Russian Intelligence Uses Fake Support Texts to Hijack Messaging Accounts

The Security Service of Ukraine and the FBI uncover a coordinated Russian campaign targeting high-value messaging accounts via deceptive support bots.

A joint SBU and FBI investigation exposes a Russian cyber-espionage campaign using fake support texts to hijack officials’ messaging accounts.

A joint investigation by the Security Service of Ukraine (SSU) and the United States Federal Bureau of Investigation (FBI) has uncovered a sophisticated, long-running cyber-espionage campaign orchestrated by Russian intelligence services. The operation shifts away from malware-heavy payloads, relying instead on high-precision social engineering to break into the encrypted messaging accounts of government officials, military personnel, politicians, and civil activists across Ukraine, Europe, and the United States.

According to original reports, the primary goal of the offensive is to exfiltrate highly sensitive military strategies, economic forecasts, and internal political communications. Rather than trying to break the underlying end-to-end encryption protocols of secure communication applications, the attackers are bypassing technical defenses entirely by tricking users into volunteering their account credentials.

The Anatomy of the Support Bot Mirage

The mechanics of the operation rely heavily on artificial urgency and brand impersonation. Targets receive SMS text messages or in-app alerts carefully designed to mimic official security warnings from the messaging platform’s automated support desk or tech helper bots.

As detailed in an official briefing, these deceptive alerts are systematically deployed during specific times, most frequently in the early morning hours. Threat actors capitalize on this window when victims are waking up, betting that physical and emotional fatigue will lower their traditional cybersecurity defenses.

The messages typically warn the target of a catastrophic “imminent data loss” or claim that a mandatory security patch is required to keep the account active. To “fix” the issue, the fake support bot provides a link or instructions coaxing the user into disclosing critical account configuration logs, verification codes, or personal account identification numbers (PINs).

Chasing the Keys to the Kingdom

While the SSU’s warning encompasses broad commercial messaging platforms, a simultaneous technical advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) clarifies a dangerous evolution in the threat actors’ playbook. The core of the updated strategy focuses specifically on capturing Signal Backup Recovery Keys.

As documented by tracking tools, state-backed threat groups are no longer just looking for short-lived, one-time SMS verification codes. Instead, they walk victims through a step-by-step social engineering script that instructs them to enable chat backups, copy their unique 30-digit alphanumeric backup recovery key, and paste it directly into the fraudulent support chat.

Once an attacker obtains this recovery key, they gain persistent access to the victim’s entire historical archive of decrypted private messages and group conversations. Even if a targeted official deletes their account and registers a new profile under the same phone number, the stolen key remains valid, giving foreign intelligence a continuous backdoor into their private communications.

Attributing the Digital Scourge

Western and Ukrainian intelligence agencies have mapped these overlapping infrastructure chains to prominent state-sponsored threat clusters. The ongoing campaign has been linked directly to Russian Intelligence Services (RIS), encompassing specialized units within the Federal Security Service (FSB) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The activity directly aligns with groups tracked globally as Star Blizzard, UNC5792, and UNC4221.

To neutralize the active threat, the SSU and FBI are urging public figures and private citizens alike to treat any direct message from an embedded “support bot” as inherently hostile. Users are advised to regularly audit the linked devices listed in their app settings, enable strong hardware-based two-factor authentication, and remember that a legitimate messaging platform will never ask for a backup recovery key or a verification code under any circumstances.

About the Author

Jennifer Sakmufuwo Baba

Jennifer Sakmufuwo Baba is a tech analyst and writer covering artificial intelligence, fintech, and emerging technologies at TechRegard. Based in Nigeria, she's passionate about translating complex tech developments into compelling, accessible stories for diverse audiences. Her work focuses on how technology shapes innovation across Africa and globally.