Russian Intelligence Uses Fake Support Texts to Steal Ukrainian Messaging Credentials, Kyiv Says


Key Takeaways

  • The Security Service of Ukraine (SSU) and the FBI uncovered a prolonged Russian‑intelligence operation that hijacks messaging accounts of officials, military personnel, politicians, activists, and private Ukrainian users across Ukraine, Europe, and the United States.
  • Attackers send fraudulent SMS messages that pose as the support bot of popular messaging apps, tricking victims into revealing login credentials, backup recovery keys, or two‑factor authentication codes.
  • While the SSU did not name a specific hacking group, similar campaigns targeting Signal and WhatsApp have been tied to Russian threat clusters known as Star Blizzard, UNC5792 (UAC‑0195), and UNC4221 (UAC‑0185).
  • Protective steps include auditing active sessions, enabling multi‑factor authentication, refusing QR codes or codes from unknown sources, and avoiding suspicious links or files.
  • The FBI separately attributed the activity to Russian Intelligence Services (RIS) conducting a commercial‑messaging‑application (CMA) phishing drive aimed at stealing backup recovery keys from high‑value targets.
  • CERT‑UA linked a Belarus‑aligned actor, UNC1151 (also called Ghostwriter/UAC‑0057), to a spear‑phishing effort that distributes the OYSTERBLUES information‑stealer via compromised government accounts.
  • Together, these findings illustrate a coordinated espionage strategy that exploits trusted messaging platforms to harvest sensitive political, military, and economic data.
  • Continuous vigilance, regular security hygiene, and timely threat‑intelligence sharing are essential to mitigate the evolving risk posed by these credential‑phishing campaigns.

Overview of the Joint SSU‑FBI Investigation
The Security Service of Ukraine (SSU), in collaboration with the United States Federal Bureau of Investigation (FBI), announced that they have identified a long‑running cyber‑espionage campaign orchestrated by Russian intelligence services. The operation focuses on infiltrating the messaging accounts of a broad spectrum of targets, including government officials, military personnel, politicians, activists, and ordinary Ukrainian citizens. By compromising these accounts, the attackers aim to exfiltrate sensitive military, political, and economic communications, as well as personal data that could be leveraged for further intelligence gathering or influence operations. The joint statement emphasized that the threat is not confined to a single nation but extends across Ukraine, Europe, and the United States, reflecting a trans‑national effort to gather strategic information through seemingly innocuous channels.


Tactics Used: SMS Impersonation and Credential Harvesting
The core technique employed by the threat actors involves sending Short Message Service (SMS) messages that masquerade as official support bots from popular messaging applications such as Signal, WhatsApp, or Telegram. These messages typically claim that the recipient’s account requires verification or a security update, or that suspicious activity has been detected, prompting the user to click a link or reply with sensitive information. Victims are coaxed into divulging their login credentials, two‑factor authentication (2FA) codes, PINs, or backup recovery keys. Once obtained, the attackers can seize control of the messaging session, read existing conversations, send messages on behalf of the compromised user, and harvest any attached files or media. The reliance on SMS‑based social engineering exploits the inherent trust users place in official‑looking communications and bypasses many app‑level security controls that rely solely on in‑app verification codes or keys.


Target Profile: Government, Military, Political Figures and Civilians
The campaign’s victim list is deliberately wide‑ranging. High‑profile targets include senior government officials, defense ministry staff, intelligence analysts, and elected representatives whose communications often contain classified or strategically valuable information. Military personnel are also targeted to glean operational plans, troop movements, or logistics details. Politicians and activists are sought after for their insights into policy debates, public sentiment, and potential vulnerabilities that could be exploited in influence campaigns. Notably, the SSU highlighted that the operation is not limited to institutional accounts; numerous personal messaging accounts belonging to everyday Ukrainian nationals have also been compromised. This breadth suggests that the attackers are collecting a mosaic of data—from strategic secrets to personal identifiers—that can be assembled into a comprehensive picture of national security, societal dynamics, and potential leverage points for future operations.


Attribution Challenges and Links to Known Russian Threat Clusters
Although the SSU stopped short of assigning the campaign to a specific hacking group, they noted that the observed tactics, techniques, and procedures (TTPs) align closely with several previously documented Russian threat actors. Campaigns targeting Signal and WhatsApp users have been publicly attributed to clusters tracked as Star Blizzard, UNC5792 (also known as UAC‑0195), and UNC4221 (UAC‑0185). These groups are known for conducting credential‑phishing operations, leveraging SMS and instant‑message lures, and focusing on high‑value targets in governmental and military sectors. The overlap in lure phrasing, infrastructure patterns (such as use of short‑lived domains and disposable SMS gateways), and post‑compromise behavior (exfiltration of chat logs and media) strongly suggests a common provenance or at least a shared playbook among Russian intelligence‑backed units. The SSU’s cautious attribution reflects the difficulty of pinpointing a single actor in a landscape where multiple Russian‑affiliated teams may employ similar methodologies.


Recommended Defensive Measures for Users and Organizations
To mitigate the risk posed by these credential‑harvesting attempts, the SSU and FBI advise a series of practical security hygiene steps. Users should routinely review active sessions within their messaging apps and terminate any unfamiliar or unverified connections. Enabling two‑factor authentication (2FA) wherever possible adds a critical barrier, though users must remain vigilant against 2FA‑bypass tactics that seek to capture one‑time codes. It is essential never to scan QR codes or enter confirmation codes, PINs, passwords, or recovery keys received from unsolicited or unknown contacts. Likewise, clicking on links or opening file attachments from dubious chats should be avoided unless the source can be independently verified. Organizations are encouraged to enforce strict mobile‑device management policies, deploy anti‑phishing training that includes SMS‑based lures, and monitor for anomalous authentication attempts or unexpected device registrations. By combining technical controls with user awareness, the likelihood of successful credential theft can be substantially reduced.
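As an added illustration, not code from the SSU, FBI or this article, the following Python triage heuristic scores a reported SMS text against the lure pattern described above (impersonation of a messaging app's support bot, a request for codes, PINs or recovery keys, an urgency pretext, and a link) so that a help desk or SOC can prioritise reported messages for the anti‑phishing follow‑up recommended here. The keyword lists, thresholds and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample messages for testing; these are not real lures from any report.
SAMPLE_MESSAGES = [
    "Signal Support Bot: suspicious activity detected on your account. "
    "Verify now: https://signa1-verify.example/login and reply with your 6-digit code",
    "WhatsApp Security: your backup recovery key must be re-entered within 24 hours "
    "or the account will be suspended.",
    "Hi, are we still meeting at 3pm tomorrow?",
    "Your package is out for delivery. Track: https://courier.example/track/123",
]

# Assumed keyword lists; tune them to the lures actually seen in your environment.
APP_NAMES = ("signal", "whatsapp", "telegram")
SUPPORT_WORDS = ("support", "security", "bot", "team", "verification")
SECRET_RE = re.compile(
    r"\b(recovery key|backup key|verification code|\d-digit code|pin|password|login code|qr code)\b"
)
URGENCY_WORDS = ("suspicious activity", "suspended", "within 24 hours",
                 "verify now", "security update", "immediately")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class LureAssessment:
    score: int
    reasons: list


def assess_sms(text: str) -> LureAssessment:
    """Score one SMS body; higher means closer to the support-bot credential lure."""
    t = text.lower()
    score, reasons = 0, []
    if any(a in t for a in APP_NAMES) and any(w in t for w in SUPPORT_WORDS):
        score += 3; reasons.append("impersonates messaging-app support")
    if SECRET_RE.search(t):
        score += 3; reasons.append("asks for code, PIN or recovery key")
    if any(u in t for u in URGENCY_WORDS):
        score += 2; reasons.append("urgency or account-threat pretext")
    if URL_RE.search(t):
        score += 1; reasons.append("contains a link")
    return LureAssessment(score, reasons)


def is_credential_lure(text: str, threshold: int = 5) -> bool:
    """Threshold of 5 (assumed) requires impersonation or a secret request plus a second signal."""
    return assess_sms(text).score >= threshold


def triage(messages):
    """Return (index, score) for messages that should be escalated, highest score first."""
    hits = [(i, assess_sms(m).score) for i, m in enumerate(messages) if is_credential_lure(m)]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for i, s in triage(SAMPLE_MESSAGES):
        print(i, s, assess_sms(SAMPLE_MESSAGES[i]).reasons)
```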


FBI’s Attribution of Russian Intelligence Services to CMA Phishing Campaign
In a parallel development, the FBI attributed the observed activity to Russian Intelligence Services (RIS) conducting an ongoing commercial‑messaging‑application (CMA) phishing campaign. According to the bureau, the operation specifically targets high‑value individuals—such as senior officials, defense contractors, and corporate executives—by attempting to coax them into surrendering their backup recovery keys for messaging platforms. Possession of these keys enables attackers to restore an account on a new device without needing the password, effectively granting persistent access even if the victim later changes their login credentials. The FBI’s assessment underscores that the goal extends beyond opportunistic data theft; it aims to establish long‑term, covert channels for exfiltrating sensitive communications and facilitating future espionage or influence operations. The attribution aligns with broader U.S. government assessments that Russian state‑linked actors continue to exploit trusted communication platforms as low‑cost, high‑impact vectors for intelligence collection.


CERT‑UA’s Link to Belarus‑Aligned UNC1151 and the OYSTERBLUES Stealer
The Computer Emergency Response Team of Ukraine (CERT‑UA) added another layer to the threat landscape by linking a Belarus‑aligned threat actor, designated UNC1151 (also known as Ghostwriter or UAC‑0057), to a spear‑phishing initiative that distributes the OYSTERBLUES information‑stealer. In this campaign, compromised government accounts are used as trusted senders to deliver malicious links or attachments to other officials within the same or allied institutions. Once a victim interacts with the lure, OYSTERBLUES is deployed, harvesting credentials, browser data, cryptocurrency wallets, and other sensitive information from the infected system. The use of hijacked legitimate accounts increases the likelihood that recipients will trust the message, thereby improving the success rate of the malware delivery. CERT‑UA’s findings illustrate how credential‑phishing and malware distribution can be combined in a multi‑stage operation, first gaining access to messaging platforms and then leveraging that foothold to deploy more persistent espionage tools on victims’ devices.


Broader Implications for Messaging Security and Cyber Espionage
Taken together, these disclosures reveal a sophisticated, multi‑pronged espionage strategy that treats messaging applications as both a conduit for intelligence gathering and a launchpad for further malicious activity. By exploiting the inherent trust users place in official‑looking SMS messages and in‑app notifications, attackers bypass many traditional defenses that focus on email or web‑based phishing. The persistence of such campaigns—despite widespread awareness of smishing (SMS phishing) tactics—highlights the need for continuous adaptation in both technology and user behavior. For nation‑states and corporations alike, the compromise of messaging channels can lead to the loss of classified negotiations, diplomatic cables, strategic military plans, and proprietary economic data, all of which can be exploited to gain geopolitical or economic advantage. Moreover, the linkage to Belarus‑aligned actors underscores the increasingly collaborative nature of cyber threat ecosystems, where state‑supported groups share tools, infrastructure, and TTPs to amplify their impact.


Conclusion: Ongoing Vigilance Required
The joint SSU‑FBI advisory, supplemented by FBI and CERT‑UA attributions, serves as a stark reminder that messaging platforms remain a fertile ground for cyber‑espionage. While technical safeguards such as session audits, two‑factor authentication, and link‑scanning solutions are vital, they must be complemented by rigorous user education that stresses skepticism toward unsolicited requests for credentials or recovery keys—regardless of how official they appear. Organizations should integrate mobile‑threat monitoring into their broader security operations centers, ensuring that anomalous authentication events trigger immediate investigation. As Russian intelligence services and their allies continue to refine their lures and infrastructure, maintaining a proactive, layered defense posture will be essential to safeguard the confidentiality and integrity of the communications that underpin modern governance, defense, and commerce.
