US offers $10m bounty for info on Russia-linked hackers behind Signal and WhatsApp attacks
UNC5792 and UNC4221 have been targeting government officials through their Signal and WhatsApp accounts
The US Department of State is offering a reward of up to $10 million to anyone who can help it identify and locate members of the Russia-linked UNC5792 and UNC4221 hacking groups.
UNC4221 works on behalf of the Russian military services, while UNC5792 is associated with the Russian Federal Security Service (FSB). The groups have carried out phishing campaigns targeting the Signal and WhatsApp accounts of US government officials, military leadership, and allied personnel.
"Using social engineering techniques, these malicious cyber actors exploit legitimate device-linking features in these secure messaging applications to gain unauthorized access to sensitive government communications, contact lists, and group conversations," said the US Department of State.
"After compromising an account, the malicious actors were also able to send messages and conduct additional phishing against other accounts using those same commercial messaging applications."
In some cases, UNC5792 actors altered legitimate group invite pages to redirect users to a malicious URL that linked a hacker-controlled device to the victim’s Signal account.
Officials said that while these activities did not exploit vulnerabilities in either platform’s encryption, they successfully compromised “thousands of individual commercial messaging application accounts”.
Targets included US government officials, diplomatic personnel and foreign affairs officials, defense and national security personnel, policy analysts and advisors, NATO member-state officials and diplomats, and allied intelligence and defense partners.
The group also went after investigative journalists covering Russia, Ukraine, and international affairs, NGOs providing support and assistance to Ukraine, and academic researchers in security studies and Russian affairs.
Valuable intel
The announcement of the reward follows an advisory issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) last week, which warned of continued activity by the two groups as well as a change in tactics aimed at harvesting victims' backup recovery keys.
"If a victim inadvertently shares their backup recovery key, that same key remains valid even if they create a new account following the compromise using the same phone number," the advisory warned.
"Consequently, the actor could potentially use the compromised key to take over the new account in the future as well."
The department gives a list of what information it seeks, including:
- Names
- Locations
- Biographical information on UNC5792 members
- Affiliations with Russian intelligence services
- Identities of personnel providing technical support
- Contractors or third-party entities providing services
It’s also seeking information on domain names, server locations, hosting providers, data storage and processing infrastructure, and technical tools, frameworks, and software used in operations.
Elsewhere, officials are keen to hear about the financial side of operations, including:
- Funding sources
- Financial accounts and banking relationships
- Cryptocurrency wallets
- Payments for infrastructure
- Financial networks supporting operations
Anyone with dirt on either of the two groups can submit their tip here, uploading relevant files such as photographs, videos, and documents.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.