Phishing Campaigns Target Anti-Kremlin Informants, Russian Citizens, and Ukraine Sympathizers

• Fake websites using search engine manipulation target people looking for anti-Russian content.
• Pro-Kremlin actors impersonate organizations such as the U.S. CIA or Ukraine’s Ministry of Defense and paramilitary groups.
• Harvesting the sensitive data the visitors input is dangerous as it could lead to arrests by Russian authorities.

A sophisticated phishing operation targets individuals searching for anti-Kremlin organizations by creating deceptive websites that mimic legitimate recruitment platforms, potentially endangering unsuspecting users.

Researchers at cybersecurity firm Silent Push have uncovered dangerous actors exploit the increasing interest in Ukrainian paramilitary groups. 

One prominent example is a fake site impersonating the Ukrainian paramilitary group Freedom of Russia Legion (legionliberty[.]army), designed to harvest personal information through an embedded Google Form. 

Applicants are prompted to disclose sensitive details, including their identity, contact information, political views, and military experience. Researchers believe these operations serve Russian Intelligence Services or groups with similar motives, aiming to expose and apprehend dissenters.

Unlike traditional phishing methods relying on email campaigns, these sites gain traction through manipulated search engine results. The fake domains frequently rank higher than legitimate sites on search platforms like Yandex, DuckDuckGo, and Bing, exposing users to significant risk. 

According to cybersecurity researcher Artem Tamoian, false search engine placements have made these sites a prominent trap for Russian citizens and anti-Kremlin sympathizers.

The fake site network isn’t limited to paramilitary organizations. Other domains, such as cia[.]gov[.]icu and hochuzhitlife[.]com, spoof official agencies like the U.S. Central Intelligence Agency and Ukraine’s Ministry of Defense.

Silent Push linked these malicious operations to known ‘bulletproof hosting’ providers like Stark Industries Solutions. This actor has a history of hosting infrastructure for DDoS attacks, malware campaigns, and disinformation efforts tied to pro-Kremlin actors.

People interacting with these phishing websites face grave risks. Gathering personal information could lead to arrests by Russian authorities, with convictions for terrorism or treason carrying severe penalties of up to 20 years in prison. Widespread reports suggest Russian security services, including the FSB, actively exploit the collected information to ensnare activists.