AI Deepfakes Used to Impersonate Secretary Rubio in Targeted Cyber Campaign

AI-generated deepfakes impersonating U.S. Secretary Rubio were used to contact foreign ministers and U.S. officials, with Russian actors suspected in the targeted social engineering campaign.

Russian-linked threat actors are suspected of deploying AI-generated deepfakes to impersonate U.S. Secretary of State Marco Rubio in an ongoing cyber campaign aimed at manipulating government officials. The U.S. State Department issued a warning on Tuesday confirming that multiple foreign ministers and U.S. officials were targeted using synthetic audio and text communications mimicking Rubio’s voice and style.

The incidents occurred in mid-June, when at least five individuals—including three foreign ministers, a U.S. governor, and a member of Congress—were contacted by an unknown actor posing as Secretary Rubio. According to an internal cable, the threat actor used the encrypted Signal messaging app and leveraged AI to craft personalized voicemails and text messages designed to appear legitimate.

“The actor likely aimed to manipulate targeted individuals using AI-generated text and voice messages with the goal of gaining access to information or accounts,” stated the July 3 cable.

Sophisticated Impersonation With Insider Detail

Though names of the targeted officials were not disclosed, the impersonator’s use of State Department branding and apparent insider knowledge raised concerns over the operation’s depth. The attacker demonstrated a strong understanding of official naming conventions, communication styles, and internal documentation typically inaccessible to outsiders.

The campaign follows an FBI warning in May about AI-based vishing and smishing attacks impersonating senior U.S. officials to access accounts or sensitive information. Two of the officials received fake voicemails, and another was texted a direct invitation to connect over Signal.

Prior Deepfake Incidents and Broader Threat Landscape

This is not the first time Rubio has been targeted. Earlier this year, a deepfake video falsely showing him calling to cut Starlink services to Ukraine circulated online and was later debunked by Ukrainian officials. Other State Department personnel have also been targeted in similar impersonation schemes via email.

The State Department said the deepfake campaign posed no direct cyber threat but warned that “information shared with a third party could be exposed if targeted individuals are compromised.”

A previous campaign linked to Russian actors also impersonated U.S. diplomats using spoofed email addresses and official logos to phish Eastern European targets and former diplomats.

“These campaigns typically employ a multi-pronged approach, starting with phishing attacks sent from seemingly legitimate email accounts and escalating to AI-generated deepfake voicemails,” said Steve Cobb, CISO at SecurityScorecard.

Raising the Alarm on Deepfake Threats

Cobb emphasized the importance of secondary verification for messages that appear to come from high-profile individuals. He advised using known phone numbers, verified social media accounts, or third-party confirmation to validate outreach attempts before acting on them.

“We need to evolve toward a default mindset of healthy skepticism in these interactions and adopt a ‘trust but verify’ approach as our standard practice,” he added.

With deepfake tools rapidly improving and lowering the barrier to high-level impersonation, enterprise organizations and public sector entities are facing a growing wave of synthetic identity threats.

To defend against this evolving risk landscape, it is critical not only to maintain secure access protocols but also to have robust data recovery and continuity strategies in place.
