Russian Hackers Impersonate CIA in Cyber Espionage Campaign Targeting Ukrainian Sympathizers
A sophisticated cyber espionage campaign has been uncovered, revealing that Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
Phishing Tactics and Targeted Individuals
The attackers have set up highly convincing phishing websites that mimic legitimate organizations, deceiving victims into disclosing personal information. Their targets include:
- Individuals attempting to contact anti-Putin organizations.
- Those seeking to share intelligence with Western agencies.
- Russian defectors looking for safe passage or asylum.
The hackers use near-identical website replicas with only minor variations in domain names to mislead victims into believing they are interacting with trusted entities.
Organizations Impersonated
According to Silent Push threat researchers, the campaign consists of four major phishing clusters impersonating:
- The CIA – Attackers created fake domains like “ciagov.icu” and “ciacontactru.com” instead of the legitimate cia.gov.
- The Russian Volunteer Corps – A paramilitary group opposing the Kremlin.
- Legion Liberty – A military unit composed of Russian defectors fighting for Ukraine.
- Hochuzhit – A hotline for Russian service members in Ukraine, operated by the Defense Intelligence of Ukraine.
Attribution and Evolution of the Attack
Evidence strongly suggests that Russian Intelligence Services or state-aligned hackers are behind the operation. The campaign has been active since at least September 2023, with new phishing domains being continuously registered to expand its reach.
The hackers have demonstrated technical sophistication, particularly in their use of lookalike domains: names that closely resemble the legitimate ones (such as "ciagov.icu" in place of cia.gov) so that victims do not notice the substitution.
Phishing Infrastructure and Execution
Researchers analyzing the operation discovered shared hosting patterns across multiple phishing domains, indicating a well-coordinated attack.
- Many phishing websites were originally hosted on IP address 80.78.22.146 before moving to 101.99.76.102 in February 2025, suggesting ongoing maintenance and expansion.
- The attackers used Google Forms to collect victims' personal information, making the phishing attempts appear more legitimate.
By examining these infrastructure connections, cybersecurity analysts were able to link the seemingly unrelated phishing clusters to a single coordinated espionage effort targeting Ukrainian defense intelligence channels.
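The two defensive pivots described above, lookalike-domain spotting and clustering domains by shared hosting IP, as an added example that is not part of the original article or the Silent Push research. The domains and IPs are the ones named in the article; which domain resolved to which IP is assumed, and example.org / 192.0.2.10 are a constructed benign control.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from typing import Optional

# Legitimate domain the campaign impersonates (named in the article).
PROTECTED = ("cia.gov",)

# Constructed passive-DNS style records (domain, resolved IP). The domain/IP
# pairing is assumed; example.org on 192.0.2.10 is a benign control.
RECORDS = [
    ("ciagov.icu", "80.78.22.146"),
    ("ciacontactru.com", "80.78.22.146"),
    ("ciagov.icu", "101.99.76.102"),
    ("ciacontactru.com", "101.99.76.102"),
    ("example.org", "192.0.2.10"),
]

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'ciagov' for 'ciagov.icu'. Simplified: assumes
    a one-label public suffix, so names under suffixes like co.uk mis-parse."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(domain: str, protected=PROTECTED) -> Optional[str]:
    """Return the protected domain this name imitates, or None.
    Heuristics: whole protected name squashed into one label under another
    TLD ('ciagov.icu'), brand label as a prefix with extra tokens
    ('ciacontactru.com'), or a close string match. Prefix matching on a short
    brand yields false positives, so treat hits as leads for analyst review."""
    domain = domain.lower().strip(".")
    label = registrable_label(domain)
    for good in protected:
        if domain == good:
            return None
        squashed = good.replace(".", "")
        if label == squashed or label.startswith(registrable_label(good)):
            return good
        if SequenceMatcher(None, label, squashed).ratio() >= 0.8:
            return good
    return None

def cluster_by_ip(records):
    """IPs hosting more than one domain: the shared-hosting pivot that tied
    the separate phishing clusters together."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}
```

Running `cluster_by_ip(RECORDS)` shows both article IPs hosting the same two lookalike domains, which is the kind of overlap that justifies treating them as one operation rather than unrelated sites.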
This evolving cyber campaign highlights the increasing use of deceptive digital tactics in modern warfare. With Russian-aligned threat actors targeting individuals seeking to aid Ukraine, heightened cybersecurity awareness and verification of online sources are critical in countering these espionage efforts.