Ukraine and CERT-UA Document Russian Intelligence Phishing of Messaging Credentials
A Russian-intelligence campaign against messaging-app credentials, documented by Ukraine, uses fake support texts to coax Signal and WhatsApp users into surrendering the codes that unlock their accounts.
KYIV — Ukraine on June 28, 2026 published a joint warning, issued by its Security Service (SSU) and the Computer Emergency Response Team of Ukraine (CERT-UA) together with the U.S. Federal Bureau of Investigation (FBI), documenting a long-running Russian-intelligence campaign that phishes the credentials behind encrypted messaging apps. According to the Ukrainian authorities, attackers send text messages crafted to look like a messaging platform's own support service, then steer recipients into disclosing the credentials and recovery codes that would let an outsider take over their accounts. The targets are not limited to organizations and public figures: the SSU said the campaign also reaches personal accounts belonging to ordinary Ukrainian nationals.
The advisory is framed for defenders rather than for a single breach. It describes a method any messaging-app user can recognize and refuse, and it arrives as part of a wider Western response to Russia-aligned targeting of Signal and WhatsApp — a thread The CyberSignal has followed through earlier Signal recovery-key phishing coverage and through Germany's attribution of Signal phishing against lawmakers to Russia.
At a Glance
| Field | Details |
|---|---|
| Disclosed by | SSU and CERT-UA (Ukraine), with the FBI (US) |
| Attribution (reported) | Russian intelligence services; no single named cluster |
| Target apps | Signal and WhatsApp |
| Method | Fake "support" SMS soliciting credentials and recovery codes |
| Audience | Officials, military, journalists, activists, and private nationals |
| Status | Active; sector advisory issued June 28, 2026 |
What Ukraine and CERT-UA Documented
The Security Service of Ukraine said that, together with the FBI, it had uncovered a sustained operation run by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, journalists, and activists across Ukraine, Europe, and the United States. The mechanism described is deliberately mundane: text messages that masquerade as the support service of a messaging platform and urge the recipient to confirm or disclose account information. There is no exotic malware at the center of this story; the lever is the user's own trust in a message that looks as if it came from the app itself.
Two details in the Ukrainian account are useful for defenders. First, the SSU said the SMS lures tend to arrive in the morning hours, when people are more likely to react reflexively to an apparently urgent account notice before they are fully alert. Second, the agency emphasized that the campaign is not confined to high-profile organizations or public figures; it also reaches personal accounts belonging to ordinary Ukrainian nationals, which widens the pool of potential targets well beyond the obvious intelligence-value list.
Crucially, the Ukrainian authorities did not pin the campaign on a single named hacking group. They attributed it to Russian intelligence services in general rather than to a specific cluster, and that distinction matters: it is the documented method and the state-level attribution that are confirmed here, not a particular code name. The activity nonetheless rhymes with Russia-aligned waves catalogued elsewhere — research and government reporting have linked similar Signal and WhatsApp targeting to clusters tracked as Star Blizzard, UNC5792 (overlapping with CERT-UA's UAC-0195), and UNC4221 (UAC-0185) — and it fits the same pattern The CyberSignal documented when Germany publicly blamed Russia for Signal phishing aimed at members of parliament.
Defender Posture for Messaging-App Users in High-Risk Roles
The defensive lesson is unusually clean because the attack depends on a single human action. The credentials, confirmation codes, PIN codes, passwords, and account-recovery keys that these messages ask for are exactly the items that a legitimate support service never requests over chat or SMS. The platform itself will text a verification code when an account is registered on a new phone, but it never asks the user to send that code to anyone; a message that does is the attack. Treating any inbound message that solicits one of those items as hostile, regardless of how official the sender appears, closes the path the campaign relies on.
For individuals in high-risk roles, the concrete steps map directly onto the threat. Turn on the app's re-registration protection (Signal's Registration Lock PIN, WhatsApp's two-step verification PIN) so that a stolen SMS code alone cannot re-register the number; never share a confirmation code or recovery key with anyone; and refuse to scan QR codes or follow account-linking prompts that arrive from unknown contacts, since linking a device is how an attacker who has talked a victim through the flow obtains a silent, persistent copy of the account. Both Signal and WhatsApp let a user review the devices currently linked to an account; periodically auditing that list and logging out any unfamiliar session is one of the few ways to detect a successful device-linking takeover after the fact.
Organizations supporting these users can reinforce the same behavior at scale. Because the lure is an SMS that impersonates a platform's support bot, awareness messaging should name the specific deception — that no messaging app texts you to ask for your code or recovery key — rather than offering generic anti-phishing advice. The morning-hour timing the SSU described is a reminder that urgency is the manipulation; building a habit of pausing on any account-security message, especially first thing in the day, is itself a control.
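For organizations that can see inbound SMS (through a mobile-device-management feed, an SMS gateway, or user-forwarded reports), the discriminator this section keeps returning to can be encoded directly: a genuine platform SMS delivers a code and tells you not to share it, while a lure asks you to send a code, PIN or recovery key back. The Python triage heuristic below is an added example, not code from the SSU/CERT-UA advisory or from The CyberSignal's reporting. Its regexes, weights, sender strings and sample messages (including a recovery-key-style lure of the kind the FBI cross-reference below describes) are constructed assumptions for demonstration, not indicators from the advisory, and a real deployment would tune them.

```python
"""Triage heuristic for SMS lures that impersonate messaging-app support.

Added example, not code from the SSU/CERT-UA advisory or from The CyberSignal.
The discriminator it encodes: a genuine platform SMS *delivers* a code and tells
you not to share it; a lure asks you to *send back* a code, PIN or recovery key.
All patterns, weights and sample messages below are constructed assumptions.
"""
import re
from dataclasses import dataclass

PLATFORMS = r"(?:signal|whatsapp)"

# Body or sender claiming to be the platform's own support/security team.
IMPERSONATION = re.compile(
    PLATFORMS + r"\W{0,3}(?:official\s+)?(?:support|help\s?desk|security|team|service)",
    re.I,
)

# "Do not share this code with anyone" is what a real one-time-code SMS says.
# Strip negated clauses first so they cannot trigger the solicitation check.
NEGATED = re.compile(
    r"\b(?:do not|don'?t|never)\s+(?:share|send|give|forward|disclose|reply with)\b[^.!?\n]*",
    re.I,
)

# A request to hand the secret back to the sender, within one sentence.
SOLICITS_SECRET = re.compile(
    r"\b(?:reply|send|share|forward|provide|paste|give|tell|text)\b"
    r"[^.!?\n]{0,40}?\b(?:code|pin|password|recovery key|backup key|verification)\b",
    re.I,
)

# Pressure words; the SSU's "morning hours" observation is about exactly this reflex.
URGENCY = re.compile(
    r"\b(?:suspicious|suspended|locked|deleted|immediately|urgent|within \d+|expires?|failed|unauthori[sz]ed)\b",
    re.I,
)


@dataclass
class Verdict:
    flagged: bool
    score: int
    reasons: list


def triage_sms(sender: str, body: str, threshold: int = 4) -> Verdict:
    """Score one inbound SMS; solicitation of a secret dominates the score."""
    text = NEGATED.sub("", f"{sender} {body}")
    score, reasons = 0, []
    if IMPERSONATION.search(text):
        score += 2
        reasons.append("impersonates platform support")
    if SOLICITS_SECRET.search(text):
        score += 3
        reasons.append("asks recipient to hand over code/PIN/recovery key")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency pressure")
    return Verdict(flagged=score >= threshold, score=score, reasons=reasons)


# Constructed samples (hypothetical senders and text, not indicators from the advisory).
SAMPLES = {
    "lure_code": (
        "Signal Support",
        "Suspicious login detected on your account. Reply with the 6-digit "
        "verification code we just sent you to keep your messages.",
    ),
    "lure_recovery": (
        "+1 555 0100",
        "WhatsApp Help Desk: your chat backup failed. Open Settings > Chats > "
        "Chat backup, turn it on and paste the recovery key here so we can restore it.",
    ),
    "legit_otp": (
        "Signal",
        "Your Signal verification code is 482-913. Do not share this code with anyone.",
    ),
    "friend": ("Olena", "Still on for lunch at 1? Send me the address."),
}


def run_samples() -> dict:
    """Triage every sample; returns name -> Verdict."""
    return {name: triage_sms(sender, body) for name, (sender, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        flag = "FLAG " if verdict.flagged else "ok   "
        print(f"{flag} {name:<14} score={verdict.score} {'; '.join(verdict.reasons)}")
```

The weighting is deliberate: a request to send a secret back scores highest on its own, because that single behavior is what no legitimate support channel does, while impersonation and urgency only raise confidence. Stripping negated clauses before matching is what keeps the platform's own "do not share this code" delivery message from being flagged, which is the false positive that would otherwise train users to ignore the alert.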
The US Reward and FBI Advisory Cross-Reference
The Ukrainian disclosure does not stand alone. One day later, on June 29, 2026, the United States paired a State Department reward of up to $10 million with an FBI advisory addressing the same family of Russia-aligned phishing against Signal and WhatsApp, a development The CyberSignal covers separately in its report on the US $10 million reward and FBI advisory. Read together, the two announcements describe a single coordinated threat from two vantage points: Kyiv documenting the method on the ground, and Washington attaching financial and investigative weight to the actors behind it.
The FBI's contribution sharpens one element that the Ukrainian advisory keeps general. U.S. reporting has tied the broader commercial-messaging-application phishing effort to Russian Intelligence Services and, in earlier notices, to a recovery-key variant in which the lure walks a target through enabling Signal backups and then pasting the Recovery Key into the chat — a maneuver that grants persistent access to message history even after a device change. The CERT-UA SMS lure and the FBI's recovery-key technique are best understood as two delivery methods serving the same goal: capturing the secret that unlocks an account.
For defenders, the value of the cross-reference is corroboration. When an allied service documenting attacks inside its own borders and a U.S. agency attaching a multimillion-dollar bounty describe the same targets, the same apps, and the same trust-exploiting method within a day of each other, the threat moves from a single-source claim to a well-established, multi-government finding worth acting on immediately.
Five-Eyes Coordination Context
The SSU-FBI partnership behind this advisory is one node in a denser web of cross-border coordination that has defined the Western cyber posture toward Russia-aligned activity in 2026. The same period has seen allied governments move in concert on adjacent fronts, including a Five Eyes frontier-AI cybersecurity statement that signaled shared priorities across the intelligence-sharing alliance. The throughline is that no single country now publishes attribution in isolation; warnings are increasingly issued jointly, or in rapid succession, to compound their deterrent and defensive effect.
That coordination is consequential for the credibility of a finding like this one. A bilateral Ukraine-US advisory, landing beside a U.S. reward offer and within a broader cadence of allied statements, is far harder to dismiss as politically convenient than a unilateral claim would be. It also accelerates defensive uptake: indicators and behavioral guidance that surface through one government's channel are quickly mirrored through others, shortening the time between disclosure and protective action for organizations that follow any one of them.
The targeting profile reinforces why the alliance treats messaging-app compromise as a strategic problem rather than a consumer-security nuisance. The same Russia-aligned ecosystem has been documented attempting to weaponize mainstream AI assistants against Ukrainian targets — coverage The CyberSignal carried in its report on GreyVibe's abuse of ChatGPT and Gemini in attacks on Ukraine — which underscores that messaging credentials are one prize among several in a sustained, well-resourced intelligence effort.
Open Questions
Several points remain genuinely open, and the advisory's own restraint is the reason. Because the SSU and CERT-UA declined to name a single cluster, the precise operator — or the mix of operators — behind this specific SMS campaign is not publicly confirmed; the clusters catalogued in related reporting are context, not the established attribution of this particular wave. Readers and defenders should treat the named groups as illustrative of the broader pattern rather than as a confirmed byline for these texts.
The scale of successful compromise is likewise unstated. The Ukrainian advisory documents the method and the breadth of targeting, but it does not quantify how many accounts have actually been taken over through this SMS vector, nor how the success rate compares with the recovery-key variant the FBI has described. Those figures may emerge in later reporting, and where they do, The CyberSignal will weigh them against what is confirmed today.
What is confirmed is enough to act on now. Two governments, working together, have documented a Russia-aligned campaign that phishes Signal and WhatsApp credentials through fake support texts, targets a wide audience from officials to private citizens, and aligns with a same-week U.S. reward and FBI advisory on the identical threat. For anyone in a high-risk role, the prudent reading is to assume the lures are already in circulation, to refuse any message that asks for a code or recovery key, and to audit linked-device lists now rather than after an account goes quiet.