Sample Phishing Messages | Image: CISA
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Public Service Announcement (PSA) warning of a sophisticated global phishing campaign conducted by the Russian Intelligence Services (RIS). The operation targets Commercial Messaging Applications (CMAs) to infiltrate the private communications of government officials, military personnel, and journalists.
While the encryption of the applications themselves remains intact, the RIS has successfully compromised thousands of individual accounts through social engineering and feature abuse, specifically focusing on users of the Signal messaging app.
The core of the RIS strategy relies on tricking high-value targets into granting the attackers access to their message history. By impersonating trusted contacts, the actors send malicious links or QR codes that exploit the “linked device” feature common in many messaging apps.
“RIS actors have compromised individual CMA accounts, but not CMAs’ encryption or the applications themselves. The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists.”
Once an account is linked to an attacker’s device, the RIS can view existing message threads, monitor real-time conversations, and harvest contact lists to identify their next targets.
The FBI and CISA have mapped out the “Account Takeover” lifecycle used in this campaign. It begins with the actors identifying a victim and conducting deep reconnaissance to craft a believable persona.
“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts.”
Because the messages appear to come from a verified friend or colleague, the “success rate of these follow-on attacks is significantly higher.” The attackers use this lateral movement to weave a web of compromise across entire professional and political circles.
A particularly stealthy tactic involves the infiltration of group chats. Attackers may join or create duplicate accounts within a group to lurk and gather intelligence. To combat this, the agencies urge users to be proactive in their digital hygiene.
CISA and the FBI emphasize that while the threat is global, users can significantly reduce their risk by strengthening their personal security settings and remaining skeptical of unsolicited “verification” requests.
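Three of the defensive checks the article points at can be expressed as small, offline routines: auditing your own linked-device list against what you expect to be there, spotting a display name that appears under more than one account in a group roster (the "duplicate account" tactic), and triaging an incoming message for the link-or-QR-plus-"verify" pattern. The following is an added example, not code from the PSA or from any messaging app; the `LinkedDevice`, `Member` and `account_id` fields and all sample values are constructed assumptions, since apps expose this information only through their own settings screens, not a public API.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LinkedDevice:
    name: str            # label shown in the app's linked-devices screen (assumed)
    linked_at: datetime  # when the device was linked (assumed)


@dataclass(frozen=True)
class Member:
    display_name: str  # name as shown in the group
    account_id: str    # hypothetical opaque per-account identifier


def audit_linked_devices(devices, known_names, last_review):
    """Return devices that are not in the owner's own inventory, or that were
    linked after the last time the owner reviewed the list. Either condition is
    what a linked-device takeover would look like from the victim's side."""
    return [
        d for d in devices
        if d.name not in known_names or d.linked_at > last_review
    ]


def find_duplicate_display_names(members):
    """Map each display name that is used by more than one account to the set
    of account ids using it. Names are compared case- and whitespace-insensitively
    so 'Alice Example' and 'alice example' collide."""
    by_name = {}
    for m in members:
        key = m.display_name.strip().casefold()
        by_name.setdefault(key, set()).add(m.account_id)
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
ASK_TERMS = ("verify", "verification", "link", "confirm")


def looks_like_linking_lure(text):
    """Heuristic: a message carries a delivery vector (URL or QR reference) AND
    asks the recipient to verify, confirm or link something. Both are needed;
    a plain link or a plain 'confirm' alone is not flagged."""
    t = text.casefold()
    has_vector = bool(URL_RE.search(t)) or "qr" in t
    has_ask = any(term in t for term in ASK_TERMS)
    return has_vector and has_ask


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample data.
    devices = [
        LinkedDevice("Home laptop", datetime(2025, 1, 10, tzinfo=utc)),
        LinkedDevice("Work tablet", datetime(2025, 3, 10, tzinfo=utc)),
        LinkedDevice("Desktop", datetime(2025, 3, 15, tzinfo=utc)),
    ]
    flagged = audit_linked_devices(
        devices, {"Home laptop", "Work tablet"}, datetime(2025, 3, 1, tzinfo=utc)
    )
    print("review these linked devices:", [d.name for d in flagged])

    roster = [
        Member("Alice Example", "acct-001"),
        Member("Bob Example", "acct-002"),
        Member("alice example", "acct-003"),
        Member("Carol", "acct-004"),
    ]
    print("duplicate names in group:", find_duplicate_display_names(roster))

    for msg in (
        "Hi, can you verify your account by linking this device? https://example.invalid/link",
        "Lunch at noon?",
        "Scan this QR code to confirm it's you",
    ):
        print(looks_like_linking_lure(msg), "<-", msg)
```

The device audit is deliberately strict: a device you do recognise is still flagged if it was linked after your last review, because a freshly linked device is exactly what this campaign produces and the only way to settle it is to look. The lure check is a heuristic, not a filter; its purpose is to make "a contact sent me a link and asked me to verify" register as a pattern worth a second channel of confirmation.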