# US warns Russia's GRU is phishing military Signal accounts; APT28 weaponises new flaws
> FBI/CISA advisory targets encrypted-messaging compromise as Fancy Bear exploits a vulnerability that agencies must patch by May

**Meta:** type: story · date: 2026-05-12 · heads: What broke, What is left unsaid, Who decides · 7 takes · 3 lenses · 3 regions

## Summary

US authorities are warning that [Russia](/ja/entity/russia)'s military intelligence is running a sustained
[military cyber](/ja/entity/military-cyber) campaign against the trusted communications of officials and troops. An
FBI/[CISA](/ja/entity/cisa) joint advisory says Russian hackers are using phishing to compromise commercial
encrypted-messaging apps such as Signal, targeting current and former [United States](/ja/entity/united-states)
government officials, military personnel, political figures and journalists of high
intelligence value, typically by abusing device-linking features to clone sessions.
Separately, CISA added flaws exploited by [APT28](/ja/entity/apt28) (the GRU's Fancy Bear, Unit 26165) to
its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by
mid-May 2026. The common thread is espionage on encrypted channels rather than destructive
attacks: the quiet, persistent side of the war that runs parallel to the drone and EW
fight on the front.

## By the numbers

- May 12, 2026: federal remediation deadline for the APT28-exploited flaw.
- Unit 26165: the GRU formation behind APT28 / Fancy Bear.
- 4: high-value target classes named (officials, military, political figures, journalists).
- 200 / 80: companies / countries hit by an earlier China-linked (Salt Typhoon) campaign, for scale.

## Why it matters

The campaign turns "secure" messaging into an intelligence collection surface against the
people running Western defence and Ukraine policy: espionage that shapes decisions without
firing a shot. It also keeps state-sponsored APTs (Russia's GRU here; China's Salt Typhoon
elsewhere) at the centre of the [military cyber](/ja/entity/military-cyber) threat picture.

## What to watch

- Whether Signal/messaging vendors harden device-linking against session cloning.
- New CISA KEV additions tied to APT28 and agency patch compliance.
- Escalation from espionage to disruptive attacks on defence or critical infrastructure.

## Regional takes (batched by bias / lens)

### Unlabelled
- **CISA (Cybersecurity Advisories)** (United States, en) — US government advisory hub carrying the FBI/CISA joint warning that Russian state hackers are phishing to compromise commercial encrypted-messaging apps such as Signal, targeting current and former officials, military personnel, political figures and journalists of high intelligence value.
  Source: https://www.cisa.gov/news-events/cybersecurity-advisories
- **CSIS (Significant Cyber Incidents)** (United States, en)
  Source: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
- **The Cyber Express** (India, en)
  Source: https://thecyberexpress.com/cyber-warfare-2026-nation-state-attacks/
- **NJCCIC (NJ.gov)** (United States, en)
  Source: https://www.cyber.nj.gov/threat-landscape/2026-cyber-threat-assessment
- **BleepingComputer** (Global, en)
  Source: https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/

### Security-research reporting
- **GBHackers** (India, en) — Details the social-engineering campaign against encrypted-messaging accounts of military officials and journalists, abusing device-linking/QR features to clone Signal sessions, framing it as espionage aimed at trusted-comms compromise rather than mass disruption.
  > "State-backed hackers are targeting military officials and journalists on Signal, abusing device-linking to clone sessions and read messages."
  Source: https://gbhackers.com/state-backed-hackers-target-military-officials-and-journalists/

### Vulnerability / threat-intel reporting
- **SecurityOnline** (Global, en) — Reports CISA adding APT28-exploited flaws to its Known Exploited Vulnerabilities catalog, with Federal Civilian Executive Branch agencies ordered to remediate by mid-May 2026, placing the GRU's Fancy Bear unit at the centre of active government-and-military targeting.
  > "CISA sounds the alarm as state-sponsored hackers, including APT28, weaponise new flaws; agencies were ordered to remediate by May 12."
  Source: https://securityonline.info/cisa-kev-catalog-kimsuky-apt28-exploitation-cve-2024-1708-cve-2026-32202/

## Across the graph
- Related: [[shahed-record-strikes-jet-geran]], [[eu-russia-21st-sanctions-package-2026]]
- Entities: Military Cyber, Russia, United States, APT28, CISA

---
Canonical: https://rbtfl.xyz/ja/n/apt28-signal-phishing-advisory