
A phishing campaign uses phony websites to help Russian intelligence catch citizens sympathetic to defending Ukraine. Victims are regularly arrested and charged.
Successful phishing attacks usually result in malware infection and/or financial losses. But some target individuals searching for specific information online. In Russia, this alone can make you guilty.
Researchers at the security company Silent Push have found a network of dozens of phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups as well as Ukrainian government intelligence sites and even the page of the US Central Intelligence Agency (CIA).
The scheme is targeting Russian citizens searching online for organizations that are fighting Russia. Silent Push believes the campaign is the work of either Russian intelligence or a state-sponsored threat actor.
That’s because anti-war actions have been illegal in the Russian Federation since 2022, when the country’s president, Vladimir Putin, ordered an invasion of neighboring Ukraine.
Tricking Russians who oppose war on Ukraine
According to Silent Push, the campaign consists of four major phishing clusters, impersonating the CIA, the Russian Volunteer Corps, Legion Liberty, and Hochuzhit – “I Want to Live,” an appeals hotline for Russian troops in Ukraine, which is operated by Ukrainian intelligence.
Legion Liberty is also known as the Freedom of Russia Legion. It’s a paramilitary unit consisting of Russian citizens who oppose Putin and his invasion of Ukraine, and are willing to join the Ukrainians in resisting the invading forces.
In March 2023, Russia’s Supreme Court designated the legion as a terrorist organization. This means that Russians caught communicating with the group can face up to 20 years in prison.
Hundreds of Russians have still joined this particular unit – but many others who have searched for more information about joining it online have been arrested. They were tricked with the help of phony websites, Silent Push says.
For instance, legiohliberty[.]army is at first glance very similar to the legitimate site, legionliberty[.]army. It even provides an interactive Google Form where interested applicants can share their contact and personal details.
The form is pretty thorough. It asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces, political views, motivations for joining, etc.
The website is fake, though. As is the site rusvolcorps[.]net, mimicking the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps. The legitimate domain is called rusvolcorps[.]com.
Other domains connected to the phishing scheme include ciagov[.]icu, mirroring the official website of the CIA, and hochuzhitlife[.]com. According to Silent Push, all four campaigns are interconnected and target Ukrainian entities, pro-Ukrainian Russians, and Russian-speaking informants.
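The four spoofed domains named above each use a different lookalike pattern. The following sketch shows how a defender could sort candidate domains by pattern; it is an added example, not code from Silent Push or from this article. The function names and category labels are hypothetical, cia[.]gov is assumed as the CIA's official domain, and Hochuzhit is matched by brand keyword because the article does not give its legitimate domain.

```python
# Added example: sort candidate domains into lookalike patterns against a watchlist.
# Domains are the ones named in the article, kept defanged ("[.]") until parsed.
PROTECTED = ["legionliberty[.]army", "rusvolcorps[.]com", "cia[.]gov"]  # cia[.]gov: assumption
BRAND_KEYWORDS = ["hochuzhit"]  # article names the brand, not its legitimate domain

def refang(domain):
    return domain.lower().replace("[.]", ".").strip(".")

def edit_distance(a, b):
    # Levenshtein distance with a two-row dynamic-programming table.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate):
    # Assumes the input is a registrable domain (no "www." or other subdomain).
    cand = refang(candidate)
    legit_domains = [refang(d) for d in PROTECTED]
    if cand in legit_domains:
        return ("legitimate", cand)
    name, _, tld = cand.rpartition(".")
    for legit in legit_domains:
        lname, _, ltld = legit.rpartition(".")
        if name == lname:
            return ("tld-swap", legit)        # same name, different TLD
        if name.replace("-", "") == legit.replace(".", ""):
            return ("label-merge", legit)     # dot dropped, new TLD appended
        # Short names (such as "cia") are skipped: small edit distances there
        # would match many unrelated domains.
        if tld == ltld and len(lname) >= 6 and edit_distance(name, lname) <= 2:
            return ("typo", legit)            # one or two characters changed
    for keyword in BRAND_KEYWORDS:
        if keyword in name and name != keyword:
            return ("brand-keyword", keyword)  # brand name with extra text
    return ("no-match", None)

if __name__ == "__main__":
    for d in ["legiohliberty[.]army", "rusvolcorps[.]net", "ciagov[.]icu",
              "hochuzhitlife[.]com", "legionliberty[.]army"]:
        print(d, classify(d))
```
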
The CIA has indeed established a presence on Telegram to reach individuals in countries with no access to other social media or independent media.
“All the campaigns our threat analysts observed have had similar traits and shared a common objective: collecting personal information from site-visiting victims,” said Silent Push.
Russian intelligence and SEO
The official Freedom of Russia X account was even forced to issue a reminder in mid-March, urging potential recruits: “Do not be fooled by fakes. Do not fall into the traps of the security forces of the Putin regime!”
The FSB has stepped up its activity. They cannot beat us on the battlefield, so they are trying to take out our comrades online.
But we are smarter.
We remind you that the Legion's only official Telegram channel is listed on our website: https://t.co/6UzgABFJQZ
Do not fall for fakes. Do not get caught in the traps… pic.twitter.com/1ltwJqeRdw
Freedom of Russia Legion (@legion_svoboda) March 14, 2024
The campaigns seem to have been at least partially successful. The web is full of news about Russians arrested for trying to join the Ukrainian war effort.

To Silent Push, it also seems that agencies or threat actors promoting the fake websites are manipulating the search engine results shown when someone searches for one of these anti-Kremlin organizations.
It looks like Russian internet users are mostly targeted, too. Already in August 2024, security researcher Artem Tamoian, who left his native Russia in 2019 and now works in cybersecurity, said on X that he saw various spoof websites when he searched for the Freedom of Russia Legion on Yandex, a Russian search engine.
On Google, the top returned result was the legion’s actual website, but on Yandex, the first result was a phishing page targeting the organization.
All the domains are hidden behind Cloudflare. But the main thing is that they behave identically when you reach them from search.
When you follow these links specifically from search (https://t.co/Cc0L2nSEpw, https://t.co/C1Uz4IMB0v, and others), completely different sites open.
3/ pic.twitter.com/KS5MRYndK1
Artem Tamoian (@artemtam) August 15, 2024
According to Tamoian, who cooperated with Silent Push, it looks like Russian intelligence has been trying its hand at search engine optimization.