US warns Russia's GRU is phishing military Signal accounts; APT28 weaponises new flaws
FBI/CISA advisory warns of encrypted-messaging compromise as Fancy Bear exploits a vulnerability federal agencies must patch by May
Summary
US authorities are warning that Russia's military intelligence is running a sustained military cyber campaign against the trusted communications of officials and troops. An FBI/CISA joint advisory says Russian hackers are using phishing to compromise commercial encrypted-messaging apps such as Signal, targeting current and former United States government officials, military personnel, political figures and journalists of high intelligence value — typically by abusing device-linking features to clone sessions. Separately, CISA added flaws exploited by APT28 (the GRU's Fancy Bear, Unit 26165) to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by mid-May 2026. The common thread is espionage on encrypted channels rather than destructive attacks — the quiet, persistent side of the war that runs parallel to the drone and EW fight on the front.
By the numbers
- May 12, 2026 — federal remediation deadline for the APT28-exploited flaw.
- Unit 26165 — the GRU formation behind APT28 / Fancy Bear.
- 4 — high-value target classes named: officials, military, political figures, journalists.
- 200 / 80 — companies / countries an earlier China-linked (Salt Typhoon) campaign hit, for scale.
Why it matters
The campaign turns "secure" messaging into an intelligence collection surface against the people running Western defence and Ukraine policy — espionage that shapes decisions without firing a shot. It also keeps state-sponsored APTs (Russia's GRU here; China's Salt Typhoon elsewhere) at the centre of the military cyber threat picture.
What to watch
- Whether Signal/messaging vendors harden device-linking against session cloning.
- New CISA KEV additions tied to APT28 and agency patch compliance.
- Escalation from espionage to disruptive attacks on defence or critical infrastructure.