
Phishing 2.0: Russian APTs Targeting Signal Backup Recovery Keys

AppSec_Jordan 6/26/2026

Just saw the updated advisory from the FBI and CISA regarding the Russian intelligence groups (likely APT29 given the MO) pivoting their Signal phishing tactics. It’s concerning because they aren't just asking for a password anymore; they are now explicitly coaxing targets into handing over the Signal Backup Recovery Key.

If you aren't familiar with the architecture, this key is a master credential. Once an attacker has this, they can bypass the phone number verification and restore the entire chat history—including private groups and contacts—on a new device. The worst part? These keys don't expire. Access is persistent until the user generates a new key.

From a defender's perspective, this is tricky. We can't inspect E2EE traffic, so we have to focus on the handoff. If you're managing DLP or email gateways, you might want to look for the specific pattern of these keys during outbound monitoring or phishing analysis.

Here is a quick Python snippet to match Signal's specific key format (typically signal-backup- followed by 44 characters) to help tune your DLP rules:

import re

# Matches Signal backup keys (approximate pattern based on standard generation)
# Pattern: signal-backup-[A-Za-z0-9+/]{43}=
signal_key_pattern = re.compile(r'signal-backup-[A-Za-z0-9+/]{43}=')

def check_for_keys(text):
    """Return True if the text contains something shaped like a Signal backup key."""
    return signal_key_pattern.search(text) is not None

Since we can't rely on technical controls to stop the exfiltration of the key after it happens, user education is the only firewall left. Are any of you actively blocking Signal usage on corporate devices, or are we accepting this risk as part of the 'new normal' for comms?
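As an added example (not code from the post above, and not anything published by Signal), here is the post's approximate key pattern extended into a small DLP scan over constructed outbound messages: it tolerates the soft-wrapping that mail clients apply to long tokens and redacts the matched key in each finding, so the secret itself never lands in an alert or SIEM. The message bodies, the key material and the `Finding` shape are all assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The post's approximate pattern ("signal-backup-" + 43 base64 chars + "="),
# loosened so that up to two whitespace characters may sit between any two key
# characters: mail clients soft-wrap long tokens and users paste them with
# spaces, and a strict regex would miss exactly those copies. Loosening it
# slightly raises false-positive risk, so findings are meant for analyst triage.
KEY_RE = re.compile(r"signal-backup-(?:\s{0,2}[A-Za-z0-9+/]){43}\s{0,2}=")
PREFIX_LEN = len("signal-backup-")


@dataclass(frozen=True)
class Finding:
    message_id: str
    redacted_key: str  # the full key must never be copied into an alert or SIEM


def redact(key: str) -> str:
    """Keep the prefix plus four characters so analysts can correlate matches."""
    return key[: PREFIX_LEN + 4] + "[redacted]"


def scan_messages(messages: dict[str, str]) -> list[Finding]:
    """Scan outbound message bodies and return one redacted finding per key."""
    findings = []
    for msg_id, body in messages.items():
        for match in KEY_RE.finditer(body):
            key = re.sub(r"\s+", "", match.group(0))  # undo any wrapping
            findings.append(Finding(msg_id, redact(key)))
    return findings


# Constructed sample data (not real keys): 43 base64-alphabet characters.
KEY_BODY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq"
SAMPLE_MESSAGES = {
    "m1": "Hi, can you resend the agenda for Thursday?",
    "m2": "Support asked me to verify my backup: signal-backup-" + KEY_BODY + "=",
    # Same key, soft-wrapped by a mail client after 20 characters.
    "m3": "here it is\nsignal-backup-" + KEY_BODY[:20] + "\r\n" + KEY_BODY[20:] + "=",
    # Near miss: only 40 characters, so it is not a well-formed key.
    "m4": "signal-backup-" + KEY_BODY[:40] + "=",
}

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"{finding.message_id}: {finding.redacted_key}")
```

Running it reports m2 and m3 (the wrapped copy included) and stays silent on the clean message and the malformed near miss.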

EmailSec_Brian 6/26/2026

We updated our awareness training immediately. The scary part is the persistence. Unlike a password, users rarely rotate their recovery keys. We're actually pushing a policy via MDM to force users to generate new keys if they travel to high-risk regions, though enforcing compliance is a headache.

Proxy_Admin_Nate 6/26/2026

Solid regex snippet. I'd add that we're seeing these phishing lures use urgency—claims that the account will be deleted unless the 'backup' is verified. We've set up conditional access rules to flag anomalous logins, but with Signal's server-side architecture, our visibility is almost zero. We basically have to trust the endpoint detection.

PhishFighter_Amy 6/26/2026

From a pentester's view, this is low-hanging fruit for APTs. Most high-value targets have Signal installed, but they don't understand the difference between the app PIN and the Recovery Key. If you get the key, you own the identity. I advise clients to treat the Recovery Key like a private seed phrase for crypto—never store it digitally.
