Threat profileRussian Federation
The Russian Federation's cyber activity can be subdivided into that of state-sponsored APTs and Organized Crime Groups (OCGs). Its state-sponsored units are highly advanced, mature and professionally integrated into its main intelligence services. Next to that, it houses a wide range of proxies and OCGs and cleverly uses such groups for capability development and talent recruitment. The OCGs are primarily concerned with financial gain and ransomware in particular. Russian OCGs dominate the ransomware business, with the vast majority operating from Russian soil.
- Strategic motives: Espionage, information theft, disruption, financial gain
- Strategic goals: Dominating information warfare
- Cyber capabilities: ★★★★☆
- Number of known cyber operations: ★★★☆☆
- Number of APTs: 51
Highly advanced, mature and integrated in intelligence services
Cyber activity from the Russian Federation is characterized by two types of actors. On the one hand, it has multiple stealthy nation state actors that are focused on advancing the state's interests. On the other hand, it houses multiple opportunistic and financially motivated Organized Crime Groups (OCGs) that can be used for capabilities development and recruitment to state-sponsored units.
On the state-sponsored front, there are numerous indicators that point to the Russian Federation's main intelligence services (FSB, GRU & SVR) all having offensive cyber capabilities. However, it is assumed that the GRU (the Federation’s military intelligence service) is responsible for the majority of the nation-state cyber-attacks attributed to the Russian Federation. The Russian Federation is primarily known to use its nation-state level offensive cyber capabilities for gathering intelligence, targeting critical infrastructures, spreading disinformation and for other forms of political interference. Additionally, it is reportingly working on developing means for targeting strategic cyber-physical assets, such as submarines for targeting undersea internet cables or space vehicles for targeting satellites. Domestically, the Russian Federation’s defensive cyber capabilities are focused on controlling information flows, so that information undermining the Russian Federation can be censored. Furthermore, in official policy documents relating to cybersecurity, the Russian Federation primarily describes the need for defensive cyber capabilities in order to protect itself against adversarial actors. In addition, it tries to prevent hostility in cyberspace by trying to advance (inter)national legal frameworks on cyber norms focusing on internet sovereignty. However, these efforts are critically received by western nations, and possibly used as framing for extended domestic surveillance.
Furthermore, despite the Russian Federation having arguably fewer financial resources for developing offensive cyber capabilities than for example the US or China, it actively makes use of state-affiliated proxies that are tasked with advancing the Russian Federation’s interests through cyberspace.  Next to that, the Russian Federation is known to have a large pool of independent ‘patriotic hackers’. It is not entirely clear to what extent such hackers are directed by the state, but their actions are nevertheless in line with the Russian Federation’s strategic interests. Finally, it uses the presence of OCGs on its soil for developing its offensive cyber capabilities and for recruitment to the state's cyber intelligence units. A somewhat older but nevertheless relevant example of cooperation between the Russian government and OCGs is when in 2014, Russian cybercriminals hosted a large-scale botnet, including the GameOver Zeus malware, in order to commit banking fraud and other financial crimes. The Russian government has been accused of 'piggybacking' on exploiting the established access points by the cybercriminals in order to conduct espionage on, amongst other strategic targets, military and intelligence services.
The cyber capabilities of the Russian Federation's second category of APTs, the OCGs, are primarily centered around the development and deployment of ransomware. Russian OCGs dominate the ransomware business, with the vast majority operating from Russian soil. Russian OCGs are highly professionalized and have developed mature business models, such as Ransomware-as-Service, or RaaS. RaaS is a business model in which operations are divided between so-called 'ransomware operators' and 'affiliates'. In this structure, the ransomware operators are tasked with developing the ransomware, whilst the affiliates are the ones who execute the attack and deploy the ransomware. In turn, the ransomware operators get a percentage of the revenue gained from the ransom. In short, the ransomware operators function as the service provider behind the ransomware-attacks, whilst the affiliates are responsible for penetrating and deploying the ransomware at the targets.
