Ukraine And FBI Expose Russian Intelligence Campaign Targeting Messaging App Accounts

Ukraine’s Security Service (SSU), working in collaboration with the U.S. Federal Bureau of Investigation (FBI), has uncovered a long-running cyber espionage campaign carried out by Russian intelligence services that targeted messaging application accounts belonging to government officials, military personnel, politicians, activists, and other individuals across Ukraine, Europe, and the United States. According to the SSU, the operation was designed to obtain unauthorized access to sensitive communications and collect confidential information exchanged through widely used messaging platforms. Authorities said the campaign also extended beyond high-profile individuals and organizations to include the personal accounts of ordinary Ukrainian citizens, highlighting the broad scope of the operation. The agency stated that the attackers sought access to military, political, and economic information while also attempting to steal personal data from victims. The findings were shared by the SSU through its official Telegram channel as part of an advisory warning users about the ongoing threat and encouraging stronger account security practices.

Investigators revealed that the attackers relied on phishing delivered through SMS messages crafted to resemble official support notifications from messaging platforms. These fraudulent messages attempted to convince recipients that action was required on their accounts and urged them to provide account credentials, verification information, or other authentication details. By impersonating trusted support services, the attackers aimed to trick users into voluntarily handing over access to their messaging accounts. Although the SSU did not publicly attribute the campaign to a specific hacking group, cybersecurity researchers have previously linked similar attacks targeting Signal and WhatsApp users to Russian threat clusters identified as Star Blizzard, UNC5792 (also known as UAC-0195), and UNC4221 (also known as UAC-0185). These groups have been associated with phishing operations focused on compromising secure communications used by government officials, journalists, activists, and other high-value targets. The latest findings reinforce concerns that messaging platforms remain attractive targets for state-backed cyber espionage campaigns because of the sensitive conversations and information exchanged through these services.

To reduce the likelihood of account compromise, the SSU advised users to regularly review the active sessions on their messaging applications and immediately log out any unfamiliar or unauthorized devices. The agency also recommended enabling two-factor authentication wherever it is available. Users were further warned against scanning QR codes received from unknown contacts or responding to unsolicited support requests asking for confirmation codes, PIN codes, passwords, or account recovery keys. The SSU emphasized that users should exercise caution before clicking suspicious links or opening files received through unfamiliar or questionable chats, as these remain common delivery methods in phishing campaigns. Security experts continue to stress that even well-protected messaging platforms can be compromised when attackers deceive users into revealing authentication credentials through social engineering rather than by exploiting technical weaknesses in the applications themselves.
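As an added defender-side illustration, not part of the SSU or FBI advisories, the following Python triage sketch scores an incoming SMS against the lure traits described above: a claim to be platform support, a request for codes, PINs, passwords or recovery keys, urgency pressure, and a link whose host is not an official platform domain. The domain allow-list, the patterns, and the sample messages are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: a short illustrative allow-list of official platform domains,
# not an exhaustive or authoritative one.
OFFICIAL_DOMAINS = {"signal.org", "whatsapp.com", "telegram.org"}

# Heuristic patterns for the lure traits named in the advisory.
SUPPORT_CLAIM = re.compile(
    r"\b(signal|whatsapp|telegram)\b.*\b(support|security team|account team)\b", re.I)
SECRET_REQUEST = re.compile(
    r"\b(confirmation|verification) code\b|\bPIN\b|\bpassword\b|\b(recovery|backup) key\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|within \d+ (hours|minutes)|will be (blocked|deleted|suspended))\b", re.I)
URL = re.compile(r"https?://[^\s]+", re.I)


@dataclass
class Verdict:
    score: int          # number of independent lure traits observed
    reasons: list       # human-readable explanation for each point


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (e.g. 'www.whatsapp.com' -> 'whatsapp.com')."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_sms(text: str) -> Verdict:
    """Score one SMS body; a higher score means more smishing traits are present."""
    reasons = []
    if SUPPORT_CLAIM.search(text):
        reasons.append("claims to be platform support")
    if SECRET_REQUEST.search(text):
        reasons.append("asks for a code, PIN, password or recovery key")
    if URGENCY.search(text):
        reasons.append("applies urgency pressure")
    for url in URL.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) not in OFFICIAL_DOMAINS:
            reasons.append(f"link host {host} is not an official platform domain")
    return Verdict(len(reasons), reasons)


# Constructed sample messages: one lure, one benign chat, one link to an official domain.
SAMPLES = [
    "Signal Support: unusual login detected. Confirm your account within 24 hours or it will be "
    "blocked. Enter your verification code at https://signal-verify-account.example.net/confirm",
    "Hey, are we still on for lunch tomorrow? I'll send the address later.",
    "Reminder: update the app from https://www.whatsapp.com/download before the call.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = triage_sms(msg)
        print(v.score, v.reasons)
```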

The disclosure from the SSU follows a recent warning issued by the FBI, which attributed an ongoing phishing campaign targeting commercial messaging applications to Russian Intelligence Services cyber actors. According to the FBI, the campaign focuses on high-value individuals and attempts to deceive victims into surrendering backup recovery keys that could allow attackers to regain access to messaging accounts and stored communications. Separately, Ukraine’s Computer Emergency Response Team, CERT-UA, reported late last month that the Belarus-aligned threat actor UNC1151, also known as Ghostwriter and UAC-0057, conducted a spear-phishing campaign targeting government organizations. That campaign reportedly used compromised accounts to distribute information-stealing malware known as OYSTERBLUES. The series of incidents reflects the continued use of phishing, credential theft, and social engineering by state-aligned threat actors seeking access to sensitive communications and confidential information across government institutions and strategic organizations.
