
Russian Hackers Target Signal: What Law Firms Must Do Now

FBI/CISA warn Russian intel actors are stealing Signal backup keys to read encrypted messages. Law firms using Signal for client comms must act now.

July 2, 2026

In late June 2026, the FBI and CISA released a joint advisory — PSA I-062626-PSA — that most people outside national security circles quietly filed away. They shouldn't have.

Russian intelligence operatives have added a new technique to their playbook: social engineering Signal users into handing over their backup recovery keys. Give that key to an attacker, and they walk away with your complete Signal message history. Past conversations. Active matters. Everything you assumed was protected by end-to-end encryption.

For law firms using Signal to communicate with clients, this is a direct threat to attorney-client privilege. And it doesn't require any technical hacking at all.

What the FBI and CISA Found

The advisory names two Russian Intelligence Services clusters with public tracking designations: UNC5792, linked to FSB border guard officers, and UNC4221, attributed to Russian military intelligence. These groups have been targeting individuals of high intelligence value — government officials, military personnel, journalists, political figures.

Here is the part that matters for law firms: the techniques state-sponsored actors prove out against high-value targets get adopted by criminal groups. Scattered Spider built its playbook around vishing and social engineering that intelligence services refined. These methods migrate down.

Signal's encryption is solid. That's not the point of the attack.

Signal allows users to enable encrypted backups protected by a 64-character recovery key. The attack works by impersonation. An operative contacts a target via text, chat, or email posing as Signal support staff, an IT department, or a trusted colleague running a firm-wide "security update." They walk the target through a scripted process — a fake mandatory two-factor rollout, or an "urgent account recovery" for messages supposedly at risk of loss. At the end, the target has pasted their 64-character recovery key into the attacker's chat window.

The FBI's advisory includes sample social engineering scripts. They read like legitimate support communications. Most people would not catch them.

Hand over that key once, and the attacker can restore the account's backup and read the entire message archive. Worse: even if the target creates a new account on the same phone number, the old key can still be used to decrypt the old backup. There is no "changing the password" on a key you've already surrendered.

Why This Is a Law Firm Problem

Law firms are using Signal more than ever. Clients request it for sensitive discussions. Partners on active litigation or M&A matters use it as a fallback when they distrust email. Whistleblowers and sources insist on it. After a year in which email and document management systems at multiple BigLaw firms were breached — Silent Ransom Group, UNC3753, INC Ransom — Signal earned a reputation as the more secure option.

That reputation is not wrong. The encryption still holds. But this attack doesn't go through the encryption.

ABA Model Rule 1.6 requires attorneys to make reasonable efforts to prevent unauthorized disclosure of client information. "Reasonable efforts" in 2026 means understanding not just technical vulnerabilities but the social engineering angles that bypass them. If a paralegal or associate hands over their Signal recovery key to someone posing as IT support, the encryption is meaningless. Months of privileged client conversations are now in an attacker's possession.

This is an ABA Rule 1.6 compliance issue dressed up as a phishing scenario.

What Your Firm Should Do

  • Understand who at your firm uses Signal and for what purpose.
    • This is about knowing where privileged communications actually live, not a referendum on Signal as a tool. If attorneys and staff use Signal to discuss active matters, client strategy, or settlement positions, that data needs real protection.
  • Consider disabling Signal backups for firm-related accounts.
    • Signal backups are a convenience feature, not a core security requirement. For law firm use cases involving privileged communications, the marginal convenience of message history across devices is almost never worth the risk. Disabling backups eliminates the recovery key attack surface entirely. If backups must be enabled, the recovery key must be treated like a root password — stored in a business-grade password manager, never transmitted in any message.
  • Brief your staff on this specific scenario.
    • The FBI's advisory PSA I-062626-PSA describes the exact social engineering scripts attackers use. Show staff what the message looks like. Run a tabletop scenario where someone calls claiming to be IT support and asks for an account key. Make the scenario real and specific — vague security awareness training doesn't prepare people for this.
  • Build a verification protocol.
    • Any contact claiming to represent Signal, IT support, or a software vendor and requesting credentials, keys, or account information must be verified through an out-of-band channel. That means calling a known number — not the one they gave you — or walking to someone's office. Not replying in the same chat.
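
One way to back the "never transmitted in any message" rule with a technical control is a content check on outbound email, chat exports, or helpdesk tickets. The sketch below is an added example, not code from the advisory or from Signal. It assumes the 64-character key consists of letters and digits and is pasted either as one run or as equal-sized groups; the function names, separators, and entropy cut-off are illustrative choices.

```python
import math
import re
from collections import Counter

KEY_LENGTH = 64      # recovery key length given in the article
MIN_ENTROPY = 4.0    # bits/char; assumed cut-off that drops hex digests and filler
TOKEN = re.compile(r"[A-Za-z0-9]+")
GAP = re.compile(r"[ \t\r\n-]{1,2}")  # assumed separators between pasted groups

# Constructed sample value, not a real key.
SAMPLE_KEY = "a1b2c3d4e5f6g7h8j9k0m1n2p3q4r5s6t7u8v9w0x1y2z3a4b5c6d7e8f9g0h1j2"


def looks_random(s):
    """Mixed letters and digits with Shannon entropy above MIN_ENTROPY."""
    if s.isalpha() or s.isdigit():
        return False
    counts = Counter(s.lower())
    entropy = -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())
    return entropy > MIN_ENTROPY


def find_key_spans(text):
    """Spans of 64 letters/digits, as one run or as equal-sized groups."""
    tokens = list(TOKEN.finditer(text))
    spans, i = [], 0
    while i < len(tokens):
        size = total = len(tokens[i].group())
        j = i
        while (total < KEY_LENGTH and j + 1 < len(tokens)
               and len(tokens[j + 1].group()) == size
               and GAP.fullmatch(text, tokens[j].end(), tokens[j + 1].start())):
            j += 1
            total += size
        candidate = "".join(t.group() for t in tokens[i:j + 1])
        if total == KEY_LENGTH and looks_random(candidate):
            spans.append((tokens[i].start(), tokens[j].end()))
            i = j + 1
        else:
            i += 1
    return spans


def redact(text):
    """Mask candidate keys before a held message is logged or reviewed."""
    for start, end in reversed(find_key_spans(text)):
        text = text[:start] + "[REDACTED-RECOVERY-KEY]" + text[end:]
    return text
```

A hit is a reason to hold the message and contact the sender through the out-of-band channel, not proof of compromise; a same-length word directly before a grouped key can shift the matched span, so quarantine the whole message rather than relying on the mask alone.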

Recognize the Pattern

This attack technique is one variation of what law firms have been facing consistently. The Lewis Brisbois vishing incident in June 2026. UNC3753 sending operatives physically into law firm offices. Silent Ransom Group making callback calls to front desk staff posing as IT. The common thread across every recent law firm breach is this: attackers are bypassing technical defenses by targeting people.

End-to-end encryption protects data in transit. It doesn't protect against a staff member being socially engineered into voluntarily surrendering the key that decrypts that data.

Staff training, clear verification protocols, and a defensible acceptable-use policy for communication tools aren't optional features of a compliant law firm security program. Under ABA Rule 1.6, they're the "reasonable efforts" the rule requires.

At Mytec Solutions, we help professional services firms build layered security cultures that make social engineering attacks harder to execute at every point of contact — front desk, administrative staff, and attorneys alike. If you want to assess your firm's exposure and prepare your team for these scenarios, reach out.