Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.
# Incident Report: Russian Intelligence Phishing Campaign Targeting Anti-Kremlin Activists
## Executive Summary
A sophisticated campaign, attributed to likely Russian Intelligence Services or affiliated actors, utilized dozens of phishing domains to impersonate Ukrainian paramilitary groups and intelligence agencies. The primary goal was to harvest personal and politically sensitive data from Russian citizens attempting to join or aid these anti-Kremlin organizations, exposing them to prosecution under Russian law. Response efforts focused on researcher discovery, reporting domains to hosting providers, and public disclosure.
## Incident Details
- **Discovery Date:** Throughout 2024 and early 2025 (based on researcher reports and domain activity).
- **Incident Date:** Ongoing; the campaign was observed targeting users searching for these groups in 2024/2025.
- **Affected Organization:** No single organization; the victims were Russian citizens attempting to contact or join Ukrainian paramilitary groups, and the impersonated parties were those Ukrainian groups and US intelligence.
- **Sector:** Geopolitical/Cyber Espionage targeting individuals.
- **Geography:** Users inside Russia, reached through the search engines they use there (Yandex, DuckDuckGo, Bing).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, observed throughout late 2024/early 2025.
- **Vector:** Search Engine Manipulation (SEO poisoning) followed by phishing links.
- **Details:** Attackers manipulated search engine results (specifically Yandex, DuckDuckGo, and Bing) to rank fake recruitment sites above legitimate ones for searches like "Freedom of Russia legion."
### Lateral Movement
- Not applicable; the attack was focused on data collection via web forms rather than network intrusion.
### Data Exfiltration/Impact
- **Details:** Collection of sensitive personal data (name, contact info, citizenship, military experience, political views, bad habits) from individuals attempting to join anti-Kremlin groups.
- **Impact:** Exposure of individuals to severe legal repercussions (imprisonment, charges of treason/terrorism) by the Russian Federation.
### Detection & Response
- **Detection:** Security researchers (Silent Push, Artem Tamoian) mapped and analyzed the network of phishing domains by comparing search results between Yandex and Google, and by observing domain trends.
- **Response Actions:** Researchers reported domains (`legionliberty[.]world`, `rusvolcorps[.]ru`) to the hosting provider (Cloudflare), which revealed the underlying hosting infrastructure, linked to Stark Industries Solutions Ltd.
## Attack Methodology
- **Initial Access:** SEO poisoning/Search Engine Manipulation.
- **Persistence:** Domain setup indicating continuous operation and spawning of new lookalike domains.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Utilizing hosting providers (Stark Industries Solutions Ltd.) known for supporting malicious infrastructure; operating on search engines where legitimate sites were suppressed.
- **Credential Access:** Direct collection via Google Forms embedded in the phishing sites.
- **Discovery:** Through manual search comparison by researchers and analysis of domain connections (e.g., Edwards linking fake Legion Liberty sites to `rusvolcorps[.]net`).
- **Lateral Movement:** Not applicable.
- **Collection:** Gathering highly detailed personal and ideological information via structured application forms.
- **Exfiltration:** Standard web form submission to attacker-controlled endpoints.
- **Impact:** Subjecting victims to arrest and severe sentencing by Russian authorities (up to 10-20 years for aiding designated "terrorist" organizations).
## Impact Assessment
- **Financial:** Not quantified; any financial dimension lies on the attacker's side (potential bounties or recruitment costs).
- **Data Breach:** Collection of names, contact details (Telegram handles), citizenship, military history, and political alignment of opposition-minded Russian citizens.
- **Operational:** Disrupting the recruitment and communication efforts of Ukrainian paramilitary groups by setting up decoys.
- **Reputational:** Damaging the operational security of genuine anti-Kremlin groups by luring potential members into traps.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - Domains impersonating **Freedom of Russia Legion**: `legiohliberty[.]army`, `legionliberty[.]world`
  - Domains impersonating **Russian Volunteer Corps**: `rusvolcorps[.]net`, `rusvolcorps[.]ru`
  - Domains impersonating intelligence sites: `ciagov[.]icu`, `hochuzhitlife[.]com`
  - Underlying hosting: Stark Industries Solutions Ltd. (historically associated with Russian intelligence infrastructure).
- **File Indicators:** Not specified (focus was on web infrastructure).
- **Behavioral Indicators:** Use of interactive Google Forms hosted on lookalike domains to collect detailed personal questionnaires from prospective volunteers; high search engine ranking manipulation.
## Response Actions
- **Containment:** Reporting identified phishing domains to Cloudflare for blocking/warning implementation.
- **Eradication:** Not achievable by external parties alone; it requires domain shutdown by registrars/hosts or formal takedown requests.
- **Recovery:** Public disclosure by researchers (Silent Push, Tamoian) to warn potential victims about the threat vector.
## Lessons Learned
- **Key Takeaways:** State-aligned actors are employing highly targeted, non-technical access vectors (SEO manipulation) to harvest sensitive intelligence on opposition figures operating within repressive regimes. The reliance on specific domestic search engines (Yandex) creates exploitable blind spots.
- **What could have been done better:** Faster identification and reporting of the underlying hosting provider infrastructure (Stark Industries Solutions) associated with these campaigns.
## Recommendations
- **Prevention Measures for Similar Incidents:**
  1. Organizations should actively monitor search engine results (especially regional/local engines) for high-ranking malicious impersonations of their official sites.
  2. Implement robust domain monitoring and quick reporting mechanisms for lookalike domains, leveraging partnerships with hosting providers and domain registrars.
  3. Advise known sympathizers or recruits about the high risk of using anonymous online recruitment channels in high-risk geopolitical environments.
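The domain-monitoring recommendation above, and the behavioral indicator of lookalike domains in the IoC section, can be turned into a simple watch-list check. The following is an added example written for this report, not code from the researchers or groups it describes: it refangs a feed of newly observed domains (here, the report's own defanged indicators plus a few constructed decoys), normalizes common digit-for-letter confusables, and flags names whose registrable label is, or is within a small edit distance of, a protected organization's label. The protected labels and the `.example` allow list are placeholders, since the report does not name the groups' legitimate domains; the confusables map and the second-level-label split are deliberate simplifications.

```python
"""Lookalike-domain watch list check (added example; placeholders are assumptions)."""

import re

# Placeholder watch list (assumption): registrable label -> organization name.
PROTECTED_LABELS = {
    "legionliberty": "Freedom of Russia Legion",
    "rusvolcorps": "Russian Volunteer Corps",
}

# Placeholder allow list (assumption): the organizations' genuine domains.
OFFICIAL_DOMAINS = {"legionliberty.example", "rusvolcorps.example"}

# Constructed feed: the report's defanged indicators plus benign decoys.
OBSERVED_FEED = """
legiohliberty[.]army
legionliberty[.]world
rusvolcorps[.]net
rusvolcorps[.]ru
ciagov[.]icu
hochuzhitlife[.]com
legion-news[.]org
example[.]com
"""

# Digits commonly swapped for visually similar letters (simplified map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def refang(indicator: str) -> str:
    """Turn defanged notation (name[.]tld, hxxp://) back into a plain domain."""
    value = indicator.strip().lower().replace("[.]", ".")
    value = re.sub(r"^hxxps?://", "", value)
    return value.split("/")[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label; adequate for the single-label TLDs in the feed."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def score_domain(domain: str):
    """Return (organization, reason) if the domain looks like an impersonation."""
    if domain in OFFICIAL_DOMAINS:
        return None
    label = registrable_label(domain).translate(CONFUSABLES)
    for protected, org in PROTECTED_LABELS.items():
        distance = levenshtein(label, protected)
        if distance == 0:
            return org, "exact label on an unexpected TLD"
        # Allow roughly one edit per six characters so short labels do not
        # match by accident.
        if distance <= max(1, len(protected) // 6):
            return org, f"edit distance {distance} from {protected}"
        if protected in label:
            return org, f"contains protected label {protected}"
    return None


def scan_feed(feed: str) -> dict:
    """Map each suspicious domain in the feed to (organization, reason)."""
    hits = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        domain = refang(line)
        verdict = score_domain(domain)
        if verdict:
            hits[domain] = verdict
    return hits


if __name__ == "__main__":
    for domain, (org, reason) in scan_feed(OBSERVED_FEED).items():
        print(f"{domain:24} impersonates {org}: {reason}")
```

Run against the constructed feed, the four report indicators built on the two groups' names are flagged (`legiohliberty[.]army` by edit distance, the other three as the exact label on an unexpected TLD), while the decoys and the intelligence-themed domains are not, since those impersonate a brand the watch list does not cover. In practice the feed would come from certificate transparency logs or a registrar's newly-registered-domain stream, and each hit would be routed to the reporting channel described under Response Actions.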