Russian Intelligence Impersonates Multiple Organizations to Target Ukraine Sympathizers in New Phishing Campaign

On March 14, 2024, Silent Push published a report [1] detailing a targeted phishing campaign suspected to be linked to Russian intelligence services, possibly associated with GRU Unit 29155—a unit previously implicated in influence operations, assassinations, and destabilization campaigns across Europe [2]. The campaign appears to target individuals who are sympathetic to Ukraine or opposed to the Russian government, with the likely objective of collecting intelligence on opposition-aligned Russians, identifying potential defectors, and monitoring foreign sympathizers.

Silent Push identified four distinct phishing clusters impersonating:

  • The CIA – Websites masquerading as legitimate CIA communication portals, likely intended to trick users into self-identifying as informants or opposition supporters.

  • Russian Volunteer Corps (RVC) – Fake sites spoofing this anti-Putin militia made up of Russian nationals fighting alongside Ukraine.

  • Legion "Liberty" (Legion Svoboda) – Another anti-Kremlin paramilitary group spoofed to gather information from sympathizers.

  • Hochu Zhit ("I Want to Live") Hotline – A Ukrainian-run surrender hotline, mimicked to identify and track Russian soldiers seeking to defect.

All phishing domains were hosted on infrastructure associated with the bulletproof hosting provider Nybula LLC (ASN 401116). The sites used static HTML and JavaScript forms to harvest sensitive personal data, which was then exfiltrated via HTTP POST requests to attacker-controlled infrastructure.
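For defenders, the two traits above (hosting in ASN 401116 and exfiltration by HTTP POST) translate into a simple retrospective hunt over web proxy logs. The sketch below is an added example, not code from Silent Push or this blog; the CSV schema, client addresses and host names are constructed, and it assumes the logs are already enriched with the destination ASN.

```python
import csv
import io
from collections import defaultdict

WATCHED_ASN = 401116  # ASN the article associates with the phishing hosts

# Constructed sample proxy log (hypothetical schema and values), already
# enriched with the destination ASN by the proxy or an ASN lookup.
SAMPLE_LOG = """\
ts,client,method,host,dest_asn,content_type,bytes_out
2024-03-15T09:01:02Z,10.0.4.17,GET,portal-one.example,401116,-,0
2024-03-15T09:03:40Z,10.0.4.17,POST,portal-one.example,401116,application/x-www-form-urlencoded,812
2024-03-15T09:05:11Z,10.0.9.3,GET,portal-two.example,401116,-,0
2024-03-15T09:06:00Z,10.0.9.3,POST,intranet.example,64500,application/json,120
2024-03-15T09:07:30Z,10.0.2.8,POST,portal-two.example,401116,multipart/form-data; boundary=x,2044
"""

FORM_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data", "application/json")


def hunt(log_text, asn=WATCHED_ASN):
    """Return {client: {"visited": set(hosts), "submitted": [(ts, host, bytes)]}}
    for traffic to the watched ASN. A non-empty "submitted" list means the
    client sent a form body, so that user's data should be treated as exposed."""
    findings = defaultdict(lambda: {"visited": set(), "submitted": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("dest_asn") != str(asn):
            continue  # other networks, or rows without ASN enrichment
        entry = findings[row["client"]]
        entry["visited"].add(row["host"])
        ctype = (row.get("content_type") or "").lower()
        sent = int(row.get("bytes_out") or 0)
        if row["method"].upper() == "POST" and ctype.startswith(FORM_TYPES) and sent > 0:
            entry["submitted"].append((row["ts"], row["host"], sent))
    return dict(findings)


def triage(findings):
    """Split clients into those who submitted data and those who only browsed."""
    submitted = sorted(c for c, f in findings.items() if f["submitted"])
    visited_only = sorted(c for c, f in findings.items() if not f["submitted"])
    return submitted, visited_only


if __name__ == "__main__":
    exposed, browsed = triage(hunt(SAMPLE_LOG))
    print("submitted form data:", exposed)
    print("visited only:", browsed)
```

Clients in the first list sent a form body to a host in the watched ASN and are the ones to prioritise for follow-up; clients in the second list only loaded a page.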

The infrastructure and tactics exhibited overlaps with prior Raspberry Robin-related activity, raising the possibility of shared access, tooling, or operational playbooks across Russian cyber units.


References

[1] https://www.silentpush.com/blog/raspberry-robin/

[2] https://blog.sploited.org/2024/11/russian-gru-unit-29155-recent-operations.html
