An updated advisory from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) confirms Russian intelligence operatives have updated their playbook for compromising Signal accounts. They now specifically target the Backup Recovery Key, a move that grants attackers a persistent, long-term gateway to a user's entire encrypted message history.

The joint alert, a follow-up to a March 2026 warning, details this tactical evolution. Adversaries are no longer primarily focused on intercepting temporary verification codes. Instead, they prioritize stealing the victim's 60-digit Signal Backup Recovery Key—the cryptographic secret required to restore an account and its full message history to a new device. Possession of this key allows for asynchronous decryption of message archives at any future time, eliminating the need for attackers to maintain active phishing infrastructure or direct victim interaction.

The agencies emphasize that the attack does not compromise Signal's end-to-end encryption. Rather, it exploits the very trust-based account recovery system designed for user convenience. Social engineering via phishing campaigns remains the primary vector, luring targets to fraudulent login pages designed to harvest the critical key.

"The human element is the pivotal vulnerability here," the advisory states, noting that the platform's sophisticated encryption is circumvented through user manipulation.

To counter this threat, the FBI and CISA outline critical, actionable defenses. First, all Signal users should immediately enable the "Registration Lock" feature in the app settings. This control mandates a user-set PIN to register an account on a new device, creating a vital secondary barrier that can block an attacker armed only with a stolen key.

Second, users must treat recovery keys as their most sensitive secrets. The agencies strongly advise storing them offline—such as written and secured in a physical location—and never sharing them through any digital channel. Any unsolicited communication requesting a recovery key or prompting for login verification should be considered malicious.

The shift in tactics represents a strategic focus on the backup and recovery mechanisms of secure communications platforms. For IT and security teams, this underscores the need to update user training to cover this specific social engineering scheme and to highlight the new, persistent nature of the threat.

While the advisory does not reference specific regions, the threat model is globally relevant to any individual or organization relying on encrypted messaging. It serves as a potent reminder that the security of such systems ultimately hinges on a combination of technical controls and vigilant user behavior.
