The US government has announced a substantial incentive, offering rewards of up to million for information regarding individuals associated with two cyber threat groups linked to Russian intelligence. These groups, identified as UNC5792 and UNC4221, have been actively targeting a wide range of individuals, including current and former US government officials, military leaders, journalists, political figures, and key personnel in Ukraine.
Cyber Tactics and Phishing Campaigns
Recent alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reveal that these cyber actors have been conducting sophisticated phishing campaigns aimed at commercial messaging applications (CMAs). By masquerading as automated support accounts for these applications, the hackers entice victims into clicking malicious links or sharing verification codes, thereby gaining unauthorized access to their accounts on platforms such as Signal and WhatsApp.
In a concerning update, CISA and the FBI have indicated that the attackers have evolved their tactics. They are now requesting victims to provide their Backup Recovery Keys, which are essential for accessing historical conversations, including both private and group messages. The agencies caution that if a victim inadvertently shares their Backup Recovery Key, it remains valid even if they create a new account using the same phone number. This means that the threat actors could potentially exploit the compromised key to take over the new account in the future.
To mitigate the risks posed by these hackers, users are advised to generate a new Backup Recovery Key, which invalidates the previous one. Note, however, that rotating the key does not undo anything the attacker has already done with it: if a backup of the original account was downloaded before the rotation, it remains in the attacker's hands.
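The lure pattern described above (a sender posing as an application's support account, asking for a verification code, a Backup Recovery Key, or a device-linking action, often with a link and an urgency cue) can be scored with a few heuristic rules. The following Python is an added example written for this page; it is not code from the article, from CISA or the FBI, or from any messaging vendor. The rules, their weights, the threshold of 3, and the five sample messages are all constructed for illustration and would need tuning before use in a real awareness or message-screening tool.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristic rules (name, weight, pattern). Weights and patterns are
# assumptions for this example, not published detection signatures.
RULES = [
    ("impersonates app support", 2,
     re.compile(r"\b((signal|whatsapp|telegram)\s+(support|security|team|helpdesk)"
                r"|automated\s+support)\b", re.I)),
    ("asks for a verification code", 2,
     re.compile(r"\b(verification|confirmation|registration|one[- ]time)\s+(code|pin)\b", re.I)),
    ("asks for a backup recovery key", 3,
     re.compile(r"\b(backup|recovery)\s+(recovery\s+)?(key|passphrase|phrase)\b", re.I)),
    ("mentions device linking or a group invite", 2,
     re.compile(r"\blink(ed|ing)?\s+(a\s+|your\s+|new\s+)?device\b|\bgroup\s+invite\b", re.I)),
    ("applies urgency or a threat", 1,
     re.compile(r"\b(immediately|suspended|locked|expires?|deactivat\w*)\b", re.I)),
    ("contains a URL", 1,
     re.compile(r"https?://\S+", re.I)),
]

# Assumed threshold: a single weak signal (e.g. a friend forwarding a real group
# invite) should not trip the detector; combinations of signals should.
SUSPICIOUS_THRESHOLD = 3


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_message(text: str) -> Verdict:
    """Score one inbound message against the rule set; each rule counts once."""
    verdict = Verdict(score=0)
    for name, weight, pattern in RULES:
        if pattern.search(text):
            verdict.score += weight
            verdict.reasons.append(name)
    return verdict


def triage(messages) -> list:
    """Return (index, Verdict) pairs so a reviewer can sort by score."""
    return [(i, score_message(m)) for i, m in enumerate(messages)]


# Constructed sample messages: three modelled on the lure types described in the
# article, two benign. The domain example.invalid is a reserved placeholder.
SAMPLE_MESSAGES = [
    "Signal Support: your account will be suspended within 24 hours. Reply with the "
    "verification code we just sent you to keep access: https://example.invalid/verify",
    "WhatsApp Security team here. To restore your chat history we need your "
    "Backup Recovery Key. Send it as soon as possible.",
    "Automated support account: to verify ownership, link your device using this "
    "group invite: https://example.invalid/join",
    "Hi, it's Anna. Sending the group invite for Saturday's hike planning chat, see you there!",
    "Running late, can you order for me? I'll be there by 7.",
]

if __name__ == "__main__":
    for i, verdict in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{i}] score={verdict.score} {flag}: {', '.join(verdict.reasons) or '-'}")
```

The weight on the Backup Recovery Key rule is deliberately the highest, because, as the agencies note, a leaked key outlives the account it came from until it is rotated. A plain mention of a group invite from a contact scores below the threshold on its own; it only becomes suspicious in combination with impersonation, a link, or pressure to act.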
Connections to Russian Intelligence
Both UNC5792 and UNC4221 are linked to the Russian intelligence services (RIS). The US government has specifically associated UNC5792 with the Russian Federal Security Service (FSB) Border Guards and UNC4221 with Russian military services. Utilizing social engineering techniques, these malicious actors exploit legitimate device-linking features within secure messaging applications to gain unauthorized access to sensitive communications, contact lists, and group conversations.
Furthermore, the compromised accounts have been used to launch phishing attacks against other high-value targets. In certain instances, the attackers have modified ‘group invite’ pages to connect their own devices to victims’ Signal accounts.
In its pursuit of justice, the US government is keen to gather information that could lead to the identification of the actors behind UNC5792, including their names, locations, and biographies. Additionally, the government seeks insights into their affiliations with RIS, the entities that support them, their infrastructure and tools, as well as their funding sources and financial networks, which encompass banking accounts and cryptocurrency wallets.