A joint advisory from the FBI and CISA warns that a Russian-linked hacking group has shifted its tactics. The campaign now targets Signal users' static Backup Recovery Keys, allowing for persistent, passive access to archived conversations.
Previously tracked as UNC5792, the group focused on hijacking active Signal sessions via malicious QR codes. The new approach is more durable. It steals the 60-digit recovery key, which acts as the sole credential to decrypt a user's cloud-stored chat backup.
The core vulnerability is procedural, not cryptographic. Signal's end-to-end encryption remains intact, but the backup mechanism creates a single point of failure. When a user enables backups, an encrypted database is stored on a service like Google Drive. Possession of the recovery key is all that is needed to decrypt it.
Attackers use sophisticated phishing lures disguised as official Signal communications. These direct victims to a fake login portal. Once credentials are entered, the page prompts for the recovery key, claiming it's needed to "reactivate" the account.
With the key, an attacker can decrypt the existing backup from the victim's cloud storage. This grants long-term, read-only access to historical messages without needing further access to the victim's device or account. Access remains until the user manually generates a new key.
The advisory states the campaign is highly targeted, focusing on individuals in geopolitical and defense sectors within Ukraine and Europe. However, the technique is broadly applicable, highlighting that the attack surface is human susceptibility to phishing and gaps in credential management.
This incident underscores that the security of encrypted communication platforms relies critically on user vigilance and secure handling of recovery credentials. Robust technical encryption must be complemented by careful practices around cloud backups and phishing defenses.
