The US State Department’s Rewards for Justice program announced a reward of up to $10 million for information leading to the identification or location of individuals operating within two Russian cyber groups: UNC5792, associated with Russia’s Federal Security Service (FSB) Border Guards, and UNC4221, acting on behalf of Russian military services. Both groups conducted phishing campaigns targeting Signal and WhatsApp accounts belonging to US government officials, military leadership, diplomatic personnel, NATO member-state officials, journalists covering Russia and Ukraine, NGOs providing assistance to Ukraine, and academic researchers in security studies.

According to the Rewards for Justice announcement, the attacks exploited no cryptographic vulnerability in the messaging platforms. Instead, UNC5792 actors abused the legitimate device-linking features built into Signal and WhatsApp. In some documented instances, actors altered legitimate “group invite” pages to redirect users to a malicious URL that linked an attacker-controlled device to the victim’s account. Once linked, the attacker gained persistent access to ongoing conversations, contact lists, and group memberships without ever breaking the underlying encryption.

The State Department’s announcement states that the campaign compromised thousands of individual messaging accounts across the listed target categories. The Rewards for Justice program is also seeking information about UNC4221, a separate Russian military-linked group, and accepts tips through a secure Tor-based submission channel as well as a Signal contact number. CyberTech previously reported on the broader campaign targeting messaging security, including the concurrent advisory the FBI issued on Russian intelligence targeting Signal backup recovery keys: “FBI Warning on Russian Intelligence and Signal Recovery Keys.”

The $10 million reward level signals a US government assessment that the damage to national security communications has been severe enough to warrant treating these groups as priority targets alongside ransomware operators and terrorism financiers, the other categories in the Rewards for Justice portfolio. For security teams protecting officials, diplomats, or researchers who communicate via commercial messaging apps, the attack method matters: the weakness here is not the encryption but the account management workflow. Mitigations to review include auditing linked-device authorizations across Signal and WhatsApp installations for sensitive users, restricting the ability to add linked devices through policy or organizational controls where available, and training staff who receive group invite links to verify those links through a side channel before clicking. The device-linking attack surface persists regardless of whether platforms patch anything, because it is not a software flaw but a social engineering angle against a legitimate feature.
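As an added illustration of the link-verification step (not code from the announcement or from CyberTech), the following Python check flags a purported Signal group invite page that carries a device-linking URI instead. It assumes Signal's publicly documented conventions, which the article does not state: invites are served from `signal.group` and device linking uses the `sgnl://linkdevice` URI; the function name and sample pages are constructed.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions from Signal's public behaviour (not stated in the article):
# group invites are served from signal.group, and device linking uses the
# sgnl://linkdevice URI carrying uuid and pub_key parameters.
INVITE_HOST = "signal.group"
LINK_URI = re.compile(r"sgnl://linkdevice\?[^\s\"'<>\\)]+", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo HTML-entity and (nested) percent-encoding so the URI is visible."""
    for _ in range(3):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def audit_invite_page(page_url: str, body: str) -> list[str]:
    """Return findings for a page that claims to be a Signal group invite."""
    findings = []
    host = (urlsplit(page_url).hostname or "").lower()
    if host != INVITE_HOST:
        findings.append(f"invite served from unexpected host: {host or 'none'}")
    for uri in LINK_URI.findall(normalize(body)):
        keys = parse_qs(urlsplit(uri).query).keys()
        detail = "with uuid and pub_key" if {"uuid", "pub_key"} <= keys else "incomplete"
        findings.append(f"device-linking URI embedded in page ({detail})")
    return findings


# Constructed sample pages; tokens and hosts are placeholders.
BENIGN = '<a href="https://signal.group/#CONSTRUCTED-GROUP-TOKEN">Join group</a>'
TAMPERED = ('<a href="sgnl://linkdevice?uuid=CONSTRUCTED-UUID'
            '&amp;pub_key=CONSTRUCTED-KEY">Join group</a>')

if __name__ == "__main__":
    print(audit_invite_page("https://signal.group/", BENIGN))
    print(audit_invite_page("https://invite.example/join", TAMPERED))
```

A check like this fits in a mail or web gateway as one signal among several; the in-app review of linked devices remains the authoritative audit.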

Source: Rewards for Justice (US State Department)