The presence of both sophisticated and opportunistic Russian APTs also means that in terms of persistence, actors have conducted both stealthy attacks and noisy attacks. The level of persistence is determined by the type of adversary-victim relationship (whether it is a victim of opportunity or a victim of interest). Although the Russian Federation's criminal groups have become more organized over the years, they do not always need stealthy persistence in their attacks as they are focused on finding opportunities to make money. For Russian intelligence units, stealthy persistence is much more important as they are often tasked with gathering intelligence over long periods or executing strategically placed disruptive attacks when required. A prime example of the Russian Federation's sophisticated cyber capabilities is the SolarWinds hack in 2020 (see case 1). Moreover, the level and sophistication of persistence depends on multiple factors. Elements include how valuable the target is terms of (uniqueness of) information it has access to or possesses itself, how long access to a target is to be exploited and the efforts by the target to detect intrusions and counter persistence.
CASE 1: SolarWinds hack (2020)
In 2020, a widespread supply-chain attack targeting numerous private and public sector networks was discovered. The breach occurred through the software of IT company SolarWinds. Investigations showed that the hackers already infected SolarWinds in October 2019. The hackers were able to spread the malware by hiding it into a routine software update from SolarWinds. Whilst customers thought they did the right thing by executing the software update, it actually executed the malware. There were many victims in both the private and public sector, including cybersecurity firm FireEye, the U.S. Department of the Treasury and the Department of Justice. The attack has been attributed to APT29, a threat actor that has been connected to the Russian Federation's Foreign Intelligence Service (SVR). The Russian Federation, however, denies any involvement in the attack. Nevertheless, the attack is considered to be one of the largest and sophisticated attacks that has been observed to this day.
Strengths, weaknesses, opportunities & threats
- Multiple intelligence agencies with offensive cyber capabilities
- Large arsenal of proxy groups and independent patriotic hackers that contribute to advancing the state’s interest through cyberspace
- Presence of cyber capabilities to target cyber-physical assets
- Highly professionalized Russian OCGs dominating the ransomware landscape
- Lagging behind in information technologies
- Fewer financial resources to invest in cyber than other cyber powers (US and China)
- Using cyber as a means of hybrid warfare against Western influence (mis)using the factor of 'plausible deniability'
- Use of OCGs to develop cyber capabilities and for recruitment to cyber intelligence units
- Gathering strategic intelligence on targets situated in the US, East & Western Europe
- Freedom for OCGs to operate from Russian soil without risking prosecution
- Continuing target for foreign APTs
- Targeted sanctions by the US in reaction to Russian cyber operations
Interactions with other nations
The Russian Federation has a longstanding and volatile relation with the West, marked by completely opposing ideologies. The Russian Federation holds the view that the West is trying to undermine and destabilize the Russian state and therefore wants to stop the expansion of the EU and NATO. For this reason, Russia tries to stop the influence of the West in Eastern Europe. The Russian Federation argues that it has to defend its ‘compatriots’ (individuals with cultural and linguistic ties to the Federation, but living outside its borders) from hostile Western influences in the former Soviet republics. By reasoning this way, it justifies actively interfering and exercising influence in the region, seeing it as part of its ‘re-imperialization process’. A current example is the Russian Federation's invasion of Ukraine, which it does not call an invasion, but rather a justified special military operation.
In Asia, China is an important strategic partner for the Russian Federation. They have the same views on information security and cyber threats. They are both strong proponents for internet sovereignty and have for example actively promoted this in the UN. However, it is unlikely that the two countries would share offensive cyber capabilities, as for both nations cyber capabilities are highly interconnected with their intelligence apparatuses.
The Russian Federation aims to strengthen relations with Latin America, arguably to counter the influence of the US in the region. The Russian Federation is primarily supporting undemocratic regimes by offering military support and training. In return, the Russian Federation gets the opportunity to create strategic sites that are closer to the US to advance its intelligence collection. Nicaragua for example agreed to the Russian Federation building a Global Navigation Satellite System (GNSS) station, which was strategically located in near proximity of the U.S. Embassy there. Furthermore, it actively disseminates disinformation and propaganda focused at spreading anti-West sentiments, with the US as primary adversary. The Russian Federation also helps Latin American countries with evading U.S. sanctions, by providing financial support. There is mutual diplomatic support between the Russian Federation and Latin America, e.g. in the UN.
