Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
Silent Push uncovers an alleged Russian intelligence phishing campaign impersonating the CIA, targeting Ukraine supporters, anti-war activists and informants.
Cybersecurity researchers at Silent Push have discovered a complex and extensive phishing operation, allegedly launched by Russian Intelligence Services or a similarly motivated entity, targeting individuals who support Ukraine and oppose the Russian government.
The campaign, which surfaced in early 2025, employed fake website lures to gather personal information from Russian citizens and informants. This was a particularly sensitive endeavour given the illegality of anti-war activities within the Russian Federation.
The phishing sites collected user input using a combination of static HTML and JavaScript. Data exfiltration was often facilitated through simple POST requests to threat-actor-controlled servers or through the abuse of Google Forms.
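The exfiltration pattern described above (a page-hosted form that posts victim input to an attacker server or to a Google Form) can be spotted statically by checking where each `<form>` on a captured page sends its data. The script below is an added example written for this article, not Silent Push's tooling; it parses a constructed sample page and flags every form whose action resolves to a host other than the one the page was served from, labelling Google Forms endpoints separately. The `GOOGLE_FORMS_HOSTS` set and the sample HTML are assumptions for illustration.

```python
"""Flag HTML forms that post user input to third-party endpoints.

Added example (not the article's or Silent Push's code). Given the HTML of a
suspected phishing page and the URL it was fetched from, list each <form>
whose action sends data to a different host. Google Forms hosts are tagged
separately because the article names them as one exfiltration path.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hostnames that serve Google Forms submissions.
GOOGLE_FORMS_HOSTS = {"docs.google.com", "forms.gle"}


class FormCollector(HTMLParser):
    """Collect (method, action) pairs for every <form> tag in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # HTML defaults to GET when no method is given.
        self.forms.append((a.get("method", "get").lower(), a.get("action", "")))


def find_offsite_forms(html, page_url):
    """Return findings for forms whose target host differs from the page's host."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for method, action in parser.forms:
        # Relative actions (e.g. "/login") resolve against the page itself.
        target = urljoin(page_url, action)
        host = urlparse(target).hostname or page_host
        if host == page_host:
            continue  # same-origin form; not an off-site exfiltration path
        kind = "google-forms" if host in GOOGLE_FORMS_HOSTS else "third-party"
        findings.append({"method": method, "target": target, "kind": kind})
    return findings


# Constructed sample page: one benign same-origin form, one Google Forms
# submission, and one form posting to an unrelated collector host.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/login"><input name="user"></form>
<form method="post" action="https://docs.google.com/forms/d/e/EXAMPLE-ID/formResponse">
  <input name="entry.1"></form>
<form method="POST" action="https://collector.example.net/submit"><input name="phone"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_offsite_forms(SAMPLE_HTML, "https://lure.example/join"):
        print(finding)
```

This only catches declarative forms; pages that gather input with JavaScript and send it via `fetch` or `XMLHttpRequest`, as the article says some of these lures did, need the script sources inspected (or the page run in an instrumented browser) as well.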
Researchers identified four distinct phishing clusters, each impersonating a prominent organization: the US Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and Hochuzhit, an appeals hotline for Russian service members operated by Ukrainian intelligence.
Despite their diverse impersonations, these clusters share a common objective: the illicit collection of personal data. As noted by the legitimate Liberty of Russia Legion in a March 14, 2024, X post, “We remind you that the only official telegram channel of the Legion is listed on our website: hxxps://legionlibertyarmy. Do not be fooled by fakes. Do not fall into the traps of the security forces of the Putin regime!”
The threat actors utilized a bulletproof hosting provider, Nybula LLC (ASN 401116), to host phishing pages designed to mimic the official websites of these organizations. This tactic, along with the use of Google Forms and website forms to gather data, reveals a sophisticated attempt to deceive and extract sensitive information from unsuspecting victims.
The campaign’s infrastructure analysis revealed links across all four clusters through shared technical indicators: the WHOIS organization name “Semen Gerda,” similar metadata, and common registration through the NiceNIC registrar.
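The pivoting described above, where domains are tied together because they share a registrant organization, registrar or hosting network, is a graph-connectivity problem: each shared value is an edge, and a cluster is a connected component. The code below is an added example, not Silent Push's analysis tooling; it links constructed WHOIS/hosting summaries with a union-find structure while ignoring values that are too common to be meaningful (privacy-proxy placeholders). The domain names are placeholders, and the pivot values reuse the indicators the article names (“Semen Gerda,” NiceNIC, ASN 401116); the `NOISY_VALUES` list is an assumption to be tuned per dataset.

```python
"""Cluster domains on shared registration and hosting attributes.

Added example, not Silent Push's code. Each record is a constructed summary of
a domain's WHOIS and hosting data. Two domains are joined when they share a
pivot value (registrant organization, registrar, hosting ASN); values on the
noisy list are skipped so that privacy proxies do not merge unrelated domains.
"""
from collections import defaultdict

PIVOT_FIELDS = ("registrant_org", "registrar", "asn")
# Assumption: values too generic to count as a link between two domains.
NOISY_VALUES = {"REDACTED FOR PRIVACY", "Whois Privacy Service", "", None}


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(records):
    """Return {root_domain: {"domains": [...], "pivots": [(field, value), ...]}}.

    "pivots" lists only the values actually shared by two or more domains in
    that cluster, i.e. the evidence that justifies grouping them.
    """
    ds = DisjointSet()
    by_value = defaultdict(list)  # (field, value) -> domains carrying it
    for rec in records:
        ds.find(rec["domain"])  # register singletons too
        for field in PIVOT_FIELDS:
            value = rec.get(field)
            if value in NOISY_VALUES:
                continue
            by_value[(field, value)].append(rec["domain"])
    for domains in by_value.values():
        for other in domains[1:]:
            ds.union(domains[0], other)
    clusters = defaultdict(lambda: {"domains": [], "pivots": set()})
    for rec in records:
        clusters[ds.find(rec["domain"])]["domains"].append(rec["domain"])
    for key, domains in by_value.items():
        if len(domains) > 1:
            clusters[ds.find(domains[0])]["pivots"].add(key)
    return {root: {"domains": sorted(c["domains"]), "pivots": sorted(c["pivots"])}
            for root, c in clusters.items()}


# Constructed records: four lures linked by overlapping indicators and one
# unrelated domain that shares nothing with them. AS64496 is a documentation ASN.
SAMPLE_RECORDS = [
    {"domain": "cia-lure.example", "registrant_org": "Semen Gerda",
     "registrar": "NiceNIC", "asn": "AS401116"},
    {"domain": "rvc-lure.example", "registrant_org": "Semen Gerda",
     "registrar": "NiceNIC", "asn": "AS401116"},
    {"domain": "legion-lure.example", "registrant_org": "REDACTED FOR PRIVACY",
     "registrar": "NiceNIC", "asn": "AS401116"},
    {"domain": "hotline-lure.example", "registrant_org": "REDACTED FOR PRIVACY",
     "registrar": "OtherRegistrar", "asn": "AS401116"},
    {"domain": "unrelated.example", "registrant_org": "REDACTED FOR PRIVACY",
     "registrar": "BigRegistrar", "asn": "AS64496"},
]

if __name__ == "__main__":
    for root, cluster in cluster_domains(SAMPLE_RECORDS).items():
        print(root, cluster["domains"], cluster["pivots"])
```

Because a single shared ASN can join domains that otherwise have nothing in common, a real workflow would weight pivots (a rare registrant name is stronger evidence than a bulletproof host used by many campaigns) and review the "pivots" evidence for each cluster before treating it as one actor's infrastructure.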
The phishing pages employed various tactics to lure victims. For instance, the rusvolcorpsnet domain lured users with a “Join Here” button, leading to a Google Form requesting detailed personal information. Similarly, the legionlibertytop domain used a blue “Join” button to direct users to a legitimate Google Form, while a green button led to a form controlled by the threat actors.
CIA impersonation involved the creation of domains like ciagovicu and jagotovoffcom, which featured suspicious web forms and embedded illegitimate .onion links. The threat actors even manipulated YouTube content, replacing official CIA links with their phishing domains.
Conversely, the Hochuzhit cluster, targeting Russian service members seeking to surrender, utilized domains like hochuzhitlifecom and hochuzhitlife. Silent Push Threat Analysts, in collaboration with security researcher Artem Tamoian, uncovered additional domains and infrastructure, including legionllbertyarmy, which was hosted on Cloudflare.
Silent Push’s attribution to Russian intelligence services is based on several factors, including the campaign’s focus on targets of strategic interest to the Russian government, the observed TTPs that align with known Russian state-sponsored actor behaviour, and the persistent impersonation of the CIA for intelligence gathering purposes.
Researchers concluded that all domains associated with this Russian Intelligence Agency campaign pose massive privacy and security risks, highlighting the importance of caution and stronger cybersecurity measures.