A joint advisory from the FBI and CISA reveals that Russian intelligence-linked hackers have shifted tactics in their ongoing campaign against Signal users. Rather than hijacking active sessions by linking attacker-controlled devices to a victim's account, attackers now focus on stealing the Signal Backup Recovery Key to obtain persistent, hard-to-detect access to a target's entire encrypted message archive.
The updated warning, detailed in a report by The Hacker News, describes an attack that relies entirely on social engineering rather than on any flaw in Signal's software. Threat actors impersonate support staff or trusted contacts and use urgent pretexts such as "account verification" to trick users into surrendering their unique recovery key. The key is designed to restore message history on a new device; in an attacker's hands it becomes a master key to the archive.
Once the key is in an attacker's hands it can decrypt past messages and be used to take over the account. Signal's end-to-end encryption is not broken here; it is sidestepped, because the attacker now holds a legitimate decryption secret for the backup. Crucially, the compromise persists: standard responses such as changing a password or PIN do not touch the backup key, which stays valid indefinitely until the user generates a new one. Even rotation only protects backups made afterwards; any archive copy the attacker has already retrieved remains readable with the old key. This turns a temporary surveillance opportunity into a potentially permanent archive breach.
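The persistence argument above can be made concrete with a small model. The following Python is an added illustration written for this page, not Signal's code or backup format; its key format, key derivation and cipher (HMAC-SHA256 in counter mode with an HMAC tag) are toy stand-ins chosen only so the example runs offline with the standard library, and the backup contents are constructed sample data. It shows that changing a PIN leaves every archive readable with the stolen key, that rotating the recovery key protects only backups made after rotation, and that a copy the attacker has already pulled stays readable regardless.

```python
"""Toy model of why a stolen backup recovery key persists.

Constructed illustration, not Signal's real backup format or key derivation:
a backup archive is symmetrically encrypted under a key derived from the
recovery key, so whoever holds the recovery key can read every archive
encrypted under it. Unrelated credentials such as a PIN are not part of that
key, so resetting them changes nothing. Rotating the recovery key protects
backups made afterwards; copies already exfiltrated remain readable.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def new_recovery_key() -> str:
    # 64 random lowercase alphanumeric characters; the format is assumed here
    # for illustration and is not a statement about Signal's key format.
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(64))


def derive_backup_key(recovery_key: str) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA256 over the recovery key with a fixed label.
    return hmac.new(b"backup-key-derivation", recovery_key.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (toy stand-in for a real cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(recovery_key: str, archive: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    key = derive_backup_key(recovery_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(archive, _keystream(key, nonce, len(archive))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_backup(recovery_key: str, blob: bytes) -> Optional[bytes]:
    """Return the archive, or None if the key is wrong or the blob was tampered with."""
    key = derive_backup_key(recovery_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Account:
    """Minimal model of the secrets involved. The PIN is deliberately unrelated
    to the recovery key, so resetting it cannot revoke the key."""

    def __init__(self) -> None:
        self.pin = "1234"
        self.recovery_key = new_recovery_key()
        self.backups: list = []

    def upload_backup(self, archive: bytes) -> None:
        self.backups.append(encrypt_backup(self.recovery_key, archive))

    def change_pin(self, new_pin: str) -> None:
        self.pin = new_pin

    def rotate_recovery_key(self) -> None:
        self.recovery_key = new_recovery_key()


def simulate_key_theft() -> dict:
    """Walk through the scenario in the article and report what the attacker can read."""
    victim = Account()
    victim.upload_backup(b"2024 archive: sensitive thread")   # constructed sample data
    stolen_key = victim.recovery_key                           # phished via "account verification"
    exfiltrated = list(victim.backups)                         # attacker copies what exists now

    victim.change_pin("9876")                                  # the standard response
    victim.upload_backup(b"messages after the PIN change")
    readable_after_pin_change = all(
        decrypt_backup(stolen_key, b) is not None for b in victim.backups
    )

    victim.rotate_recovery_key()                               # the only effective revocation
    victim.upload_backup(b"messages after key rotation")
    return {
        "readable_after_pin_change": readable_after_pin_change,
        "new_backup_readable_with_stolen_key": decrypt_backup(stolen_key, victim.backups[-1]) is not None,
        "exfiltrated_copy_still_readable": decrypt_backup(stolen_key, exfiltrated[0]) is not None,
    }


if __name__ == "__main__":
    for name, value in simulate_key_theft().items():
        print(f"{name}: {value}")
```

The practical reading: after a suspected key theft, rotate the recovery key immediately, but also treat everything backed up before rotation as already disclosed, since no later action can recover an archive copy the attacker has already downloaded.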
For organizations, particularly those in Hong Kong managing high-risk personnel, this underscores a critical operational vulnerability. "The persistence is the key threat," explained a Hong Kong-based RegTech founder specializing in secure communications, speaking on condition of anonymity. "Exfiltrating a backup key isn't a one-time breach; it's an open window to sensitive archives. It forces a complete rethink of what constitutes a critical secret beyond standard passwords."
The attack shows that strong encryption is circumvented not by breaking it but by exploiting human judgment: the user is persuaded to hand over the very secret the encryption protects. The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong promotes the principles of data security and appropriate technical measures, but this threat calls for specific, procedural countermeasures.
Security experts emphasize that the primary defense is to elevate the Backup Recovery Key to the status of a top-tier secret. Organizations should update security training to treat the key with the same gravity as a master password or an offline hardware token, and put a strict handling protocol in writing: the key is stored securely offline, never transmitted or shared digitally, and never entered anywhere except a device the user is deliberately restoring. No legitimate support process requires a user to send the key to anyone, so any unsolicited request for it, whatever the pretext, is treated as an immediate red flag.
Furthermore, IT teams should establish out-of-band verification for security-related requests (confirming through a channel the requester did not choose) and conduct regular audits of the devices linked to company Signal accounts (Settings > Linked Devices), removing anything unrecognized. As this campaign demonstrates, defending modern encrypted communications requires hardening the human element as rigorously as the software itself.
A joint warning issued by the FBI and CISA states that hackers linked to Russian intelligence agencies have changed strategy in their ongoing campaign against Signal users. Rather than hijacking existing conversation sessions, attackers now concentrate on stealing the Signal Backup Recovery Key in order to gain permanent, unnoticed access to a target's entire encrypted message archive.
According to the latest warning, detailed in a report by The Hacker News, this is an attack that relies purely on social engineering. Threat actors impersonate customer support staff or trusted contacts and use urgent pretexts such as "account verification" to trick users into handing over their unique recovery key. The key is meant to restore message history on a new device, but it becomes a master key for the attacker.
Once the key is compromised, attackers can decrypt past messages and take over the account, thereby bypassing Signal's end-to-end encryption. Critically, this intrusion is persistent: standard security measures such as changing a password have no effect, and the key remains valid indefinitely until the user manually replaces it. A temporary surveillance opportunity thus becomes a potentially permanent archive leak.
For organizations, and particularly Hong Kong institutions managing high-risk personnel, this highlights a critical operational vulnerability. "Persistence is the main threat," a Hong Kong-based RegTech founder specializing in secure communications explained on condition of anonymity. "Stealing a backup key is not a one-off intrusion; it opens a lasting window onto sensitive archives. It forces us to rethink what counts as a critical secret beyond standard passwords."
This kind of attack shows how even strong encryption can be bypassed by exploiting weaknesses in human judgment. Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD) promotes the principles of data security and appropriate technical measures, but this threat calls for specific, procedural countermeasures.
Security experts stress that the primary defense is to elevate the Backup Recovery Key to the highest secrecy tier. Organizations must update security training to treat this key with the same seriousness as a master password or an offline hardware token. A strict protocol should be put in place: the key must be stored securely offline, never shared in digital form, and any unsolicited request for it must be treated as an immediate danger signal.
In addition, IT teams should establish out-of-band verification processes for security-related requests and regularly audit the devices linked to company Signal accounts. As this campaign shows, defending modern encrypted communications requires hardening the human element as rigorously as the software itself.
