# US warns Russia's GRU is phishing military Signal accounts; APT28 weaponises new flaws
> FBI/CISA advisory targets encrypted-messaging compromise as Fancy Bear exploits flaws that federal agencies must patch by mid-May

**Meta:** type: story · date: 2026-05-12 · heads: What Broke, What They're Not Saying, Who Decides · 7 takes · 3 lenses · 3 regions

## Summary

US authorities are warning that [Russia](/en/entity/russia)'s military intelligence is running a sustained
[military cyber](/en/entity/military-cyber) campaign against the trusted communications of officials and troops. An
FBI/[CISA](/en/entity/cisa) joint advisory says Russian hackers are phishing to compromise commercial
encrypted-messaging apps such as Signal, targeting current and former [United States](/en/entity/united-states)
government officials, military personnel, political figures and journalists of high
intelligence value — typically by abusing device-linking features to clone sessions.
Separately, CISA added flaws exploited by [APT28](/en/entity/apt28) (the GRU's Fancy Bear, Unit 26165) to
its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by
mid-May 2026. The thread is espionage on encrypted channels rather than destructive
attacks — the quiet, persistent side of the war that runs parallel to the drone and EW
fight on the front.

## By the numbers

- May 12, 2026 — federal remediation deadline for the APT28-exploited flaw.
- Unit 26165 — the GRU formation behind APT28 / Fancy Bear.
- 4 — high-value target classes named: officials, military, political figures, journalists.
- 200 / 80 — companies / countries an earlier China-linked (Salt Typhoon) campaign hit, for scale.

## Why it matters

The campaign turns "secure" messaging into an intelligence collection surface against the
people running Western defence and Ukraine policy — espionage that shapes decisions without
firing a shot. It also keeps state-sponsored APTs (Russia's GRU here; China's Salt Typhoon
elsewhere) at the centre of the [military cyber](/en/entity/military-cyber) threat picture.

## What to watch

- Whether Signal/messaging vendors harden device-linking against session cloning.
- New CISA KEV additions tied to APT28 and agency patch compliance.
- Escalation from espionage to disruptive attacks on defence or critical infrastructure.

## Regional takes (batched by bias / lens)

### Unlabelled
- **CISA (Cybersecurity Advisories)** (United States, en) — US government advisory hub carrying the FBI/CISA joint warning that Russian state hackers are phishing to compromise commercial encrypted-messaging apps such as Signal, targeting current and former officials, military personnel, political figures and journalists of high intelligence value.
  Source: https://www.cisa.gov/news-events/cybersecurity-advisories
- **CSIS (Significant Cyber Incidents)** (United States, en)
  Source: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
- **The Cyber Express** (India, en)
  Source: https://thecyberexpress.com/cyber-warfare-2026-nation-state-attacks/
- **NJCCIC (NJ.gov)** (United States, en)
  Source: https://www.cyber.nj.gov/threat-landscape/2026-cyber-threat-assessment
- **BleepingComputer** (Global, en)
  Source: https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/

### Security-research reporting
- **GBHackers** (India, en) — Details the social-engineering campaign against encrypted-messaging accounts of military officials and journalists — abusing device-linking/QR features to clone Signal sessions — framing it as espionage aimed at trusted-comms compromise rather than mass disruption.
  > "State-backed hackers are targeting military officials and journalists on Signal, abusing device-linking to clone sessions and read messages."
  Source: https://gbhackers.com/state-backed-hackers-target-military-officials-and-journalists/

### Vulnerability / threat-intel reporting
- **SecurityOnline** (Global, en) — Reports CISA adding APT28-exploited flaws to its Known Exploited Vulnerabilities catalog, with Federal Civilian Executive Branch agencies ordered to remediate by mid-May 2026 — placing the GRU's Fancy Bear unit at the centre of active government-and-military targeting.
  > "CISA sounds the alarm as state-sponsored hackers, including APT28, weaponise new flaws; agencies were ordered to remediate by May 12."
  Source: https://securityonline.info/cisa-kev-catalog-kimsuky-apt28-exploitation-cve-2024-1708-cve-2026-32202/

## Across the graph
- Related: [[shahed-record-strikes-jet-geran]], [[eu-russia-21st-sanctions-package-2026]]
- Entities: Military Cyber, Russia, United States, APT28, CISA

---
Canonical: https://rbtfl.xyz/en/n/apt28-signal-phishing-advisory