CISA and the FBI have renewed their warning that Russian state cyber actors are still going after people's commercial messaging accounts. In an updated joint Public Service Announcement (PSA), the two agencies say cyber threat actors tied to the Russian Intelligence Services (RIS) continue to run phishing campaigns aimed at commercial messaging applications, and they have published fresh tactics, mitigations, and sample lure messages to help potential targets recognize the activity.
What happened
According to the joint advisory from CISA and the FBI, the new PSA is an update to the March 2026 announcement titled "Russian Intelligence Services Target Commercial Messaging Application Accounts." The agencies say the campaigns are ongoing, and the refreshed guidance reflects recent tactics observed since the earlier notice. The advisory is aimed at federal, industry, and state, local, tribal, and territorial audiences, a sign the agencies see a broad pool of potential targets rather than a narrow set of victims.
Why it matters
Messaging apps have become a soft target because they often sit outside the corporate security stack, yet they carry sensitive conversations among officials, executives, journalists, activists, and other people of interest to a hostile intelligence service. A successful account compromise can hand an adversary an ongoing window into private communications without ever touching a hardened enterprise network. The agencies frame this as a continuing, not a one-off, threat, which is why they reissued the warning rather than letting the March notice stand.
The activity fits a long-running pattern of Russian state-aligned espionage that IntelFusions has tracked across multiple operations, from Turla's StockStay backdoor used against Ukrainian targets to APT28's use of disposable malware and AI-assisted tradecraft. The common thread is a steady focus on the accounts and devices of high-value individuals.
What you should do
The agencies bundle their detailed recommendations and example lures into the PSA itself rather than the summary, so anyone in a likely target group should read the full advisory for the specifics. In general terms, the agencies say the document provides recommended mitigations and includes samples of phishing messages so readers can learn what the lures look like. Reviewing those samples, treating unexpected account-linking or verification prompts with suspicion, and following the advisory's hardening steps are the practical takeaways.
CISA and the FBI did not attribute the activity to a single named group in the announcement, describing it instead as the work of Russian Intelligence Services broadly. Readers should consult the original CISA and FBI advisory for the recent tactics, recommended mitigations, and sample phishing messages it documents.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.