Beyond the Password: Russian Intel Harvesting Signal Recovery Keys
Has anyone seen the updated joint advisory from the FBI and CISA regarding Russian intelligence actors? It looks like they have significantly evolved their targeting of Signal accounts.
Instead of just standard credential harvesting, they are now actively coaxing targets into handing over their Signal Backup Recovery Key. This is a critical shift because, unlike a session token that expires, this key allows an attacker to fully restore an account on a new device—including historical group and private messages—and maintain persistence until the key is rotated (which is rarely done by average users).
From a defensive perspective, this bypasses standard phishing-resistant MFA because the user is essentially authorizing the restore process. We are updating our awareness training to treat this key with the same sensitivity as a private SSH key or seed phrase.
If you are running EDR or DLP, you might want to start scanning for this specific pattern leaving your environment. Here is a quick Python snippet to detect the typical 58-character alphanumeric string used by Signal:
import re
# Signal recovery keys are typically 58 characters (alphanumeric)
signal_key_pattern = re.compile(r'\b[a-z0-9]{58}\b')
def scan_log_for_keys(log_data):
matches = signal_key_pattern.findall(log_data)
return matches
# Example usage
# logs = open('clipboard_buffer.txt').read()
# if scan_log_for_keys(logs):
# print("ALERT: Potential Signal Key detected!")
Given that Signal is the default for secure comms in our sector, how are you all handling the balance between needing backups and this massive key leakage risk? Are you disabling cloud backups entirely for your C-suite?
User education is really the only control here. We can't technically block the transfer of a specific string of text if the user willingly copies it into a sophisticated phishing portal. However, we've added a SIEM correlation rule to alert on 'Signal' keywords appearing in clipboard logs on our jump hosts. It's noisy, but better than nothing.
It's a clever bypass of trust models. The attackers are banking on the victim trusting the 'cloud backup' functionality. I advise clients that if they don't absolutely need message history across devices, they should generate the key, write it down on paper for emergencies, and strictly delete the digital copy from their clipboard and notes apps immediately.
We're actually looking at restricting Signal to mobile-only devices via MDM policies for our sensitive teams. Desktop endpoints are too susceptible to clipboard stealers (malware or otherwise), and this targeted phishing campaign justifies the inconvenience of losing the desktop client for those users.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access