The US government is offering rewards of up to $10 million for information on individuals associated with two threat actors linked to Russian intelligence.
Publicly tracked as UNC5792 and UNC4221, the cyber groups have been targeting current and former US government officials and military leaders, allied personnel, journalists, political figures, and key officials located in Ukraine.
The threat actors have been conducting phishing campaigns targeting commercial messaging applications (CMAs), a March alert from CISA and the FBI shows.
Posing as automated CMA support accounts, the hackers lure victims into clicking on a link or sharing verification codes to take over their accounts on messaging platforms such as Signal and WhatsApp.
In a fresh update, CISA and the FBI warn that the attackers have updated their tactics and are now also asking victims for their Backup Recovery Keys in order to access historical conversations, including private and group messages.
“If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well,” the alert reads.
To evict the hackers from compromised accounts, users need to generate a new Backup Recovery Key, thus invalidating the previous one.
“However, please note that this does not prevent the actor from having already downloaded a backup of the original account,” CISA and the FBI warn.
UNC5792 and UNC4221, the agencies note, are associated with the Russian intelligence services (RIS). On the Rewards for Justice portal, the US government links UNC5792 to the Russian Federal Security Service (FSB) Border Guards, and UNC4221 to the Russian military services.
“Using social engineering techniques, these malicious cyber actors exploit legitimate device-linking features in these secure messaging applications to gain unauthorized access to sensitive government communications, contact lists, and group conversations,” the US notes.
The threat actors have abused the compromised accounts to launch phishing attacks against other valuable individuals, and, in some instances, they modified ‘group invite’ pages to link attacker-controlled devices to victims’ Signal accounts.
The US is willing to pay up to $10 million in rewards for information leading to the identification of UNC5792 actors, including their names, location, and biographies.
It also seeks information on the threat actors’ affiliation with RIS, on entities that support them, their infrastructure and tooling, their funding sources, and financial networks, including banking accounts, cryptocurrency wallets, and transactions.
