Hackers use fear of mobilization to target Russians with phishing attacks

Hackers took advantage of Russian concerns about mobilization to steal credentials through malicious links, according to new research.

In a phishing campaign described by the Russian cybersecurity channel In2security on the messaging app Telegram and confirmed by researchers from antivirus provider Kaspersky Lab, attackers used a phishing website and Telegram bot to collect personal data from Russian users.

The hackers sent out messages on Telegram urging Russians to follow a link to a site that purportedly contained lists of people who could be drafted into the army and sent to fight in Ukraine this February. 

The link was in fact malicious and had to be constantly updated "so that it would not be blocked by the Russian media regulator Roskomnadzor," according to a post on the In2Security channel sent on January 11.


A screenshot of one of the phishing messages: “List of people in Russia who will be mobilized this year. You can check this list and warn your relatives. The link will be constantly updated so that it is not blocked by Roskomnadzor.”

According to In2security, the link leads to a website that hackers have already used to steal Telegram user data. In a previous campaign in early January, scammers asked users to log in to a fake site to vote for the best children's Christmas drawing.

In both campaigns, the hackers constantly redirected users from one link to another in order to hide the main phishing site, the analysis said.

The attackers also created a Telegram bot that asks users to enter personal data, supposedly to check if their names are in the database. The attackers also asked to recommend this bot to at least 10 friends to use it for free.



Screenshots of a Telegram bot that offers Russians to check themselves or their relatives in alleged list for mobilization to fight in Ukraine. Image: In2security

It's unclear how many people were affected by this phishing campaign, but In2security said it was “one of the largest and most sophisticated attacks on Russian Telegram users recently.”

According to Kaspersky Lab, the campaign has been going on for the past few days, luring users into handing over their login details to messengers.

The independent Russian television channel TV Rain reported that it had also received phishing messages. 

Kaspersky Lab's chief expert Sergey Golovanov told Russian state-owned news agency Tass that if users give their data to hackers, they could lose control of their Telegram accounts and have their private messages compromised. Hackers could also send phishing messages on behalf of the compromised users to their contacts in the app.

Russia announced a "partial mobilization" of 300,000 people in September, forcing many of its citizens to flee the country. Ukrainian intelligence services warn that in January the Kremlin is planning a new mobilization wave for up to 500,000 people to participate in hostilities in Ukraine.

News of the mobilization has caused "anxiety, fear, horror" among Russians, according to a poll released in September. People also said they were outraged, shocked, and exasperated by the mobilization.

Hackers play on the emotions engendered by the war in Ukraine.

Earlier in March, Google’s Threat Analysis Group found that financially-motivated groups as well as government-backed actors from China, Iran, North Korea, and Russia were using the war in Ukraine “as a pretext” for phishing attacks.

For example, one threat actor was impersonating military personnel to extort money for rescuing relatives in Ukraine. A Russian-based threat actor, Coldriver, targeted several U.S.-based NGOs, think tanks, the military of a Balkan country, and a Ukrainian defense contractor with credential phishing campaigns.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.