CISA and FBI Warn Russian Intelligence Escalates Phishing Campaigns Against Messaging Apps
The FBI and CISA issued an updated joint advisory warning that Russian intelligence services are intensifying phishing campaigns targeting commercial messaging applications used by government and critical infrastructure personnel.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an updated public service announcement on June 26, 2026, warning that Russian Intelligence Services (RIS) continue to aggressively target users of commercial messaging applications through sophisticated phishing campaigns. The advisory, which updates earlier guidance from March 2026, provides fresh intelligence on rising tactics, real-world phishing message samples, and enhanced mitigation recommendations.
According to the joint advisory, RIS threat actors are conducting targeted phishing operations aimed at compromising accounts of individuals working in government, defense, and critical infrastructure sectors. By gaining unauthorized access to these messaging accounts, the attackers can monitor sensitive communications, steal credentials, pivot into organizational networks, and collect intelligence. The advisory specifically notes that the updated guidance includes new examples of phishing messages detected in recent campaigns, offering defenders concrete indicators to recognize threats.
The latest advisory emphasizes that the threat has evolved since the initial March warning, with RIS actors refining their social engineering techniques to bypass existing security awareness training. The phishing attempts often masquerade as legitimate account security notifications or trusted contacts, tricking targets into disclosing credentials or approving multifactor authentication prompts. The FBI and CISA strongly recommend that organizations implement phishing-resistant multifactor authentication and adopt aggressive account monitoring policies to detect unauthorized access.
CISA and the FBI urge organizations to follow the detailed mitigations in the advisory, including enabling strong account protections such as hardware security keys, verifying suspicious account recovery requests, and educating users about the specific phishing lures described in the warning. The agencies also recommend that critical infrastructure organizations review and restrict access to messaging platforms based on operational necessity.
This escalation reflects a persistent and high-priority effort by Russian intelligence to exploit widely used commercial tools for espionage. The advisory serves as an urgent reminder for both public and private sector entities to reassess their security posture around communication platforms, which are often viewed as trusted utilities but have become prime targets for state-sponsored compromise.
The FBI and CISA have updated their advisory warning that Russian intelligence phishing campaigns now specifically target Signal Backup Recovery Keys, enabling attackers to restore account backups and read message histories persistently. The updated notice adds two tracking names, UNC5792 and UNC4221, and ties the activity to multiple Russian intelligence services including FSB officers and military units. The State Department's Rewards for Justice program has offered up to $10 million for information on UNC5792, and the advisory warns that the recovery key remains valid even after a user creates a new account, necessitating generation of a fresh key in Settings.