Russian Cyber Espionage Campaign Impersonates CIA to Target Ukrainian Defense Intelligence

Russian state-aligned hackers have launched a sophisticated phishing campaign impersonating the U.S. Central Intelligence Agency (CIA) to steal intelligence from individuals supporting Ukraine’s defense efforts. Discovered by Silent Push Threat Analysts, this operation leverages fraudulent domains and social engineering tactics to compromise targets¹. The campaign aligns with historical Russian cyber operations against Ukraine, including NotPetya (2017) and WhisperGate (2022), which were attributed to GRU-linked groups².

Campaign Technical Analysis

The attackers registered domains mimicking legitimate organizations, including ciagov[.]icu, to host phishing forms distributed via Telegram and email. Targets were prompted to submit personal details under the guise of “security verification” for Ukrainian defense initiatives. Silent Push identified the infrastructure overlaps with UAC-0185, a known Russian threat actor targeting defense sectors with MeshAgent and UltraVNC payloads³.

Key indicators of compromise (IOCs) include:

• Fake TLS certificates issued to domains like cia-verify[.]online
• HTTP redirects to Russian-hosted C2 servers (IPs 91.215.85.XX)
• Use of Google Forms for credential harvesting with Ukrainian-language lures

Historical Context and Attribution

This campaign follows Russia’s established pattern of cyber operations against Ukraine since 2014. The GRU’s Sandworm unit was previously implicated in:

Operation	Impact	Attribution Evidence
NotPetya (2017)	$10B+ global damages	CIA/Five Eyes forensic reports4
VPNFilter (2018)	500,000+ infected devices	BlackEnergy code reuse5

Recent DOJ indictments (2024) against five GRU officers for WhisperGate attacks provide additional context for state-sponsored involvement⁶.

Mitigation Strategies

Organizations should implement:

1. DMARC/SPF email authentication to block spoofed CIA domains
2. Network traffic analysis for connections to Russian ASNs (AS12389, AS8342)
3. User training on identifying Ukrainian-language phishing lures

The Ukrainian SBU recommends air-gapping critical systems and monitoring for UltraVNC/MeshAgent deployments, which have been used in prior intrusions⁷.

Conclusion

This campaign demonstrates Russia’s continued evolution of hybrid warfare tactics, blending cyber espionage with psychological operations. The reuse of infrastructure and TTPs from historical attacks enables defenders to proactively hunt for related activity. Future attacks will likely incorporate AI-generated content, as seen in GRU’s 2023 deepfake phishing experiments⁸.

References

1. “Russian Hackers Impersonate CIA to Steal Ukrainian Defense Intelligence Data,” GBHackers, 2025.
2. “Russian Cyber Operations Targeting Ukraine (2014–2025),” compiled from Cisco Talos, CISA, and DOJ reports.
3. “UAC-0185 Defense Sector Phishing Campaigns,” The Record, 2024.
4. E. Nakashima, “Russian military behind destructive 2017 cyberattack,” Washington Post, 2018.
5. Cisco Talos, “VPNFilter: New Router Malware with Destructive Capabilities,” 2018.
6. U.S. Department of Justice, “Five Russian Military Officers Charged in Cyberattack Campaign,” 2024.
7. Security Service of Ukraine (SBU), “Critical Infrastructure Protection Alerts,” 2024.
8. Mandiant, “GRU’s Use of AI in 2023 Spear-Phishing Operations,” 2023.