Tuesday, 30 June 2026
Rīga TV


Technology
Published: 30 June 2026 at 02:37

US offers $10 million for info on group behind Signal and WhatsApp hacking spree

Federal authorities are offering a reward of up to $10 million for information leading to the identification or location of a Russian state cyber group that has compromised thousands of Signal and WhatsApp accounts belonging to investigative reporters and US government employees.

Photo: Ars Technica

Federal authorities have announced a reward of up to $10 million for information that leads to the identification or location of a Russian state cyber group. This group has compromised thousands of Signal and WhatsApp accounts belonging to investigative journalists and US government employees.

The operation has been active since at least March, when the FBI published an advisory warning of ongoing phishing campaigns against high-value targets by attackers associated with Russian intelligence services. The messages masquerade as automated support communications, asking users to click a link or provide verification codes or account passcodes. If the user complies, the attacker's device is linked to the account, or the account is completely taken over and the user is locked out.

As a result, attackers can read any new messages sent to the compromised account. However, a safety feature built into Signal prevents attackers from reading any previous conversations. The messages are sent to "individuals of high intelligence value, such as current and former US government officials, military personnel, political figures, and journalists."

Last week, the FBI published an update stating that the campaign had evolved. In addition to posing as support bots, the messages now urge users to create a backup of all previous communications by following the provided directions. A follow-up message then instructs targets to send the long passcode used to encrypt backups stored on Signal servers. With that, attackers gain access to past Signal conversations.

The update identified two Russian government groups responsible, tracked as UNC5792 and UNC4221. One example message claims that attacks were carried out by hackers from Iran and post-Soviet countries and urges users to set up a Signal backup.
