In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
The operation utilizes carefully crafted phishing websites that mimic legitimate organizations, creating convincing facades to trick victims into divulging personal information.
The campaign targets individuals seeking to contact anti-Putin organizations or provide intelligence to Western agencies.
By creating nearly identical replicas of trusted websites with only subtle differences in domain names, the attackers have established an effective method for collecting sensitive data from unsuspecting victims.
Silent Push threat researchers identified the operation, revealing it consists of four major phishing clusters impersonating not only the CIA but also the Russian Volunteer Corps, Legion Liberty, and “Hochuzhit” (an appeals hotline for Russian service members in Ukraine operated by the Defense Intelligence of Ukraine).
Evidence suggests these operations are likely the work of Russian Intelligence Services or threat actors aligned with Russian interests.
The campaign has been evolving since at least September 2023, with new domains continuously being registered to expand the operation’s reach and effectiveness.
The attackers have demonstrated significant technical sophistication in their domain spoofing techniques. For example, instead of using the legitimate CIA domain (cia.gov), they registered domains like “ciagov.icu” and “ciacontactru.com” to fool victims.
Similar tactics were used across all targeted organizations, with domains like “legionliberty.top” mimicking the legitimate “legionliberty.army” site.
Phishing Infrastructure Analysis
The campaign’s infrastructure reveals careful planning and execution.
The attackers created convincing replicas of legitimate forms, using Google Forms in many cases to collect personal information from victims.
One form example requested details such as:
Your gender
Your age
Country of Location
Citizenship
Contact for feedback - your Telegram via @
Email
When examining the network infrastructure, researchers uncovered shared hosting patterns across the phishing domains.
Many were hosted on IP address 80.78.22.146, later moving to 101.99.76.102 in February 2025, suggesting ongoing campaign maintenance and development.
This infrastructure connectivity helped analysts link the seemingly disparate phishing clusters to a single coordinated operation targeting Ukrainian defense intelligence channels.
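As an added illustration of the two analysis steps described above, spotting lookalike domains and pivoting on shared hosting, the following Python script (example code written for this article, not Silent Push's tooling) flags the spoofed domains named in the report and groups them by hosting IP. The domain names and the two IP addresses are taken from the article; which domain resolved to which IP on which date is an assumption constructed for the example, as is the unrelated neighbour domain "example-news.org".

```python
"""Lookalike-domain detection and hosting-IP pivoting (added example)."""
from collections import defaultdict

# Legitimate domains the campaign impersonated, as named in the article.
LEGITIMATE = {
    "cia.gov": "CIA",
    "legionliberty.army": "Legion Liberty",
}

# Constructed passive-DNS-style records: (domain, hosting IP, first-seen date).
# The domain names and the two IPs come from the article; the pairing of
# domains to IPs and the dates are made up for this example.
RECORDS = [
    ("ciagov.icu",        "80.78.22.146",  "2024-11-02"),
    ("ciacontactru.com",  "80.78.22.146",  "2024-12-15"),
    ("legionliberty.top", "80.78.22.146",  "2025-01-09"),
    ("ciagov.icu",        "101.99.76.102", "2025-02-20"),
    ("legionliberty.top", "101.99.76.102", "2025-02-21"),
    ("cia.gov",           "198.51.100.7",  "2025-01-01"),  # legitimate; RFC 5737 test address
    ("example-news.org",  "80.78.22.146",  "2025-01-30"),  # unrelated tenant on the same host
]


def split_domain(domain):
    """Return (second-level label, tld) using the last two labels.
    Multi-label public suffixes such as co.uk are out of scope here."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def classify_lookalike(domain, legitimate=LEGITIMATE):
    """Return (impersonated brand, reason) if `domain` imitates a legitimate
    domain, else None. Two patterns from the article are checked:
      - fused:  label and TLD glued together under a new TLD (cia.gov -> ciagov.icu)
      - prefix: label reused with extra tokens or a different TLD
                (ciacontactru.com, legionliberty.top)
    """
    if domain.lower() in legitimate:
        return None
    sld, tld = split_domain(domain)
    for legit, brand in legitimate.items():
        legit_sld, legit_tld = split_domain(legit)
        if sld == legit_sld + legit_tld:          # checked first: "ciagov" also starts with "cia"
            return brand, "fused"
        # Prefix match only: a bare substring test on a 3-letter label such as
        # "cia" would also match words like "special" and flood the review queue.
        if sld.startswith(legit_sld):
            return brand, "prefix"
    return None


def pivot_by_ip(records):
    """Group domains by hosting IP, separating flagged lookalikes from other
    tenants so shared-hosting neighbours are not mislabelled as attacker assets."""
    by_ip = defaultdict(lambda: {"flagged": set(), "other": set()})
    for domain, ip, _seen in records:
        bucket = "flagged" if classify_lookalike(domain) else "other"
        by_ip[ip][bucket].add(domain)
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in by_ip.items()}


def migrations(records):
    """Return domains seen on more than one IP with their IPs in first-seen
    order: the pattern behind the February 2025 hosting move noted in the article."""
    seen = defaultdict(list)
    for domain, ip, date in records:
        seen[domain].append((date, ip))
    return {d: [ip for _, ip in sorted(v)]
            for d, v in seen.items() if len({ip for _, ip in v}) > 1}


if __name__ == "__main__":
    for domain, _ip, _seen in RECORDS:
        print(f"{domain:20} -> {classify_lookalike(domain)}")
    for ip, groups in pivot_by_ip(RECORDS).items():
        print(ip, groups)
    print("moved hosts:", migrations(RECORDS))
```

The fused check runs before the prefix check because the fused form also satisfies the prefix test; keeping the two reasons distinct lets a triage queue prioritise the pattern that most closely imitates the real domain. Pivoting on the IP alone is not enough to attribute a domain, which is why the unrelated neighbour is kept in its own bucket and the lookalike classification, not the hosting overlap, decides what is flagged.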