In Africa, the Russian Federation is also strengthening its ties as a way to advance its strategic agenda. It is mainly focused on involvement on the military front (e.g. with mercenaries and arms deals) and on the political front by spreading disinformation about the West and by keeping authoritarian leaders in power. In this way, the Russian Federation strengthens its global power position and receives support from multiple African countries on the global diplomatic playing field (e.g. in the UN).
Controlling your cybersecurity risks
The Russian Federation’s nation-state activities in cyberspace are centered around advancing political and military goals. The Russian Federation holds the view that it is currently engaged in an information warfare with the West and that it has to counter this by conducting information campaigns. Furthermore, the Russian Federation sees cyberspace as a domain in which military disputes can be settled without crossing the threshold of war.
The Russian Federation primarily uses cyberspace to advance its political and military interests. In order to advance these interests, it conducts both cyber espionage operations on intelligence and military targets, as well as disruptive operations on critical infrastructures and other strategic targets.
The Russian Federation appears to hold the view that all activities of the West in cyberspace are part of an aggressive information warfare aimed at undermining the Federation. Therefore, information dominance must be pursued and – under the header of defending national security – it is allowed to counter these threats by conducting information campaigns against adversaries.  There have been numerous incidents in which Russian actors were accused of election interference and spreading disinformation against such adversaries.
In the military domain, the Russian Federation sees cyberspace as a non-military measure that can be used in military disputes, or ‘hybrid warfare’. The goal of such cyber-attacks is to disrupt the stability of the adversary by attacking strategic targets, such as the energy or transportation sector (see case 2 & 3). Cyber-attacks also fit in the Russian Federation’s strategy, as there is no clear boundary between war and peace, thereby creating the opportunity to destabilize the adversary without committing an act of war. Another reason cyber-attacks are an attractive option for the Russian Federation in conducting warfare, is that it creates the possibility of plausible deniability, as attribution remains extremely difficult in cyberspace.
Activities of Russian OCGs in cyberspace are centered around financial gain. A way in which they try to maximize profits, is by 'Big Game Hunting' (BGH). In BGH, actors do not soley choose their targets based on whether it is easy to break-in, but also look at the size and the value of the target. The goal of this strategy is to identify targets that are most likely to pay the ransom. Another aspect that benefits continuously collecting money, is that in principle, Russian OCGs are protected by the Russian state from any form prosecution. It is expected from OCGs to avoid attacks on so-called 'Commonwealth of Independent States' (former Sovject countries) and to share people and resources with the state. This essentially offers OCGs a Russian safe haven from which to conduct attacks without risking prosecution.
CASE 2: Ukraine power grid hack (2015)
On 23 December 2015, three Ukrainian electricity distribution companies were targeted by a piece of malware called BlackEnergy3, resulting in major power outages in the country.  The SCADA systems were targeted, enabling the hackers to shut down power. Next to that, the hackers also launched a DDoS-attack on the customer service phone lines, trying to prevent customers from reporting the power outage. As a result, around 230,000 Ukrainian citizens had no electricity for one to six hours. It is reported that BlackEnergy3 belongs to ELECTRUM, allegedly a cyberunit of the GRU with a track record of conducting espionage and destructive attacks in line with the interests of the Russian state. The attack was arguably part of a much larger and ongoing military conflict between Russia and Ukraine and was the first to show that power grids can be successfully targeted for disruptive purposes.
CASE 3: wiper malware targeting Ukrainian organizations (2022)
In 2022, the Russian Federation started an invasion Ukraine. A few hours before the operation started, a malware dubbed 'HermeticWiper' targeted multiple Ukrainian organizations. The malware corrupted the data on hunderds of systems at Ukrainian organizations, resulting in the systems being inoperable. A day later, Ukrainian organizations were targeted by another piece of similar malware called 'IsaacWiper'. In March, a third wiper called 'CaddyWiper' had been discovered targeting Ukrainian organizations. It is highly likely that the wipers are deployed by Russian nation state actors. A first indication can be found in the time of the deployment, which was just a couple of hours before the invasion. Furthermore, the timestamp of creation of the HermeticWiper dates back to 28 December 2021, indicating that the attack may have been planned since then.
