Wednesday, May 7, 2025

Russian Hackers Impersonate CIA to Steal Ukrainian Defense Intelligence Data


In a complex cyber operation discovered by Silent Push Threat Analysts, Russian hackers have launched a multi-pronged phishing campaign impersonating various organizations, including the CIA, to gather intelligence on individuals sympathetic to Ukraine’s defense efforts.

The campaign, believed to be orchestrated by Russian Intelligence Services or aligned actors, utilizes a network of fraudulent websites to collect personal information from unsuspecting victims.

Exploiting Anti-War Sentiment

The threat actors have created convincing replicas of websites belonging to the Russian Volunteer Corps (RVC), Legion Liberty, and “I Want to Live” (Hochuzhit), an appeals hotline for Russian service members in Ukraine.


These fake sites prompt visitors to submit personal data, ostensibly for recruitment or information-sharing purposes.

The campaign specifically targets Russian citizens involved in anti-war activities, which are illegal in the Russian Federation and can result in arrests.

Technical Infrastructure and Tactics

The phishing infrastructure spans multiple domains hosted on bulletproof providers, with a notable presence on Nybula LLC (ASN 401116).

The attackers employ sophisticated tactics, including the use of legitimate-looking Google Forms to capture victim information and the embedding of authentic Telegram channels to enhance credibility.

Figure: A Google Form requested site visitors’ personal information

One key domain in the CIA impersonation effort, ciagov[.]icu, was found to generate suspicious “Submission Reference IDs” when users attempted to report information.

According to the report, this domain, along with others such as jagotovoff[.]com, shared infrastructure with the fake RVC and Legion Liberty sites, indicating a coordinated effort.

The threat actors have also manipulated search engine results and created deceptive YouTube content to lure victims to their phishing pages.

Figure: Legionliberty[.]top phishing page

For instance, a YouTube channel (@contactciaofficial) was discovered referencing both ciagov[.]icu and a fake .onion domain, demonstrating the campaign’s multi-platform approach.

As of March 2025, the campaign remains active with new domains continually being registered.

Security researchers have identified several indicators of compromise, including specific IP addresses and domain naming patterns.

Organizations and individuals are advised to exercise caution when interacting with websites purporting to represent these entities and to verify the authenticity of any forms requesting personal information.
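As an added, defender-side illustration (not code from the article or from Silent Push), the following Python scans a constructed DNS/proxy log for the three domains the article names and for lookalike hosts that reuse the impersonated organisations' names; the log format, the brand fragments and the allow-list are assumptions.

```python
import re

# The three phishing domains the article names (defanged there as ciagov[.]icu etc.), refanged for matching.
KNOWN_PHISHING_DOMAINS = {d.replace("[.]", ".") for d in
                          ("ciagov[.]icu", "jagotovoff[.]com", "legionliberty[.]top")}
# Second-level-label fragments that imitate the impersonated organisations (CIA, Legion Liberty,
# "I Want to Live"/Hochuzhit). Assumed watch-list; extend it for your own environment.
BRAND_FRAGMENTS = ("ciagov", "legionliberty", "hochuzhit")
# Registrable domains allowed to carry such a fragment. Assumed allow-list.
ALLOWED_DOMAINS = {"cia.gov"}
# Constructed log format: "<timestamp> <client-ip> <queried-host>", one record per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>[A-Za-z0-9.\-]+)\.?$")


def registrable_domain(host):
    """Last two labels of the host (no public-suffix list; adequate for the TLDs seen here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host):
    """Return why a host looks like part of the campaign ("known-ioc" / "brand-lookalike"), else None."""
    reg = registrable_domain(host)
    if reg in KNOWN_PHISHING_DOMAINS:
        return "known-ioc"
    if reg in ALLOWED_DOMAINS:
        return None
    sld = reg.split(".")[0]
    return "brand-lookalike" if any(f in sld for f in BRAND_FRAGMENTS) else None


def scan_log(lines):
    """Yield (timestamp, client, host, reason) for matching records; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (reason := classify(m["host"])):
            yield m["ts"], m["client"], m["host"], reason


# Constructed sample records; hochuzhit-example.test is a made-up lookalike, not a real indicator.
SAMPLE_LOG = """\
2025-03-02T10:14:05Z 10.0.0.12 www.cia.gov
2025-03-02T10:14:09Z 10.0.0.12 ciagov.icu
2025-03-02T10:15:41Z 10.0.0.23 forms.legionliberty.top
2025-03-02T10:16:02Z 10.0.0.23 hochuzhit-example.test
2025-03-02T10:16:30Z 10.0.0.31 example.com
""".splitlines()

if __name__ == "__main__":
    for ts, client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {host} -> {reason}")
```

Feed it your resolver or proxy export in the same three-column shape, and replace the allow-list and fragments with the organisations your users actually contact.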

This sophisticated operation underscores the evolving nature of cyber threats in the context of geopolitical conflicts, highlighting the need for enhanced digital vigilance and robust cybersecurity measures.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
