Russian actors send fake messaging support SMS to harvest Signal and WhatsApp credentials from Ukrainian officials
SSU-FBI joint disclosure reveals Russian intelligence adapting SMS support impersonation to steal encrypted messaging credentials at scale. The tactic aligns with documented cluster tradecraft and exploits Ukraine's dependence on commercial apps for sensitive traffic. Independent confirmation remains limited to technical indicators rather than named actor attribution.
The campaign delivered SMS lures claiming to originate from Signal or WhatsApp support, directing targets to disclose confirmation codes or scan malicious QR codes. SSU documented repeated waves against both institutional and personal accounts without naming a specific group, while FBI linked parallel commercial messaging phishing to Russian intelligence actors seeking backup keys. Technical patterns match prior activity by Star Blizzard and UNC5792 clusters, which previously used credential-harvesting lures against similar Ukrainian targets. The shift to direct SMS support impersonation bypasses email filters and exploits wartime reliance on encrypted messengers for operational coordination. Procurement records and prior CERT-UA alerts show Russian services have iteratively refined access operations against the same target pool since 2022, moving from spear-phishing documents to low-friction messaging vectors. This reduces attribution signatures while increasing volume against dispersed personal devices. Next indicators will appear in updated session-log reviews by Ukrainian agencies and any new FBI flash alerts on recovery-key theft within 90 days.
CERT-UA: At least two additional UNC clusters will publish SMS recovery-key lures against Ukrainian MoD domains before December 2026.
Sources (2)
- [1]Primary Source(https://ssu.gov.ua/ua/news/1/category/2/view/11999)
- [2]Supporting Source(https://www.fbi.gov/contact-us/field-offices/washington-dc/news/russian-intelligence-cyber-threat-actors-targeting-commercial-messaging-applications)