US Offers $10M Reward for Info on Russian-Backed Phishing Groups UNC5792 and UNC4221

The US State Department is offering up to $10 million for information on two Russian-linked threat groups that ran phishing campaigns stealing WhatsApp and Signal accounts from government officials.


The US State Department’s Rewards for Justice program has announced a reward of up to $10 million for information leading to the identification of individuals operating under the direction of the Russian government as part of two threat groups: UNC5792 and UNC4221. The groups conducted phishing campaigns specifically designed to steal WhatsApp and Signal accounts from senior government officials, military personnel, and other high-value targets.

The attack method is notable for targeting encrypted messaging platforms rather than corporate email or network infrastructure. Attackers sent phishing lures impersonating legitimate app notifications or account security prompts, tricking victims into surrendering session tokens or linking their accounts to attacker-controlled devices. Once access is obtained, the attacker can read historical messages and monitor ongoing communications — including content that recipients believe is end-to-end encrypted and ephemeral.

Targeting messaging apps reflects a calculated shift in attacker strategy. As organizations harden email and network defenses, adversaries follow high-value communication wherever it moves. Senior officials and military personnel increasingly rely on consumer messaging apps for informal, fast coordination — and those apps typically fall outside enterprise MDM policies, MFA enforcement, and audit logging.

For security teams, this campaign reinforces a consistent pattern: privileged users are the target, and the attack surface extends beyond managed endpoints. Review whether your organization has visibility into messaging app account activity on corporate and BYOD devices, and whether out-of-band communication channels are covered by your identity threat detection controls.

Why it matters: Phishing campaigns targeting messaging apps like WhatsApp and Signal represent a direct threat to out-of-band communication channels that security teams often treat as safe. If your organization uses consumer messaging apps for any sensitive coordination, this is a reminder to enforce mobile device policies and monitor for account compromise signals.
