When Falling for Phishing Puts Your Life at Risk


Many successful phishing attacks lead to financial loss or a malware infection. However, falling for certain phishing scams, particularly those currently aimed at individuals in Russia who are searching online for entities that oppose the military actions of the Kremlin, can result in the loss of personal freedom or even endanger your life.


The authentic website of the Ukrainian paramilitary group “Freedom of Russia” legion. The content has been automatically translated from Russian.

A team at the cybersecurity company Silent Push uncovered a network of numerous fake domains that imitate the recruitment portals of Ukrainian paramilitary organizations and government intelligence agencies in Ukraine.

The site legiohliberty[.]army replicates the homepage of the Freedom of Russia Legion (also known as the “Free Russia Legion”), a group founded three years ago in Ukraine, consisting of Russian nationals who oppose Vladimir Putin and his military intervention in Ukraine.

The counterfeit version of this website mirrors the legitimate platform — legionliberty[.]army — and offers an interactive Google Form for potential applicants to submit their personal and contact information. The form requires users to input their name, gender, age, email address and/or Telegram handle, nationality, citizenship status, military experience, political beliefs, reasons for joining, and any negative habits.

According to a report released today by Silent Push, engagement in such anti-war activities is considered unlawful in Russia, with participating citizens frequently facing charges and arrests. The observed campaigns share similar characteristics and a common goal: gathering personal details from visitors to the sites. The team suspects that this campaign is likely the handiwork of either Russian Intelligence Services or a threat actor with comparable intentions.

Zach Edwards from Silent Push noted that the fraudulent Legion Liberty site is closely linked to rusvolcorps[.]net. This domain mimics the recruitment webpage of a Ukrainian far-right paramilitary group known as the Russian Volunteer Corps (rusvolcorps[.]com) and utilizes a similar Google Forms interface to collect data from potential members.

Other domains linked to the phishing operation by Silent Push include: ciagov[.]icu, replicating content from the official website of the U.S. Central Intelligence Agency; and hochuzhitlife[.]com, a mimicry of the Ministry of Defense of Ukraine & General Directorate of Intelligence (with the genuine domain being hochuzhit[.]com).
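The lookalike domains named above each use a different imitation technique: a single-character substitution, a swapped top-level domain, an appended word, or a TLD folded into the name. The sketch below is an added example for defenders, not Silent Push's method or code from the report. It classifies a candidate domain against a list of known-good ones; the function names are hypothetical, and cia[.]gov is an assumption because the article does not name the real CIA domain.

```python
# Added example: classify how a domain imitates a known-good one.
# Domains stay defanged ("[.]") in source; nothing here makes network requests.
LEGIT = [
    "legionliberty[.]army",  # from the article
    "rusvolcorps[.]com",     # from the article
    "hochuzhit[.]com",       # from the article
    "cia[.]gov",             # assumption: real CIA domain, not named in the article
]

def split(domain):
    """Return (name, tld) for a registrable domain; assumes a single-label TLD."""
    name, _, tld = domain.replace("[.]", ".").lower().strip(".").rpartition(".")
    return name, tld

def edit_distance(a, b):
    """Levenshtein distance using one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, legit=LEGIT):
    """Return (technique, imitated_domain) for a candidate domain."""
    cname, ctld = split(candidate)
    if any(split(d) == (cname, ctld) for d in legit):
        return ("legitimate", candidate)
    for d in legit:
        lname, ltld = split(d)
        if cname == lname:
            return ("tld-swap", d)
        if cname == lname + ltld:
            return ("tld-folded-into-name", d)
        if cname.startswith(lname) or cname.endswith(lname):
            return ("added-keyword", d)
        # Short names get a tighter threshold to limit false positives.
        if edit_distance(cname, lname) <= max(1, len(lname) // 6):
            return ("typo", d)
    return ("no-match", None)

if __name__ == "__main__":
    for dom in ["legiohliberty[.]army", "rusvolcorps[.]net", "ciagov[.]icu",
                "hochuzhitlife[.]com", "legionliberty[.]world", "rusvolcorps[.]ru"]:
        print(dom, classify(dom))
```

The same check can be run over newly registered domains or certificate transparency entries to surface imitations of a protected brand before they rank in search results.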

Edwards stated that there are no indications of these phishing sites being promoted via email. Rather, it seems that the parties responsible are boosting their visibility by manipulating search engine results when individuals search for these anti-Putin organizations.

In August 2024, security analyst Artem Tamoian shared on Twitter that he noticed significant differences in the search results obtained when looking up “Freedom of Russia legion” on Russia’s primary domestic search engine, Yandex, compared to Google.com. While Google displayed the legitimate website of the legion as the top result, Yandex returned a phishing page targeting the group as its first result.

“I suspect that some of these sites are definitely being promoted through search,” Tamoian remarked regarding the phishing domains. “My initial thread on this scrutinizes Yandex, but beyond Yandex, these sites consistently rank higher than genuine ones on DuckDuckGo and Bing. Initially, I underestimated the scale of this issue. They continue to surface to this day.”

Tamoian, a Russian native who left the country in 2019, founded the cyberspace investigation platform malfors.com. He recently uncovered two additional websites impersonating Ukrainian paramilitary groups — legionliberty[.]world and rusvolcorps[.]ru — and promptly reported them to Cloudflare. Subsequently, Cloudflare took action by blocking these sites and issuing a phishing alert, which revealed the actual Internet address of these sites as belonging to a known “bulletproof hosting” network called Stark Industries Solutions Ltd.

Stark Industries Solutions emerged just before Russia’s invasion of Ukraine in February 2022, suddenly appearing with a substantial number of Internet addresses under its control — many of which were originally allocated to Russian governmental bodies. In May 2024, KrebsOnSecurity published an in-depth assessment of Stark, which has been frequently utilized to host infrastructure for activities such as distributed denial-of-service (DDoS) attacks, phishing, malware distribution, and disinformation efforts by Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, the Supreme Court of Russia categorized the Freedom of Russia legion as a terrorist entity, which means that Russian citizens caught communicating or cooperating with the group could face severe prison sentences ranging from 10 to 20 years.

Tamoian highlighted that individuals searching online for information about these paramilitary groups have become vulnerable targets for Russian security agencies.

“I became interested in these phishing websites as I kept coming across news stories about individuals getting arrested for attempting to join the Ukrainian Army or assist them,” Tamoian disclosed to KrebsOnSecurity. “I’ve seen reports of FSB reaching out to people pretending to be Ukrainian officers, and they also use fake Telegram bots, so I thought fake websites could be another method employed.”

Search results displaying news reports of individuals in Russia receiving lengthy prison sentences for attempting to aid Ukrainian paramilitary groups.

Tamoian mentioned that incidents emerge frequently in Russia where people are apprehended for trying to carry out tasks requested by a “Ukrainian recruiter,” with courts consistently imposing harsh punishments regardless of the defendants’ age.

“These incidents recur often, but usually, there are no specifics on how the individual gets caught,” Tamoian elaborated. “Anything related to state treason or terrorism is classified, so there’s little information available.”

Although he lacks direct proof linking the reported arrests and convictions to these phishing websites, Tamoian firmly believes that the sites are part of a broader Russian government-backed campaign.

“Given that they remain active and continue to spawn new sites, I suspect they might be effective,” he speculated. “They consistently appear at the top of DuckDuckGo and Yandex search results, so unfortunately, they are effective.”

For more information, refer to the Silent Push report, Russian Intelligence Targeting its Citizens and Informants.
