Signal Backup Recovery Keys Targeted by Russian APTs: SOC Detection & Defense Guide

Introduction

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a critical warning regarding an evolution in tactics employed by Russian state-sponsored threat actors. These actors are actively conducting social engineering campaigns designed to steal Signal Backup Recovery Keys.

Unlike traditional real-time interception attacks, the theft of a Backup Recovery Key allows adversaries to decrypt and access a target’s entire historical message archive—even messages deleted from the device. This represents a significant escalation in operational security (OPSEC) risks for journalists, dissidents, and high-value corporate targets. Defenders must treat the Signal Backup Key with the same sensitivity as a private encryption root key. There is no CVE to patch here; the vulnerability lies in user behavior and the trust model of backup restoration. This post outlines the technical mechanics of the threat and provides defensive detection logic for security operations centers (SOCs).

Technical Analysis

Affected Products & Platforms:

• Signal Messenger (Desktop, Android, iOS)
• Critical Asset: The 44-character Signal Backup Recovery Key (distinct from the Signal PIN).

The Attack Vector:

1. Social Engineering (Initial Access): Russian intelligence services (often associated with APT29 or similar clusters) are using highly tailored spear-phishing or "vishing" (voice phishing) attacks. Actors pose as tech support, colleagues, or platform administrators to create a sense of urgency.
2. Credential Harvesting: The goal is to trick the victim into handing over the 44-character Backup Recovery Key.
3. Decryption & Exfiltration: Once the key is obtained, the attacker can download the victim's encrypted backup from cloud storage (if accessible) or restore a local captured backup onto a device they control. This grants them full access to historical messages, attachments, and contacts.

Exploitation Status:

• Confirmed Active Exploitation: The FBI confirms this is an active campaign.
• Technique: Abuse of legitimate functionality (Social Engineering) leading to Data Exfiltration.
• CVE: None. This is a feature-abuse attack targeting the human element.

The Risk: If an actor possesses the Backup Key, they bypass the protections of the live encrypted messaging environment. Access to historical data can reveal organizational secrets, supply chain details, and source handling methods.

Detection & Response

Detecting social engineering is challenging, but SOC teams can hunt for the technical precursors or consequences of Backup Key theft. The primary technical indicator is unauthorized access to the local Signal configuration directory where the key and database are stored. We assume the attacker may use information stealers or authorized tools to harvest this data if the user does not voluntarily provide it, or we hunt for the restoration of backups on anomalous endpoints.

SIGMA Rules

---
title: Potential Signal Backup Key Theft via Config Access
id: 6d8c9a20-1f3e-4b8d-9a1e-2c3b4d5e6f7a
status: experimental
description: Detects non-Signal processes accessing Signal configuration files (config. or db.sqlite), which may indicate an attempt to steal the Backup Recovery Key or message database.
references:
  - https://www.fbi.gov/news/related-links
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains: '\Signal\'
    TargetFilename|endswith:
      - 'config.'
      - 'db.sqlite'
  filter_legit_signal:
    Image|endswith: '\Signal.exe'
  filter_system:
    Image|endswith:
      - '\explorer.exe'
      - '\svchost.exe'
  condition: selection and not filter_legit_signal and not filter_system
falsepositives:
  - Administrators manually backing up Signal files
  - Third-party antivirus scanners
level: high
---
title: Linux Signal Configuration Directory Access
id: 8e2d3c41-2a5f-5c9e-0b2f-3d4c5e6f7a8b
status: experimental
description: Detects processes accessing the Signal configuration directory on Linux, potentially indicating backup key scraping.
references:
  - https://www.signal.org/docs/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: linux
detection:
  selection:
    TargetFilename|contains: '/.config/Signal/'
  filter_main:
    Image|endswith: '/signal-desktop'
  condition: selection and not filter_main
falsepositives:
  - User manually inspecting config files
  - Backup utilities
level: medium

KQL (Microsoft Sentinel)

// Hunt for unusual file access patterns targeting Signal configuration directories
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has @"Signal" 
| extend FilePath = FolderPath + FileName
| where FilePath has @"config." or FilePath has @"db.sqlite"
| where InitiatingProcessFileName != "Signal.exe"
| where InitiatingProcessFileName != "explorer.exe"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FilePath, ActionType
| order by Timestamp desc

Velociraptor VQL

-- Hunt for Signal config files and check for recent modifications or access
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="/*/.config/Signal/config.")
WHERE Mtime > now() - 24h
   OR Atime > now() - 24h

Remediation Script (PowerShell)

# Signal Security Audit: Check for recent modifications to Signal Config
# This script checks the integrity of the local Signal installation directory.

$SignalPath = "$env:AppData\Signal"
$ConfigFile = Join-Path $SignalPath "config."
$TimeThreshold = (Get-Date).AddHours(-24)

Write-Host "[+] Initiating Signal Security Audit..." -ForegroundColor Cyan

if (Test-Path $SignalPath) {
    Write-Host "[+] Signal installation detected at: $SignalPath" -ForegroundColor Green
    
    if (Test-Path $ConfigFile) {
        $File = Get-Item $ConfigFile
        
        if ($File.LastWriteTime -gt $TimeThreshold) {
            Write-Host "[!] ALERT: Signal config. was modified in the last 24 hours." -ForegroundColor Red
            Write-Host "    Last Write Time: $($File.LastWriteTime)" -ForegroundColor Red
            Write-Host "    Action: Verify if user authorized backup changes or settings updates." -ForegroundColor Yellow
        } else {
            Write-Host "[+] No recent modifications to config. detected." -ForegroundColor Green
        }

        # Check for non-standard processes holding handles (Basic check)
        Write-Host "[+] Checking for open handles on Signal config (requires Admin rights)..." -ForegroundColor Cyan
        # Note: Handle enumeration requires admin privileges and specific tools like Sysinternals Handle.exe
        # This is a placeholder for administrative verification logic.
    } else {
        Write-Host "[-] Config file not found. User may not be registered." -ForegroundColor Yellow
    }
} else {
    Write-Host "[-] Signal Desktop installation not found in standard AppData path." -ForegroundColor Gray
}

Write-Host "[+] Audit Complete." -ForegroundColor Cyan

Remediation

Immediate defensive actions are required to mitigate this threat:

1. User Awareness & Education:

   • Explicitly inform high-risk users (Journalists, Executives, Security Teams) that no legitimate Signal support representative will ever ask for their Backup Recovery Key or 30-digit PIN.
   • Treat the Backup Key with the same confidentiality as a password.

2. Enable Registration Lock (Signal PIN):

   • While this attack targets the Backup Key, enabling Registration Lock (Settings > Account > Registration Lock) prevents attackers from easily registering the victim's phone number on a new device, adding a layer of friction even if they possess the SMS code.

3. Audit Active Devices:

   • Users should navigate to Settings > Linked Devices and remove any unrecognized devices immediately.

4. Secure Local Storage:

   • Ensure full disk encryption (BitLocker/FileVault) is enabled. If an endpoint is compromised, disk encryption prevents raw extraction of the db.sqlite file.

5. Incident Response Plan:

   • If a Backup Key is compromised, the user must:
     1. Generate a new Backup Key (Settings > Chats > Chat Backups > Generate Backup Key).
     2. Invalidate the old key (this effectively invalidates the old encrypted backup).
     3. Re-register their device if necessary.

Advisory Sources:

• FBI Flash Alert (Implicit Reference)
• Signal Documentation on Backups

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub