Campaign to Steal Backup Recovery Keys

 


The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated public service announcement warning that Russian intelligence-linked threat actors have expanded an ongoing phishing campaign targeting Signal users. Rather than attempting to intercept authentication codes alone, the attackers are now seeking victims' Signal Backup Recovery Keys, enabling them to restore encrypted cloud backups and gain access to historical conversations.

The latest advisory builds on an alert released in March 2026, when the agencies disclosed that Russian-backed operators were targeting users of commercial messaging applications, particularly Signal, through carefully crafted phishing campaigns. Those earlier attacks focused on compromising accounts by deceiving users into handing over verification codes, account PINs, or linking unauthorized devices to their Signal accounts, instead of defeating the application's end-to-end encryption.

According to the FBI, the threat actors have refined their social engineering techniques by impersonating automated Signal support accounts and introducing a new objective: convincing users to disclose the recovery keys that protect their encrypted backups.

The agencies said the campaign continues to concentrate on individuals considered to be of intelligence value, including current and former U.S. government officials, government personnel from allied nations, military members, political figures, journalists, and officials located in Ukraine.

The activity has been attributed to Russian Intelligence Services (RIS), including officers associated with Russia's Federal Security Service (FSB) Border Guards and additional actors operating on behalf of the Russian military. Security researchers publicly track the activity under the designations UNC5792 and UNC4221.

Phishing campaign evolves beyond account hijacking

The updated advisory describes a notable change in the attackers' methods. Earlier phishing attempts largely sought one-time verification codes, Signal PINs, or persuaded victims to connect attacker-controlled devices to their accounts. The current campaign instead attempts to obtain the cryptographic recovery key used by Signal's Secure Backups feature.

To begin the attack, the operators pose as Signal's support team and distribute fraudulent messages claiming the messaging platform is introducing mandatory two-factor verification following an alleged increase in attacks carried out by hackers from Iran and post-Soviet countries. The messages falsely state that the security changes require users to configure Signal Backups in order to avoid losing conversations and media files.

Victims are instructed to navigate through the application's backup settings, enable Secure Backups, reveal the Backup Recovery Key, copy it to the clipboard, and complete what appears to be a legitimate setup process.

Signal's Secure Backups feature allows users to store encrypted copies of conversations on the company's cloud infrastructure. Those backups remain protected through end-to-end encryption, with the Backup Recovery Key serving as the only credential capable of decrypting and restoring the archived data. Because Signal does not retain this key, anyone who obtains it can restore the encrypted backup onto another device.

After victims complete the initial steps, the attackers send a second phishing message while continuing to impersonate Signal support. This follow-up communication claims the user's account is experiencing a synchronization problem and warns that stored messages and media could be permanently lost unless immediate action is taken.

The fraudulent notification instructs users to revisit the backup settings, copy the Backup Recovery Key once again, and paste it directly into the conversation under the pretense of preventing data loss.

If victims comply, the attackers obtain the recovery key and use it to restore the encrypted backup on devices under their control. This grants access to previously archived communications, including private conversations and group chats.

The FBI emphasized that these attacks do not compromise Signal's encryption itself. Instead, they rely entirely on social engineering techniques that manipulate users into voluntarily surrendering the credentials needed to decrypt their own backups.

Compromised recovery keys remain a risk even after creating a new account

The updated advisory also highlights a recovery scenario that affected users may easily overlook.

According to the FBI, creating a new Signal account with the same phone number does not invalidate a Backup Recovery Key that has already been stolen. If attackers previously acquired the key, they may still be able to access any encrypted backups downloaded before the compromise was discovered.

To prevent future backup restorations using a compromised credential, users should generate a new Backup Recovery Key through Signal's backup settings. Creating a replacement key invalidates the previous one for subsequent backup downloads. However, the agencies cautioned that this action cannot revoke access to backups that attackers have already restored using the stolen key.

Agencies urge users to remain cautious of unsolicited support messages

The FBI and CISA reminded users that legitimate messaging platform support teams communicate only through official company email channels. They do not request verification codes through the application itself, nor do they send unsolicited messages instructing users to verify accounts, restore backups, or disclose recovery credentials.

Anyone who believes they may have interacted with the phishing campaign is encouraged to report the incident to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.

