SSU and FBI Uncover Russian Cyber Espionage Operation Against Officials and Military Personnel
Published 2026-6-29 08:57:25, source: securityaffairs.com

Ukraine’s SSU and the FBI Just Confirmed Russian Intelligence Has Been Systematically Hacking Messenger Accounts for Years.

The Security Service of Ukraine (SSU), working jointly with the FBI, has formally exposed a sustained Russian intelligence campaign targeting the messaging accounts of government officials, military personnel, politicians, and activists across Ukraine, Europe, and the United States.

The operation is ongoing. The goal isn’t disruption; it’s intelligence collection.

“Cyber experts of the Security Service of Ukraine together with the Federal Bureau of Investigation exposed Russian special services in systematic cyberattacks on messengers of officials, military personnel, politicians and activists from Ukraine, Europe and the USA,” reads the alert by SSU.

“The purpose of these ‘hacks’ is to gain access to sensitive information of a military, political and economic nature that was exchanged between users, as well as to steal their personal data.”

The attack method is low-tech by design. Operators send SMS messages impersonating platform support bots, asking targets to hand over account credentials, confirmation codes, PINs, or account recovery keys. The SBU notes that these messages tend to arrive in the morning hours, when targets are physically and emotionally less guarded. Timing is a social engineering choice, not an accident.

The scope is broader than most people assume.

“The SBU emphasizes that Russian special services and hackers associated with them attack not only organizations, officials or public figures, but also personal accounts of Ukrainians,” continues the alert.

This isn’t a targeted elite program. It’s a mass collection operation with a tiered approach: high-value targets get more sophisticated techniques, ordinary citizens get the SMS impersonation play. The SBU didn’t attribute the campaign to a specific group by name, but prior reporting from Google, the FBI, and CISA ties similar activity to clusters tracked as UNC5792 and UNC4221, both linked to FSB operations, as well as Star Blizzard.

The FBI’s June 26 advisory added a new technique to what the March warning described. Russian operators have evolved from chasing one-time verification codes to specifically targeting Signal Backup Recovery Keys, which unlock an account’s entire message history and remain valid even if the user creates a new account with the same phone number afterward. This is a meaningful escalation: a stolen verification code expires, a stolen Recovery Key doesn’t.

QR codes are another active vector the SBU specifically calls out. Scanning a QR code received from an unknown bot or user can silently link the attacker’s device to the victim’s account, a technique Google’s Threat Intelligence Group documented against Signal’s linked-devices feature in early 2025.

“Russian hackers use a variety of tools and methods for such cyberattacks. For example, to extract passwords to an account, the enemy most often uses SMS messages on behalf of ‘support teams’,” states SSU.

The variety matters: blocking one delivery mechanism doesn’t stop the campaign, because the operators rotate techniques and targeting lists continuously.

The SBU’s practical guidance covers the basics that still fail most users in practice. Check active sessions in your messenger regularly and end anything you don’t recognize. Enable two-factor authentication with a complex alphanumeric PIN, not a four-digit code. Never provide confirmation codes, PINs, passwords, or recovery keys to anyone, regardless of how legitimate the request appears. Don’t scan QR codes from unknown sources. Don’t follow suspicious links even from accounts you know, because that account may already be compromised. Anyone who receives a suspicious message in a messenger can report it to the SBU’s Cybersecurity Situation Center at [email protected].
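As an added illustration (not code from the SSU, the FBI or Security Affairs), the Python helper below scores user-reported SMS or messenger texts against the indicators the advisory describes: a sender posing as a platform support team or bot, a request to hand over a confirmation code, PIN, password or backup recovery key, a QR-code or device-linking lure, an embedded link, and delivery in the morning hours. The regexes, weights and review threshold are assumptions chosen for this example, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Indicators from the campaign description; weights/threshold are assumptions.
SUPPORT = re.compile(r"\b(support|security|verification)\s+(team|bot|service|cent(er|re))\b", re.I)
RECOVERY_KEY = re.compile(r"\b(backup|recovery)\s+key\b", re.I)
# A request verb followed, in the same sentence, by a secret the victim should never hand over.
CODE_REQUEST = re.compile(
    r"\b(send|reply with|provide|enter|share|forward|confirm)\b[^.!?]{0,60}?"
    r"\b(confirmation code|verification code|pin|password|passcode)\b", re.I)
DEVICE_LINK = re.compile(r"\bscan\b[^.!?]{0,60}\bqr\b|\blink(ed)?\s+device\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
MORNING = range(6, 10)  # 06:00-09:59 local time, the delivery window the SBU noted

@dataclass
class ReportedMessage:
    sender: str
    received_at: datetime
    text: str

def score_message(msg: ReportedMessage):
    """Return (score, reasons) for one reported message."""
    checks = [
        (SUPPORT.search(msg.sender + " " + msg.text), 2, "impersonates platform support"),
        (RECOVERY_KEY.search(msg.text), 3, "asks for backup recovery key"),
        (CODE_REQUEST.search(msg.text), 2, "asks for code/PIN/password"),
        (DEVICE_LINK.search(msg.text), 2, "QR scan / device-linking lure"),
        (URL.search(msg.text), 1, "contains link"),
        (msg.received_at.hour in MORNING, 1, "morning delivery window"),
    ]
    hits = [(weight, why) for hit, weight, why in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(messages, threshold=4):
    """Senders whose message reaches the threshold and should go to an analyst."""
    return [m.sender for m in messages if score_message(m)[0] >= threshold]

# Constructed sample reports (not real messages); senders are placeholder numbers.
SAMPLES = [
    ReportedMessage("+1 555 0100", datetime(2026, 6, 29, 7, 40), "Signal Support Team: a new device "
                    "signed in to your account. Reply with your backup recovery key to confirm ownership."),
    ReportedMessage("Signal", datetime(2026, 6, 29, 14, 5),
                    "Your Signal verification code is 482913. Do not share it with anyone."),
    ReportedMessage("+1 555 0199", datetime(2026, 6, 29, 8, 15),
                    "Join the volunteers chat, just scan the QR code here: https://example.invalid/join"),
    ReportedMessage("+1 555 0142", datetime(2026, 6, 29, 7, 55),
                    "Good morning, meeting moved to 10:30, see you there."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, *score_message(m))
    print("flag for review:", triage(SAMPLES))
```

The legitimate code-delivery message scores zero because it mentions a code without asking for one, which is the distinction the guidance draws.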

Last week, the FBI and CISA updated their March 2026 warning about Russian intelligence phishing campaigns, and the new advisory adds a detail that wasn’t in the original: the operators have shifted their primary objective from stealing verification codes to stealing Signal Backup Recovery Keys.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

Article source: https://securityaffairs.com/194399/intelligence/ssu-and-fbi-uncover-russian-cyber-espionage-operation-against-officials-and-military-personnel.html