A recent discovery by Silent Push Threat Analysts has shed light on a sophisticated cyber operation carried out by Russian hackers. These hackers have launched a multi-pronged phishing campaign, impersonating various organizations including the CIA, to gather intelligence on individuals sympathetic to Ukraine’s defense efforts.
The campaign, believed to be orchestrated by Russian Intelligence Services or aligned actors, aims to collect personal information from unsuspecting victims through a network of fraudulent websites.
The threat actors have created convincing replicas of websites belonging to the Russian Volunteer Corps (RVC), Legion Liberty, and “I Want to Live” (Hochuzhit), an appeals hotline for Russian service members in Ukraine. These fake sites prompt visitors to submit personal data under the guise of recruitment or information-sharing purposes.
Specifically targeting Russian citizens involved in anti-war activities, which are illegal in the Russian Federation and can lead to arrests, the campaign exploits anti-war sentiment to lure victims into divulging sensitive information.
The phishing infrastructure used in this campaign spans multiple domains hosted on bulletproof providers, with a notable presence on Nybula LLC (ASN 401116). The attackers employ sophisticated tactics, including legitimate-looking Google Forms to capture victim information and embedded authentic Telegram channels to enhance credibility.
One key domain in the CIA impersonation effort, ciagov[.]icu, was found to generate suspicious “Submission Reference IDs” when users attempted to report information. This domain, along with others like jagotovoff[.]com, shared infrastructure with the fake RVC and Legion Liberty sites, indicating a coordinated effort by the threat actors.
To further their deceptive tactics, the hackers have manipulated search engine results and created deceptive YouTube content to drive traffic to their phishing pages. For instance, a YouTube channel (@contactciaofficial) was discovered referencing both ciagov[.]icu and a fake .onion domain, highlighting the campaign’s multi-platform approach.
As of March 2025, the campaign remains active with new domains being registered continuously. Security researchers have identified several indicators of compromise, including specific IP addresses and domain naming patterns. Organizations and individuals are urged to exercise caution when interacting with websites purporting to represent these entities and to verify the authenticity of any forms requesting personal information.
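A defender-side check for the indicators described above, added here as an illustration and not part of the original report: it refangs the two domains the article names, scans log lines for the domains (and their subdomains) and for answers that fall in the hosting ASN the article cites, and flags both. The log lines and the prefix-to-ASN table are constructed for the example; the 203.0.113.0/24 block is documentation address space, not a real Nybula allocation.

```python
from ipaddress import ip_address, ip_network

# Indicators named in the article, kept in the defanged form it uses.
DEFANGED_IOCS = ["ciagov[.]icu", "jagotovoff[.]com"]

# Constructed prefix -> ASN table standing in for a real BGP/whois lookup.
# Only the ASN number (401116) comes from the article; the prefix is made up.
ASN_TABLE = {ip_network("203.0.113.0/24"): 401116}

# Constructed sample DNS/proxy log lines: "<timestamp> <client> <query> <answer>".
SAMPLE_LOG = """\
2025-03-02T10:14:07Z 10.0.0.5 www.google.com 142.250.74.36
2025-03-02T10:15:31Z 10.0.0.5 forms.ciagov.icu 203.0.113.17
2025-03-02T10:16:02Z 10.0.0.9 jagotovoff.com 203.0.113.40
2025-03-02T10:17:45Z 10.0.0.9 example.org 93.184.216.34
2025-03-02T10:18:10Z 10.0.0.7 notciagov.icu.example.net 198.51.100.3
"""

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'ciagov[.]icu' into a usable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

def domain_matches(query: str, ioc: str) -> bool:
    """True if query is the IoC domain itself or one of its subdomains.
    Matching on a label boundary avoids false positives like 'ciagov.icu.example.net'."""
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)

def asn_for(ip: str):
    """Look up the ASN announcing ip in the (constructed) table, or None."""
    addr = ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None

def scan_log(log_text: str, defanged_iocs=DEFANGED_IOCS, watch_asns=(401116,)):
    """Return (timestamp, client, query, reasons) for each line that hits a
    known domain or resolves into a watched hosting ASN."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        ts, client, query, answer = line.split()
        reasons = [f"domain:{i}" for i in iocs if domain_matches(query, i)]
        asn = asn_for(answer)
        if asn in watch_asns:
            reasons.append(f"asn:{asn}")
        if reasons:
            hits.append((ts, client, query, ",".join(reasons)))
    return hits
```

An ASN-only hit is a weaker signal than a domain hit, since bulletproof providers also host unrelated traffic; treat it as a lead for triage rather than a confirmed compromise.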
This operation underscores how cyber threats evolve alongside geopolitical conflicts and the lengths to which threat actors will go to gather sensitive information. It is a reminder that sustained vigilance and robust security controls remain essential against such campaigns.
