US Puts $10 Million Bounty on WhatsApp Hackers’ Information

US federal authorities are offering a reward of up to $10 million for information that helps identify or locate members of a Russian state-linked cyber group accused of compromising thousands of Signal and WhatsApp accounts.

The attackers have targeted investigative journalists, US government employees, military personnel, political figures, and other individuals considered valuable intelligence targets.

Phishing Campaign

The operation has remained active since at least March, when the FBI warned about phishing campaigns linked to Russian intelligence services.

The attackers send messages that appear to come from automated support services. These messages ask users to click a link or provide verification codes or account passcodes.

When users follow the instructions, they may unknowingly connect an attacker-controlled device to their account. In other cases, the attackers take full control of the account and lock out the owner.

Once connected, the attackers can read new messages sent to the compromised account. However, a Signal security feature prevents them from accessing earlier conversations through this method.

The FBI said the campaign targets people with high intelligence value, including current and former US government officials, military personnel, political figures and journalists.

Campaign Expands

The FBI published an update last week warning that the campaign had evolved.

In addition to posing as support bots and tricking users into linking an attacker-controlled device, the attackers now direct users to create backups of their previous Signal communications.

A follow-up message then asks targets to provide the long passcode used to encrypt backups stored on Signal’s servers. This allows the attackers to access previous Signal conversations.

The FBI identified the two Russian government-linked groups behind the campaign as UNC5792 and UNC4221.

One phishing message contains text similar to the following:

Signal is here

Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.

An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries.

In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.

Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan).

Click the “Accept” button in the pop-up and stay tuned for security updates on our messenger.

Stay safe and thank you for using the most secure messenger with end-to-end encryption.

If you have any questions, send /help

Another version of the message reads:

Action Required: Data Recovery Needed

Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.

To avoid losing your messages and media:

Go to Settings -> Backups -> Configure -> Enable Backups -> View Recovery Key.

Copy the recovery key to your clipboard.

Paste the key into this chat.

This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data.

$10 Million Reward

On Monday, the US State Department announced a reward of up to $10 million for information about the identities or locations of anyone involved in the campaign.

The reward is available through the State Department’s Rewards for Justice program, also known as RFJ.

The department said the attackers had also abused a Signal feature that allows users to create links inviting other people to group conversations.

“Under this reward offer, RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” the State Department said.

It added that UNC5792 had carried out widespread phishing campaigns targeting the Signal and WhatsApp accounts of US government officials, military leaders and allied personnel.

In some cases, members of UNC5792 modified legitimate group invitation pages to redirect users to malicious links. These links connected an attacker-controlled device to the victim’s Signal account.

The State Department said the attackers did not exploit any security weakness in the platforms’ encryption systems. However, the campaign has still compromised thousands of individual accounts on commercial messaging applications.

Phishing Remains Effective

US intelligence officers, diplomats and journalists may appear unlikely to fall for such scams. However, a person who is tired, sleep-deprived or distracted may respond without properly checking a message.

Phishing remains one of the most effective methods for accessing online accounts, despite requiring relatively limited technical skills.

Recovery Key Warning

Users who have already provided their Signal backup key must generate a new backup recovery key.

The FBI said users should create a new key through Signal’s settings. Doing so will invalidate the previous key for future backup downloads.

However, generating a new key cannot prevent an attacker from accessing a backup that has already been downloaded using the original key.

Safety Advice

Legitimate commercial messaging application support services will not ask users to provide verification codes inside the application.

Support services also do not send links asking users to verify or restore their accounts.

Users should never provide a verification code without confirming that the request came through an official communication channel.

Users should also avoid reacting immediately to messages that create a sense of urgency. Even when a request is legitimate, waiting an additional hour or two will rarely result in a penalty.
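
The advice above can be turned into a simple triage check for inbound chat messages. The following is an added example, not code from the FBI, the State Department or Signal; the rule names, patterns and thresholds are assumptions, and the sample texts are abridged excerpts of the two lures quoted in this article plus two constructed messages.

```python
import re

# Heuristic triage for inbound chat messages that claim to come from support.
# Rule names, patterns and thresholds are assumptions made for this example.
RULES = {
    "secret_named": re.compile(
        r"\b(recovery key|verification code|passcode)\b", re.I),
    "secret_handover": re.compile(
        r"\b(paste|send|enter|provide)\b[^.\n]{0,60}\b(key|code|passcode)\b", re.I),
    "backup_key_walkthrough": re.compile(
        r"settings\s*->\s*backups\b.*view recovery key", re.I | re.S),
    "urgency_or_loss": re.compile(
        r"\b(action required|permanent loss|at risk|failure to|not to lose|avoid losing)\b",
        re.I),
    "link": re.compile(r"https?://\S+", re.I),
}

def indicators(message):
    """Names of every rule that matches, in the order RULES defines them."""
    return [name for name, rx in RULES.items() if rx.search(message)]

def verdict(message):
    """'block' if the text solicits a secret, 'review' on two softer signals."""
    hits = indicators(message)
    if "secret_handover" in hits or "backup_key_walkthrough" in hits:
        return "block"
    return "review" if len(hits) >= 2 else "allow"

# Abridged excerpts of the two lures quoted in the article.
LURE_A = ("Not to lose your messages and media, set up your Signal Backup "
          "(Settings -> Backups -> Enable backups -> View recovery key -> "
          "Copy to clipboard -> Next -> Enter the recovery key -> Next)")
LURE_B = ("Action Required: Data Recovery Needed\n"
          "Go to Settings -> Backups -> Configure -> Enable Backups -> "
          "View Recovery Key.\nPaste the key into this chat.")
# Constructed messages for contrast (not from the article).
LINK_ONLY = "Action required: restore your account at https://example.invalid/restore"
BENIGN = "Are we still meeting at 3pm? I'll send the agenda later."

if __name__ == "__main__":
    for text in (LURE_A, LURE_B, LINK_ONLY, BENIGN):
        print(verdict(text), indicators(text))
```

A message that merely mentions a code scores lower than one that asks for it to be pasted or entered, which matches the distinction the advice draws.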
