Someone using AI to impersonate Marco Rubio contacted at least five people including foreign ministers, cable says


By Jennifer Hansler

(CNN) — Someone using artificial intelligence to impersonate Secretary of State Marco Rubio contacted at least five people, including three foreign ministers, a US governor, and a member of Congress, “with the goal of gaining access to information or accounts,” a US diplomatic cable said.

The cable advises diplomats worldwide that they “may wish to warn external partners that cyber threat actors are impersonating State officials and accounts.” The impersonation of the top US diplomat is one of “two distinct campaigns” being tracked at the State Department “in which threat actors impersonate Department personnel via email and commercial messaging apps to target individuals’ personal accounts,” the cable, dated last Thursday, advised.

According to the cable, the unknown actor posing as Rubio created an account in mid-June on the messaging platform Signal, using the display name “[email protected],” as part of “an effort to impersonate Secretary of State Rubio.”

“The actor left voicemails on Signal for at least two targeted individuals, and in one instance, sent a text message inviting the individual to communicate on Signal,” said the cable, which was first reported by the Washington Post.

“The actor likely aimed to manipulate targeted individuals using AI-generated text and voice messages, with the goal of gaining access to information or accounts,” it said.

The effort resembled past, previously investigated activity to impersonate senior US officials, the cable said. That activity was under FBI investigation. CNN reported in May that a law enforcement investigation into efforts to impersonate President Donald Trump’s chief of staff, Susie Wiles, was underway.

External partners can report Rubio impersonations to the FBI’s Internet Crime Complaint Center, the cable said. Internally, State Department personnel were advised to report impersonation attempts to diplomatic security.

A State Department spokesperson said the agency “is aware of this incident and is currently investigating the matter.”

“The department takes seriously its responsibility to safeguard its information and continuously takes steps to improve the department’s cybersecurity posture to prevent future incidents,” the spokesperson said Tuesday. “For security reasons, and due to our ongoing investigation, we are not in a position to offer further details at this time.”

The FBI declined to comment.

The second campaign, according to the cable, began in April and involves a “Russia-linked cyber actor” who “conducted a spear phishing campaign targeting personal Gmail accounts associated with think tank scholars, Eastern Europe-based activists and dissidents, journalists, and former officials.”

The cyber actor “posed as a fictitious Department official, inviting targeted users to a meeting and attempting to convince them to link a third-party application to their Gmail accounts” that “would almost certainly grant the actor persistent access to the contents of the users’ Gmail.”

The campaign was highly detailed and the actor “demonstrated extensive knowledge of the Department’s naming conventions and internal documentation,” the cable said.

That hacking activity matches what researchers from Google and the University of Toronto’s Citizen Lab documented last month: a stealthy effort to pose as US diplomats and infiltrate the digital lives of prominent academics and critics of Russia.

One of the targets was Keir Giles, an outspoken expert on Russian influence operations, according to Citizen Lab, a research group at the University of Toronto that investigates hacking efforts aimed at civil society.

In targeting Giles, the hackers used four apparently fake email accounts with a “state.gov” domain to add an air of legitimacy to the correspondence, the Citizen Lab said.

“We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist,” the researchers wrote in their analysis.

The Russia-linked hackers conduct “extensive and patient rapport-building efforts” with their targets, said Gabby Roncone, a security researcher with Google Threat Intelligence Group who has investigated the activity. Google suspects the hackers have ties to an elite group called APT29, which US officials say works at the behest of Russia’s SVR intelligence agency.

“This is a departure from APT29’s previous diplomatic phishing operations. Although APT29 would impersonate legitimate entities in these older phishing operations, their targeting was much wider in scope and often impersonal,” Roncone told CNN.

CNN’s Sean Lyngaas contributed reporting.

This story has been updated with additional reporting.

The-CNN-Wire
™ & © 2025 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
