Cybersecurity researchers at Silent Push have uncovered a phishing campaign, assessed to be run by Russian intelligence services, that targets people who support Ukraine and oppose the Russian government. The operation, reported in early 2025, used lookalike websites to harvest personal information from Russian citizens and would-be informants. The people who fill in those forms are the ones taking the risk: anti-war activity is criminalized in the Russian Federation, so a name and phone number handed to the wrong site can be enough to bring prosecution.
The phishing sites collected user data with nothing more than static HTML and JavaScript. Exfiltration was typically a plain HTTP POST to a server controlled by the threat actors, or a Google Form abused as the collection endpoint, which gives the operators a free, reputable-looking back end with no server of their own to run. The researchers identified four distinct phishing clusters, each impersonating a real organization: the US Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and Hochuzhit ("I want to live"), a hotline for Russian service members operated by Ukrainian intelligence.
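A page built this way can be triaged without executing it. The Python script below is an added example, not code from Silent Push or from the report: given a saved copy of a phishing page, it pulls out every place the page sends user input (form actions, links to Google Forms, fetch() and XMLHttpRequest targets in inline scripts) and classifies each target as the phishing host itself, a Google Form, or some other third party. The sample page and every hostname in it are constructed for the example; a real kit will vary, so the regexes for script targets are a starting point rather than a complete JavaScript parser.

```python
"""Triage a static phishing page for its data-collection endpoints.

Added example, not code from Silent Push or the report: the pages described
above gather form input with plain HTML and JavaScript and send it either by
POST to an attacker-controlled server or into a Google Form.  Given a saved
page, this pulls out every submission target (form actions, links to Google
Forms, fetch()/XMLHttpRequest targets in inline scripts) and classifies it
relative to the host the page was served from.  SAMPLE_PAGE and the
hostnames in it are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Google Forms view/response URLs all live under this prefix.
GOOGLE_FORMS_RE = re.compile(r"^https://docs\.google\.com/forms/", re.I)
# fetch("url" ...) and XMLHttpRequest .open("POST", "url") in inline scripts.
FETCH_RE = re.compile(r"""fetch\(\s*(['"])(?P<url>[^'"]+)\1""")
XHR_RE = re.compile(r"""\.open\(\s*(['"])POST\1\s*,\s*(['"])(?P<url>[^'"]+)\2""", re.I)

SAMPLE_PAGE = """<html><body>
<form action="https://forms.example.invalid/submit" method="post">
  <input name="full_name"><input name="phone"><textarea name="message"></textarea>
</form>
<a href="https://docs.google.com/forms/d/e/FORM-ID-PLACEHOLDER/viewform">Apply</a>
<script>
function send(d) { fetch("/collect.php", {method: "POST", body: d}); }
var x = new XMLHttpRequest();
x.open("POST", "https://docs.google.com/forms/d/e/FORM-ID-PLACEHOLDER/formResponse");
</script>
</body></html>"""


class _Collector(HTMLParser):
    """Collects <form> targets with their field names, <a href> links and inline scripts."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self.scripts = [], [], []
        self._script = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "GET").upper(), "fields": []})
        elif tag in ("input", "textarea", "select") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])  # assumes inputs follow their <form>
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script" and "src" not in a:
            self._script = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append("".join(self._script))
            self._script = None

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)


def classify(url, page_host):
    """Label a target: Google Forms, the phishing host itself, or some other third party."""
    if GOOGLE_FORMS_RE.match(url):
        return "google-forms"
    return "same-host" if (urlsplit(url).hostname or "") == page_host else "third-party"


def extract_endpoints(html, page_url):
    """Return every submission target found in the page: forms, then links, then scripts."""
    p = _Collector()
    p.feed(html)
    host = urlsplit(page_url).hostname
    found = []
    for f in p.forms:
        url = urljoin(page_url, f["action"]) if f["action"] else page_url
        found.append({"source": "form", "method": f["method"], "url": url,
                      "fields": f["fields"], "kind": classify(url, host)})
    for href in p.links:
        url = urljoin(page_url, href)
        if GOOGLE_FORMS_RE.match(url):  # only links that hand the visitor to a Google Form
            found.append({"source": "link", "method": "GET", "url": url,
                          "fields": [], "kind": "google-forms"})
    for js in p.scripts:
        for m in list(FETCH_RE.finditer(js)) + list(XHR_RE.finditer(js)):
            url = urljoin(page_url, m.group("url"))
            found.append({"source": "script", "method": "POST", "url": url,
                          "fields": [], "kind": classify(url, host)})
    return found


if __name__ == "__main__":
    for e in extract_endpoints(SAMPLE_PAGE, "https://lookalike.example.invalid/"):
        print(f"{e['kind']:<12} {e['source']:<6} {e['method']:<4} {e['url']}  fields={e['fields']}")
```

The field names on the form are worth keeping in the output: a clone of a hotline or volunteer-recruitment site that asks for a full name, phone number and free-text message is collecting exactly the identifying data the article describes, and the list of field names is a compact indicator to compare across clusters.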
All four clusters served the same purpose: collecting personal data from people who believed they were contacting the real organization. The phishing pages, which replicated the organizations' official websites, were hosted with Nybula LLC, a provider the researchers describe as bulletproof hosting. The sophistication lay in the impersonation rather than the plumbing: faithful clones of familiar sites, front-ended by ordinary web forms and Google Forms, were enough to persuade visitors to hand over sensitive information.
Analysis of the infrastructure showed that the four clusters were connected: they shared the WHOIS organization name "Semen Gerda", similar page metadata, and registration through the same registrar, NiceNIC. A shared registrar on its own is a weak link, since any registrar serves large numbers of unrelated customers, but alongside the common registrant name and metadata it corroborates the grouping. The pages lured victims with prominent buttons leading to forms, some attacker-hosted and some built on the legitimate Google Forms service, that requested personal information.
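The pivot described above can be made mechanical, and doing so forces a decision about which selectors are allowed to join domains into a cluster. The Python script below is an added example and not Silent Push's tooling: it unions domains that share a strong selector (registrant organization, a hash of the page metadata), ignores registrar privacy placeholders so that "REDACTED FOR PRIVACY" cannot glue unrelated domains together, and reports a weak selector such as the registrar only as corroboration for a cluster it never helped form. The records are constructed; the domain names and metadata hashes are placeholders, and only the registrant name and registrar come from the article.

```python
"""Cluster phishing domains by shared infrastructure selectors.

Added example, not from the Silent Push report: the article says the four
clusters were tied together by a shared WHOIS organization name, similar
page metadata and a common registrar.  Domains are joined into one cluster
when they share a *strong* selector (registrant organization, page-metadata
hash); a *weak* selector such as the registrar is never used to join, only
reported as corroboration, because a registrar is shared by many unrelated
customers.  Privacy placeholders are ignored so that "REDACTED FOR PRIVACY"
cannot link unrelated domains.  RECORDS are constructed: domain names and
metadata hashes are placeholders, only the registrant name and registrar
come from the article.
"""
from collections import defaultdict

STRONG = ("registrant_org", "meta_hash")
WEAK = ("registrar",)
# Values that carry no identifying information and must not link domains.
PLACEHOLDERS = {"", "redacted for privacy", "n/a", "not disclosed"}

RECORDS = [
    {"domain": "cia-clone1.example.invalid", "registrant_org": "Semen Gerda",
     "registrar": "NiceNIC", "meta_hash": "m-cia"},
    {"domain": "cia-clone2.example.invalid", "registrant_org": "REDACTED FOR PRIVACY",
     "registrar": "NiceNIC", "meta_hash": "m-cia"},          # joins via metadata only
    {"domain": "rvc-clone.example.invalid", "registrant_org": "Semen Gerda",
     "registrar": "NiceNIC", "meta_hash": "m-rvc"},
    {"domain": "legion-clone.example.invalid", "registrant_org": " semen gerda",
     "registrar": "NiceNIC", "meta_hash": "m-legion"},       # same name, sloppy casing
    {"domain": "unrelated1.example.invalid", "registrant_org": "Some Other Org",
     "registrar": "NiceNIC", "meta_hash": "m-other1"},       # same registrar only
    {"domain": "unrelated2.example.invalid", "registrant_org": "REDACTED FOR PRIVACY",
     "registrar": "NiceNIC", "meta_hash": "m-other2"},       # placeholder must not link
]


def normalize(value):
    """Canonical form of a selector value, or None if it is a non-identifying placeholder."""
    v = (value or "").strip().lower()
    return None if v in PLACEHOLDERS else v


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(records, strong=STRONG):
    """Group domains sharing any strong selector; largest clusters first, singletons last."""
    ds = DisjointSet()
    by_value = defaultdict(list)
    for r in records:
        ds.find(r["domain"])  # register the domain even if it links to nothing
        for field in strong:
            v = normalize(r.get(field))
            if v is not None:
                by_value[(field, v)].append(r["domain"])
    for domains in by_value.values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    groups = defaultdict(list)
    for r in records:
        groups[ds.find(r["domain"])].append(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def shared_weak(records, group, weak=WEAK):
    """Weak selectors with a single value across the whole group, for the write-up only."""
    by_domain = {r["domain"]: r for r in records}
    out = {}
    for field in weak:
        values = {normalize(by_domain[d].get(field)) for d in group}
        if len(values) == 1 and None not in values:
            out[field] = values.pop()
    return out


if __name__ == "__main__":
    for g in cluster(RECORDS):
        print(len(g), g, "corroborated by", shared_weak(RECORDS, g))
```

Run as-is, the four clone domains land in one cluster (two through the registrant name, one through the shared metadata hash alone), the two unrelated domains stay singletons despite using the same registrar, and the registrar is reported as corroboration for the cluster rather than as a reason for it.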
The CIA impersonation used domains carrying suspicious web forms and embedded fake .onion addresses (the real CIA publishes a Tor onion service, which makes a bogus one a convincing prop), and YouTube videos were used to steer viewers to the phishing domains. The Hochuzhit cluster targeted Russian service members seeking to surrender, with dedicated domains as the lure. Silent Push threat analysts, working with security researcher Artem Tamoian, uncovered additional domains and infrastructure linked to the campaign, including domains fronted by Cloudflare.
Silent Push's attribution to Russian intelligence services rests on several factors: targets that are of clear interest to the Russian government, tactics, techniques and procedures (TTPs) consistent with known Russian state-sponsored activity, and the sustained impersonation of the CIA for intelligence collection. These are indicators rather than proof, which is why the attribution is qualified as alleged. The researchers stressed that every domain associated with the campaign poses a serious privacy and security risk to anyone who submits data to it, and urged caution.
The exposure of this campaign illustrates a persistent pattern: phishing aimed not at credentials or money but at identifying people whose activities a government treats as hostile. For anyone in that position, the practical defenses are to reach such organizations only through addresses verified out of band, to distrust any contact form, Google Form included, that asks for identifying details, and to remember that a convincing clone of a familiar website is exactly what this campaign was built on.