The advisory accentuates the fact that well-designed encryption remains effective only when the credentials protecting it remain under the user's control. Rather than attempting to break modern cryptography, state-sponsored threat actors are increasingly directing their efforts toward manipulating trusted users into revealing the keys that unlock their own protected data.

Read more »
VPN
Canada Data Privacy signal surveillance technology VPN

Signal and Other Firms Oppose Canada's Proposed Surveillance Law

 




A developing number of technology companies are raising concerns over Canada's proposed lawful access legislation, arguing that some provisions could force them to choose between complying with government requirements and maintaining the privacy standards promised to users.

The debate centers on Bill C-22, a proposed law that would expand the government's ability to obtain digital information during investigations. The legislation would allow regulations requiring certain service providers to preserve specified metadata for up to one year and maintain technical capabilities that could assist law enforcement and intelligence agencies in accessing information when legally authorized.

Among the companies voicing opposition is Signal, the encrypted messaging platform known for its strong privacy protections. During a recent parliamentary committee hearing, Signal representatives warned that the bill, in its current form, could fundamentally alter how secure communication services operate. The company stated that if compliance ultimately required weakening user protections, it would consider leaving the Canadian market rather than changing its security model.

Several technology firms and privacy advocates have expressed concern that the legislation's language could create pressure to build or preserve technical access mechanisms within encrypted systems. Critics argue that any capability designed to bypass or weaken security protections could eventually become a target for cybercriminals or other malicious actors.

Legal experts have also questioned the broader implications of the proposal. Some argue that service providers have a responsibility to protect customer information and maintain secure systems, while the bill could require additional government involvement in digital infrastructure that may conflict with those obligations.

Under the proposed framework, certain telecommunications and communications providers would be required to maintain capabilities that support lawful access requests. The legislation would also allow the Public Safety Minister to issue orders requiring providers to develop specific technical capabilities, even if they do not fall within the category of designated core providers. Those orders would not be publicly disclosed, and approval would come through the Intelligence Commissioner rather than a traditional court warrant process.

Industry representatives have warned that compliance could involve significant operational costs. Companies may be required to redesign systems, expand data retention capabilities, and implement new technical controls. Some experts believe those costs could ultimately be passed on to consumers.

VPN providers have emerged as some of the bill's most vocal critics. NordVPN has publicly stated that it would not compromise its encryption or privacy protections and may reevaluate its Canadian presence if the legislation proceeds without substantial revisions. Windscribe, a Canadian-based VPN provider, has also indicated that it could relocate operations rather than modify core privacy features.

DuckDuckGo confirmed that its VPN service could be withdrawn from Canada if the bill becomes law in its current form. Meanwhile, executives at networking company Tailscale have warned that the legislation could affect international business decisions, investment flows, and where future infrastructure is deployed.

Many of the companies opposing the bill note that they do not routinely store logs containing user metadata such as IP addresses or location information. They argue that introducing mandatory retention requirements would require major changes to their existing privacy practices.

The concerns extend beyond smaller privacy-focused firms. Representatives from Apple and Google recently told lawmakers that the proposal could create uncertainty around encryption protections. Apple pointed to actions it previously took in the United Kingdom after government demands related to access to encrypted cloud data. Google similarly warned that the legislation could challenge longstanding commitments to end-to-end encryption.

Meta has also criticized the bill, arguing that some provisions could be interpreted in ways that require providers to weaken encryption or modify security architectures. The company further stated that the legislation lacks clear mechanisms for challenging problematic government orders, creating uncertainty about how the powers could be used in practice.

Canadian officials have defended the proposal as a necessary modernization of investigative authorities. Public Safety Minister Gary Anandasangaree recently indicated that amendments are being prepared to clarify that the legislation is not intended to undermine encryption. However, the government has signaled that it plans to retain the proposed one-year metadata retention requirement, arguing that investigators often need historical records to support complex criminal investigations.

Civil liberties organizations remain unconvinced. A recent analysis published by researchers at Citizen Lab and the Canadian Civil Liberties Association argued that the sections dealing with metadata retention and ministerial orders should be removed entirely. The report contends that the current framework grants broad government authority while providing limited judicial oversight and accountability mechanisms.

As lawmakers continue to reassess the legislation, the dispute highlights a growing challenge facing governments worldwide: balancing investigative powers and national security objectives with encryption, privacy protections, and the cybersecurity expectations of users and service providers.

Read more »
Subscribe to: Posts (Atom)