Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

Ravie LakshmananJun 27, 2026Messaging Security / Cyber Espionage

The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the U.S.

The systematic cyber attacks aimed at stealing sensitive information from the victims, the agency added.

“The goal of these ‘hacks’ is to gain access to sensitive military, political, and economic information exchanged by users, as well as to steal their personal data,” the agency warned in a post shared on Telegram.

To pull off the operation, the attackers send SMS messages that masquerade as the messaging platform’s support bot and urge users to disclose their account credentials. 

The SSU noted that these attacks include not only organizations, officials or public figures, but also personal accounts belonging to Ukrainian nationals. It did not attribute the campaign to a specific hacking group.

However, similar attack waves directly aimed at Signal and WhatsApp messaging app users have been attributed to Russian threat activity clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).

To counter the risk posed by such threats, it’s advised to periodically review active messaging app sessions and log out of unknown connections, enable two-factor authentication, refrain from scanning QR codes received from unknown users, not disclose confirmation codes, PIN codes, passwords, and account recovery keys, and click on suspicious links or open files from unknown or dubious chats.

The development comes as the FBI attributed Russian Intelligence Services (RIS) cyber threat actors to an ongoing commercial messaging application (CMA) phishing campaign aimed at high-value targets to deceive them into handing over their backup recovery keys.

Late last month, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed to the Belarus-aligned threat actor known as UNC1151 (aka Ghostwriter and UAC-0057) a spear-phishing campaign that targeted government organizations using compromised accounts to deliver an information stealer called OYSTERBLUES.