Ukraine’s Security Service (SSU), working with the FBI, has warned of a long-running campaign in which Russian intelligence services allegedly used fake support messages to compromise messaging accounts belonging to officials, military personnel, politicians, activists, and other high-value targets in Ukraine, Europe, and the United States.

The tactic is simple enough to scale and credible enough to work: victims receive SMS messages that appear to come from a messaging platform’s support function, then are pressured into giving up credentials, confirmation codes, backup recovery keys, or other account-access material. The objective, according to the Ukrainian warning, is access to sensitive military, political, economic, and personal information exchanged inside private chats.

For defenders, the most important lesson is not that SMS phishing is new. It is that messaging accounts have become primary identity and intelligence targets. If an attacker can quietly add a new device, steal a recovery key, or trick a user into approving a session, they may gain access to conversations that are more sensitive than email.

What the campaign shows

The reported campaign targets commercial messaging applications rather than traditional corporate login portals. That matters because many organizations still treat messaging apps as informal side channels, even when leadership teams, field personnel, journalists, contractors, and public-sector staff use them for operational coordination.

The attack flow described by Ukrainian authorities is consistent with social engineering that relies on urgency and platform trust. A message claiming to be from “support” can ask the user to verify an account, prevent suspension, reconnect a device, scan a QR code, or provide a code sent by the app. Any one of those requests should be treated as suspicious when it arrives through SMS, an unsolicited chat, or a link from an unknown sender.

The Hacker News report notes that similar waves against Signal and WhatsApp users have previously been associated with Russian threat activity clusters tracked as Star Blizzard, UNC5792, UAC-0195, UNC4221, and UAC-0185. The SSU did not publicly name a specific hacking group for this particular campaign, but the tradecraft fits a broader pattern: compromise the person’s trusted communication channel, then use that channel to collect intelligence or pivot to more targets.

Why messaging account takeover is so damaging

Messaging platforms often contain high-context information: who knows whom, what decisions are pending, where people are located, and which documents or links are being exchanged. For public officials, military personnel, campaign staff, activists, and executives, that context can be more valuable than a single password dump.

Account takeover also creates a trust problem. Once an adversary controls or mirrors a victim’s messaging account, they may impersonate that person to colleagues, request files, send malicious links, or ask others to scan device-linking QR codes. This turns one successful compromise into a social graph attack.

Backups and recovery keys deserve special attention. Some users assume that end-to-end encryption means a stolen account is useless. In reality, an attacker who obtains the right recovery material, device-linking approval, or active session may be able to access current or restored message content, metadata, contacts, or future conversations depending on the platform and configuration.

Practical actions for individuals

Session hygiene is now a frontline control. Users should open the security or linked-devices section of each messaging app and review every active session. Any unknown desktop, browser, phone, or tablet connection should be removed immediately. If the app supports device names, users should rename their own devices clearly so unfamiliar sessions stand out.

Enable two-factor authentication or registration lock where available. For Signal, WhatsApp, Telegram, and similar tools, this may involve a PIN, passcode, or additional verification step that blocks unauthorized re-registration. Choose a strong, unique PIN and store recovery material in a password manager rather than in screenshots or notes synced across devices.

Never disclose one-time codes, backup recovery keys, account PINs, or passwords to anyone claiming to be support. Legitimate messaging platforms do not need users to send these secrets over SMS or chat. Avoid scanning QR codes received from unknown contacts or unexpected “support” messages; QR codes are commonly used to link new devices to accounts.

If a suspicious message arrives, do not click the link. Instead, open the app directly, check official support documentation through a trusted route, and report the message using the platform’s abuse reporting mechanism. High-risk users should also capture the sender number, message text, and time received for internal security teams.

Practical actions for organizations

Organizations should treat messaging security as part of identity security. That means adding messaging-app guidance to security awareness programs, executive protection briefings, travel procedures, and incident-response playbooks. If staff are permitted to use consumer messaging applications for work coordination, the organization should document minimum settings and escalation steps.

Security teams should brief high-risk groups first: executives, legal and policy teams, public affairs staff, administrators, researchers, military-adjacent personnel, journalists, and anyone working with sensitive government or geopolitical information. The warning signs are easy to explain: unsolicited support texts, requests for codes, backup keys, QR scans, device linking, urgent account verification, or threats of suspension.
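As an added example (not code from the article or from the SSU/FBI warning), a small triage helper that scores a reported "support" text against the warning signs listed above and keeps the sender, text and time received for the security team; the indicator names, regex patterns, risk rules and sample messages are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns built from the warning signs the article lists
# (support impersonation, requests for codes or keys, QR/device linking,
# urgency or suspension threats). Names and patterns are this example's own.
INDICATORS = {
    "support_impersonation": r"\b(support|security team|help ?desk|account team)\b",
    "secret_request": r"\b(verification code|one-time code|login code|recovery key|backup key|pin|passcode|password)\b",
    "device_linking": r"\b(qr|link(ed|ing)? (a |your |the )?(new )?device|reconnect)\b",
    "urgency_or_threat": r"\b(suspend(ed|sion)?|deactivat(ed|ion)|immediately|urgent|within \d+ (hours?|minutes?))\b",
    "external_link": r"https?://\S+",
}

@dataclass
class TriageResult:
    sender: str        # captured for the security team, as the article advises
    received_at: str
    text: str
    matched: list = field(default_factory=list)
    risk: str = "low"

def triage(sender: str, received_at: str, text: str) -> TriageResult:
    """Score one reported message and record which warning signs it shows."""
    result = TriageResult(sender, received_at, text)
    lowered = text.lower()
    result.matched = [name for name, pat in INDICATORS.items() if re.search(pat, lowered)]
    hits = set(result.matched)
    # Claiming to be support *and* asking for a secret or a device link is the
    # exact pattern described in the warning: hostile by default.
    if "support_impersonation" in hits and hits & {"secret_request", "device_linking"}:
        result.risk = "high"
    elif len(hits) >= 2:
        result.risk = "medium"
    return result

# Constructed sample reports (placeholder numbers, invented texts).
SAMPLES = [
    ("+00000000001", "2024-01-01T09:12:00Z",
     "Messenger Support: your account will be suspended in 24 hours. Reply with the verification code we just sent."),
    ("+00000000002", "2024-01-01T10:03:00Z",
     "Security team: scan this QR code to reconnect your device http://example.invalid/link"),
    ("+00000000003", "2024-01-01T11:45:00Z", "Lunch at noon? I'll be at the usual place."),
]

def triage_all(samples=SAMPLES):
    return [triage(*s) for s in samples]

if __name__ == "__main__":
    for r in triage_all():
        print(r.risk.upper(), r.sender, r.received_at, ", ".join(r.matched) or "no indicators")
```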

Incident response should include messaging accounts. If a user reports a suspicious support text or believes they entered a code, responders should help revoke unknown sessions, rotate related passwords, enable stronger account protections, preserve evidence, and review recent messages sent from the account. Contacts who may have received malicious messages from the compromised account should be warned quickly.

Where possible, organizations should reduce sensitive decision-making in unmanaged consumer chat channels. This does not mean banning every messaging app overnight; it means understanding where sensitive conversations occur and ensuring those channels have enforceable security controls, retention expectations, and incident procedures.

Bottom line

The reported SSU and FBI findings are a reminder that phishing is increasingly aimed at the communications layer people trust most. A fake support text may look less sophisticated than malware, but if it convinces one target to reveal a recovery key or approve a linked device, the intelligence value can be significant.

Review linked devices, turn on the strongest available account protections, and train users to treat support messages requesting secrets as hostile by default.

Source: The Hacker News