Advanced Persistent Threats (APTs)
Tactics, Techniques & Procedures (TTPs)
Hunt & Hackett currently tracks 51 Russian APTs. It is assessed that 18 APTs are state-sponsored and that 33 APTs are OCGs (see table 1). The data from the Threat Diagnostic System supports how the geographical and sector focus differs between state-sponsored groups and OCGs. State-sponsored APTs are mainly focused on Europe and the US. This can be explained by the Russian Federation’s view that the information warfare conducted by the West must be countered and that Eastern Europe must be defended against the West through exercising its influence in the region. The geographical focus of OCGs, on the other hand, is more dispersed. This is in line with the general opportunistic behavior of such groups. Russian OCGs are known for their specialization in ransomware and together responsible for most of the ransomware attacks on the western countries. 
|State-sponsored APTs||Organized Crime Groups|
|Number of APTs||18||33|
|Main geographical focus||The US, East & West Europe||Dispersed|
|Main sector focus||Government, defense, energy, political, technology, industrials, media & publishing||Banking & investment services, financial, government, technology, healthcare, basic materials, biotech|
Table 1 - comparison of Russian APTs
State-sponsored – observed countries
OCGs – observed countries
Figure 1 - targeted countries by Russian APTs
Anomalies are based on differences between the Russian Federation and the rest of the actors in the dataset. In other words, anomalies indicate to what extent the Russian Federation has a larger focus on certain countries or sectors when compared to all the actors that Hunt & Hackett tracks. Looking at the anomalies for state-sponsored APTs, it shows that Russian threat actors have a focus on Eastern European countries, with Georgia standing out (see figure 2). This supports the data above, as it was already established that the Russian Federation actively interferes in these countries for regional influence.
Figure 2 - anomalies in the data compared to the global threat landscape (observed countries, state-sponsored APTs)
When looking at the sector focus, again clear differences between state-sponsored groups and OCGs can be identified (see figure 3). State-sponsored groups are mainly focused on strategic targets that can be useful for gathering intelligence relevant to the state or on targets that, when disrupted, can destabilize the country. OCGs are more focused on sectors that hold a lot of money, and/or are more critical to national infrastructure and therefore more inclined to pay when services are down.
State-sponsored – observed sectors
OCGs – observed sectors
Figure 3 - targeted sectors by Russian APTs
Russian state-sponsored APTs appear to have a stronger focus on embassies, NGOs and oil and gas compared to the global picture. This can be explained by Russia actively protecting its economic interests, as well as gathering strategic intelligence and controlling information flows.
Figure 4 - anomalies in the data compared to the global threat landscape (sectors, state-sponsored APTs)
Russian OCGs have traditionally had a strong interest in the financial sectors (see figure 5). This supports the observation that these groups are financially motivated and have an interest in targeting sectors that deal with the money supply of economies and sectors where they gain leverage through disruption of operations. Over the last five years, most of these groups have adopted their tactics to ransomware and expanded their focus to investment services, basic materials, retail and healthcare amongst other more opportunistically targeted sectors.
Figure 5 - anomalies in the data compared to the global threat landscape (sectors, OCGs)
This profile aims to describe the Russian Federation's cyber power from a threat intelligence perspective. For a geopolitical angle of the Russian Federation’s cyber power, see the chapter on the Russian Federation from IISS’s research paper called 'Cyber Capabilities and National Power: A Net Assessment' (downloadable as PDF) on https://www.iiss.org/blogs/research-paper/2021/06/cyber-power---tier-two.
- IISS. Cyber Capabilities and National Power: A Net Assessment.
- The Past, Present, and Future of Russia's Cyber Strategy and Forces.
- NATO Strategic Communications Centre of Excellence. Russia's Strategy in Cyberspace.
- Russia's Westpolitik and the European Union.
- The New York Times. Russian Espionage Piggybacks on a Cybercriminal’s Hacking.
- Sergio Caltagirone, Andrew Pendergast & Christopher Betz. The Diamond Model of Intrusion Analysis.
Our articles covering Russian threats
From Hunt & Hackett experts
Kennissessies: de digitale dreiging, oplossingen en ervaringen in de land- en tuinbouwsector
The SolarWinds attack: A contrarian view and lessons learned
Lights can go out: Espionage & disruption in the energy sector
All hands on deck: Attackers have entered the maritime industry
Agriculture in the crosshairs of nation-state sponsored hackers