
The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the U.S.
The systematic cyber attacks were aimed at stealing sensitive information from the victims.
“The goal of these ‘hacks’ is to gain access to sensitive military, political, and economic information exchanged by users, as well as to steal their personal data,” the agency warned in a post shared on Telegram.
To pull off the operation, the attackers send SMS messages that masquerade as the messaging platform’s support bot and urge users to disclose their account credentials.
The SSU noted that these attacks include not only organizations, officials, or public figures, but also personal accounts belonging to Ukrainian nationals. It did not attribute the campaign to a specific hacking group.
Attribution to Known Russian Threat Clusters
Similar attack waves directly aimed at Signal and WhatsApp users have been attributed to Russian threat activity clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
The development comes as the FBI attributed an ongoing commercial messaging application (CMA) phishing campaign to Russian Intelligence Services (RIS) cyber threat actors; the campaign is aimed at high-value targets and seeks to deceive them into handing over their backup recovery keys.
Late last month, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed to the Belarus-aligned threat actor known as UNC1151 (aka Ghostwriter and UAC-0057) a spear-phishing campaign that targeted government organizations using compromised accounts to deliver an information stealer called OYSTERBLUES.
Recommended Mitigations
To counter the risk posed by these threats, users and organizations are advised to take the following steps:
- Periodically review active messaging app sessions and log out of unrecognized connections
- Enable two-factor authentication on all messaging accounts
- Refrain from scanning QR codes received from unknown users
- Never disclose confirmation codes, PIN codes, passwords, or account recovery keys
- Avoid clicking suspicious links or opening files from unknown or dubious chats
Given the breadth of targets — spanning government, military, and civilian accounts across multiple countries — the campaign underscores the continued use of social engineering via mobile messaging platforms as a primary vector in state-sponsored espionage operations.