Threats · 5 min read · 26 June 2026

GRU Phishing Campaign Targets Signal's Backup Recovery Key — And the Key Never Expires

The FBI and CISA have updated their advisory on Russian intelligence operators targeting Signal users, warning that attackers have shifted tactics from linked-device hijacking to stealing the Backup Recovery Key — a credential that grants permanent, silent access to a user's full message history.

Elena Fischer, Threat Intelligence Analyst

Russian military intelligence operators are now targeting Signal users' Backup Recovery Keys, according to a refreshed advisory from the FBI and CISA, in a campaign that grants attackers durable, effectively irrevocable access to private communications.

What Changed — and Why It Matters

The original advisory, published in March 2025, described a technique built around Signal's linked-device feature. Operators sent targets malicious QR codes disguised as legitimate account invitations. Scanning the code silently paired an attacker-controlled device to the victim's Signal account, mirroring every message that arrived afterward. Damaging. But also revocable: a victim who audited their linked devices in Signal's settings could sever the connection immediately.

The new campaign targets something stickier. Signal's Backup Recovery Key is the credential that decrypts a user's locally stored backup. Anyone who possesses that key can restore the full backup — including prior private and group message history — on hardware entirely under their control. The FBI and CISA advisory notes the key carries no built-in expiry and produces no user-facing alert when someone else uses it. Rotating it requires deliberate, manual steps that most ordinary users would never think to take unprompted.

The analogy to web security is apt. Stealing a linked-device connection is like stealing a session cookie — it dies the moment the user logs out or checks their settings. Stealing the Backup Recovery Key is closer to stealing a long-lived API token. The victim's continued presence in their own account does nothing to invalidate the attacker's access.

How the Social Engineering Works

The delivery mechanism is the recognizable part. GRU-linked operators have impersonated trusted contacts, military coordination platforms, and NGO administrative tools to construct plausible pretexts. The end goal of every lure is identical: convince the target to open Signal's settings, locate the Backup Recovery Key, and transmit it somewhere — a chat reply, a web form, a screenshot uploaded to a cloud service.

Named targets include journalists, Ukrainian military personnel, diplomats, and staff at defense-adjacent NGOs. That population is not random. These are individuals who handle sensitive communications and who may be conditioned to respond quickly to messages that arrive with apparent operational urgency.

The Verizon 2024 Data Breach Investigations Report found that the human element contributed to 68 percent of breaches analyzed — a figure that has barely moved in years. Phishing remained the dominant initial-access vector. Campaigns like this one are not exotic; they are the statistical norm dressed in more targeted clothing.

The Real Failure Is Not Cryptographic

Signal's encryption protocol is not breaking here. The Signal Protocol continues to function exactly as designed. What is failing is the human convention layered on top of it — the assumption that users understand what a Backup Recovery Key is, where it lives in their settings, and why handing it to a stranger is equivalent to handing over every message they have ever sent.

Most people who have never been explicitly trained on this distinction will treat a recovery key the same way they treat a Wi-Fi password: something to share when asked, by someone who sounds like they have a reason to ask. That gap between cryptographic strength and operational security awareness is where GRU operators are working.

This is precisely the kind of procedural failure that security-awareness training is designed to close. Knowing that phishing exists is not the same as recognizing the specific social script — "verify your Signal account," "confirm your backup credentials" — that precedes a key handover. Scenario-based training that walks users through realistic credential-phishing attempts builds the reflexive skepticism that technical controls alone cannot provide.
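The pretext scripts named above ("verify your Signal account", "confirm your backup credentials", urgency, an instruction to send the key) can be turned into a simple triage heuristic for user-reported messages. This is an added example, not code from the advisory or from Train2Secure; the patterns, weights, threshold and sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Pretext signals described in the article. Phrasings and weights are
# constructed for this example, not taken from the FBI/CISA advisory.
PRETEXT_PATTERNS = {
    "account_verification": re.compile(r"\b(verify|confirm|validate)\b.{0,30}\baccount\b", re.I),
    "backup_confirmation": re.compile(r"\b(confirm|verify|check)\b.{0,30}\bbackup\b", re.I),
    "recovery_key_request": re.compile(r"\b(backup|recovery)\s+(recovery\s+)?key\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|right now|asap|within \d+ (minutes|hours))\b", re.I),
    "send_instruction": re.compile(r"\b(send|paste|reply with|screenshot|read (me|out))\b", re.I),
}

# Asking for the key and telling the user how to transmit it is the core of
# the lure; those two signals outweigh generic urgency or verification talk.
HEAVY_SIGNALS = {"recovery_key_request", "send_instruction"}


@dataclass
class TriageResult:
    score: int = 0
    hits: list = field(default_factory=list)


def triage_message(text: str) -> TriageResult:
    """Score one reported message against the pretext patterns."""
    result = TriageResult()
    for name, pattern in PREXT_PATTERNS.items() if False else PRETEXT_PATTERNS.items():
        if pattern.search(text):
            result.hits.append(name)
            result.score += 3 if name in HEAVY_SIGNALS else 1
    return result


def is_likely_key_phish(text: str, threshold: int = 5) -> bool:
    """True when the message combines a key request with delivery instructions or enough context."""
    return triage_message(text).score >= threshold


# Constructed sample reports: two lures in the style the article describes, two benign messages.
SAMPLE_REPORTS = [
    "URGENT: to verify your Signal account open Settings > Backups and paste your Backup Recovery Key in reply.",
    "Hey, are we still on for lunch tomorrow? Let me know by noon.",
    "Reminder: please check your backup is running before the laptop refresh next week.",
    "Admin here. We need to confirm your backup credentials immediately. Reply with your recovery key.",
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        r = triage_message(report)
        print(f"{r.score:2d} {'PHISH ' if is_likely_key_phish(report) else 'ok    '} {r.hits}")
```

A benign mention of backups scores low because it lacks both the key request and the instruction to transmit it; the two lures score high on exactly those signals.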

What Defenders Should Do Now

The CISA advisory and the nature of this attack point toward four immediate actions for anyone managing communications security for at-risk personnel.

Treat the Backup Recovery Key as a root credential. It belongs in a dedicated password manager or written on paper and stored physically. It does not belong in a chat thread, a cloud note, a screenshot, or an email. Brief your users on this explicitly — most have never seen the key and do not know what it does.

Audit linked devices on a regular schedule. In Signal settings, under Linked Devices, every entry that was not personally authorized by the account holder should be treated as hostile and removed immediately. Build this into a routine, not a reaction.

If compromise is suspected, rotate immediately. Signal allows users to generate a new Backup Recovery Key. Do it. Then assume every backup encrypted under the old key is in the hands of the adversary. Reconstruct what was exposed and notify any counterparties whose conversations were affected.

Recognize that the technique generalizes. The current named target set is specific — Ukrainian military, diplomats, journalists. But the method of coaxing a user into reading a recovery credential aloud or pasting it into a form is not geographically or professionally bounded. Any organization whose personnel use Signal for sensitive communication should brief their teams now, not after an incident.

Organizational Controls That Address This Gap

Three controls stand out as directly relevant.

First, a defined policy for handling cryptographic credentials. Most organizations have password policies. Far fewer have explicit guidance on backup and recovery keys for encrypted messaging platforms. That gap needs to close. Organizations managing compliance obligations can find applicable control frameworks at Train2Secure's standards library.

Second, phishing simulation exercises that include messaging-platform pretexts. Standard phishing simulations test email. This campaign operates through Signal itself, and through impersonation of trusted contacts. Training programs need to model the actual threat surface.

Third, incident response playbooks that include steps specific to encrypted messaging compromise. If a Backup Recovery Key is disclosed, the response is not "change your password." It requires key rotation, enumeration of exposed history, and notification of affected contacts. Most IR playbooks do not address this scenario. They should.

The GRU is not breaking Signal. It is breaking the gap between what Signal's security model assumes about user behavior and what users actually do when they receive an urgent, plausible-sounding request from someone they believe they know. Closing that gap is a training and policy problem — and it is solvable.

How this could have been prevented

  • Train at-risk users to treat Signal's Backup Recovery Key with the same discipline as a root password — never share it via chat, screenshot, or web form under any circumstances.
  • Run phishing simulations that model messaging-platform pretexts, not just email, so personnel recognize the specific social scripts GRU operators use.
  • Establish a written policy defining which credentials qualify as cryptographic root credentials and how they must be stored and rotated.

Train2Secure offers scenario-based phishing simulations and policy templates designed to close exactly the human-behavior gaps this campaign exploits.


Frequently asked questions

What is Signal's Backup Recovery Key and why is it valuable to attackers?

The Backup Recovery Key is the credential that decrypts a user's local Signal backup. An attacker who obtains it can restore the full message history — including past private and group conversations — on hardware they control. Unlike a linked-device connection, the key has no built-in expiry and leaves no obvious alert in the victim's account.

How do GRU operators convince targets to hand over the key?

Operators impersonate trusted contacts, military coordination tools, or NGO administrative platforms and create urgency around account verification or backup confirmation. The social engineering is designed to lead the target into Signal's settings, where the key is displayed, and then to paste or read it back to the attacker.

Is Signal's encryption broken by this attack?

No. The Signal Protocol itself is functioning as designed. This attack exploits human behavior — specifically, the gap between users' understanding of what a recovery key is and how carefully it should be guarded — rather than any cryptographic weakness.

What should I do if I think my Signal Backup Recovery Key was compromised?

Generate a new key immediately through Signal's settings. Assume any backup encrypted under the old key is in adversary hands. Identify which conversations were in that backup and notify counterparties whose communications may now be exposed.
