Russian UNC5792 Shifts to Signal Recovery Key Theft After Linked-Device Tactic

The updated advisory shows the actors moved from soliciting SMS codes and linked-device invites to walking targets through enabling backups then pasting the recovery key into the same chat window. Once obtained the key decrypts prior backups on any device using the same number even after the victim creates a fresh account. Technical evidence from Google Threat Intelligence Group traces the same UNC5792 infrastructure first seen abusing Signal linked-device registration in early 2025 now extended to WhatsApp and Telegram contact harvesting.

Evidence trails indicate deliberate targeting of Ukrainian officials, U.S. military personnel and journalists rather than mass credential theft. Overlaps with AIVD-MIVD and BfV reporting from the same period document identical social-engineering scripts but stop short of naming specific Russian services. FBI attribution to FSB Border Guards and military units rests on tradecraft markers and infrastructure reuse rather than independent packet-level confirmation.

The pattern reveals state actors treating encrypted-messaging recovery features as persistent access points instead of attempting protocol breaks. Signal's decision to keep the key static until manually regenerated created an unadvertised attack surface that survives phone number changes. This mirrors earlier procurement of commercial phishing kits observed in other RIS operations against privacy tools.

Next phase indicators include expanded use of the same recovery-key script against enterprise-managed Signal instances and possible testing of similar backup flows in competing apps. Defenders should monitor for new in-app messages referencing mandatory data-recovery steps and rotate keys quarterly.