- The FBI has linked an ongoing messaging app phishing campaign to Russian intelligence cyber actors
- The phishing campaign targets government officials, military personnel, journalists and Ukraine-based officials
- The attackers pose as customer support staff to steal verification codes, PINs and recovery keys
The FBI has announced that clusters of Russian intelligence services cyberthreat actors are behind an ongoing phishing campaign targeting users of a commercial messaging application, or CMA.
The Potomac Officers Club’s 2026 Intel Summit on Sept. 24 will bring together intelligence community leaders and industry executives to discuss AI, cyber capabilities and the technologies shaping the future of intelligence operations. Register today.
Who Is Being Targeted by Russian Cyber Groups?
According to the federal alert released by the FBI and the Cybersecurity and Infrastructure Security Agency Friday, the phishing campaign targets current and former U.S. and international government officials, political figures, military personnel, journalists and officials in Ukraine. It has been attributed to Russian Federal Security Service officers embedded with the FSB Border Guards and other individuals working on behalf of Russian military services. The bureau said threat actors have breached individual CMA accounts, though the application’s encryption and core platform remain uncompromised.
The agencies initially released a public service announcement in March warning that Russian intelligence-linked cyber actors were targeting CMA users.
How Does the Phishing Campaign Work?
The FBI said the attackers impersonate automated customer support accounts to persuade victims to disclose verification codes, account PINs and backup recovery keys. If successful, the actors can access historical private and group messages and take control of compromised accounts. The bureau warned that a compromised backup recovery key remains valid even if a victim creates a new account using the same phone number.
What Mitigation Steps Did the FBI Recommend?
To reduce the risk of future account takeovers, the FBI advised affected users to generate a new Backup Recovery Key in the application’s settings, thereby invalidating the previously exposed key for future backup downloads. The bureau cautioned, however, that changing the recovery key does not prevent attackers from accessing any account backups already obtained before the key was replaced.
