Russia Cyber Threat Operations

Russian nation-state cyber actors remain among the most persistent, capable, and strategically aligned threats in the global cyber landscape. Their operations routinely target Western governments, critical infrastructure, defense contractors, and political institutions, using a combination of cyber espionage, advanced malware, and living-off-the-land techniques. These campaigns are characterized by prolonged presence, covert operations, and strategic alignment with Russia’s geopolitical goals, making them especially challenging to detect and mitigate.

A key takeaway from this analysis is that Russian cyber activity is not merely opportunistic; it is intentional and ongoing, designed to maintain persistent access for future disruption, espionage, or influence efforts. Russia’s ability to blend into trusted environments and exploit legitimate platforms significantly raises the threat to national security, essential services, and the private sector.

In the broader risk context, Russia exemplifies the intersection of cyber operations and hybrid warfare, where espionage, sabotage, and geopolitical strategy align. Organizations must prioritize detection and hardening against known Russian tactics, techniques, and procedures (TTPs), particularly those involving credential theft, cloud environment exploitation, and lateral movement, as these remain core elements of Russia’s offensive cyber strategy.

Key Points

  • Who: Russian state-sponsored actors, including APT28 (Fancy Bear), APT29 (Cozy Bear), Sandworm, and Gamaredon.
  • What: Conducted cyber espionage, prepositioned in networks, and launched disruptive operations aligned with Russian geopolitical goals.
  • How: Used spearphishing, credential harvesting, zero-day exploits, cloud service abuse, and stealthy tools like living-off-the-land binaries (LOLBins) and custom malware.
  • Why it matters: These operations are designed not only for data theft but also to maintain persistent access, evade detection, and retain the ability to disrupt critical infrastructure or manipulate information at strategic moments.

Risk Assessment

The NJCCIC has assessed that Russian state-sponsored cyber actors represent a persistent and evolving threat with the demonstrated capability and intent to conduct both intelligence-gathering and disruptive operations. Their activities seriously threaten national security, essential public services, and critical industries.

Recently, these groups have shifted tactics by increasingly targeting cloud infrastructure and identity management platforms such as Microsoft 365. This evolution includes deploying new malware variants designed to evade traditional detection methods, allowing them to infiltrate environments previously considered lower-risk.

Russian actors have a well-documented history of targeting entities across government, critical infrastructure, healthcare, defense, and election systems. The likelihood of exposure or compromise is significantly higher if environments include legacy technology or commonly used third-party platforms. The combination of their strategic intent, advanced techniques, and a sector’s relevance makes proactive defense and visibility into these threat vectors essential.

Timeline of Activity

| Attribution | Start Date | End Date | Location | Sector | Activity |
|---|---|---|---|---|---|
| APT28 (Fancy Bear) | 2007 | Present | Global (US, NATO, and Europe) | Government, Military, and Media | Espionage, election interference, credential theft, hack-and-leak operations |
| APT29 (Cozy Bear) | 2008 | Present | Global | Government, Think Tanks, and NGOs | Cyber espionage, credential harvesting, and supply chain compromises |
| Turla (Venomous Bear) | 2008 | Present | Europe and the Middle East | Government, Military, and Research | Long-term espionage, custom malware, and hijacking satellite infrastructure |
| Berserk Bear (Energetic Bear) | 2010 | Present | Europe and the US | Energy and ICS | ICS reconnaissance, credential harvesting, and infrastructure targeting |
| Gamaredon (Primitive Bear) | 2013 | Present | Ukraine | Government | Phishing, malware, and espionage |
| Sandworm Team | 2014 | Present | Ukraine and Global | Energy, ICS, and Telecom | Destructive malware (NotPetya), ICS attacks, and wiper malware |
| Evil Corp (Indrik Spider) | 2014 | Present | Global | Finance, Retail, and Healthcare | Banking trojans and ransomware deployments |
| Star Blizzard | 2017 | Present | UK, US, and Ukraine | Academia and Government | Credential theft and phishing |
| Shuckworm | 2017 | Present | Ukraine | Government | Using old malware |
| Nobelium (subset of APT29) | 2020 | 2021 | Global | IT, Government, and Supply Chain | SolarWinds compromise, cloud service abuse, and lateral movement |
| NoName057(16) | 2022 | Present | Europe, NATO-aligned States | Government and Media | DDoS operations focused on Finland, Latvia, and Poland; activity spikes during major NATO summits and political votes |
| KillNet (pro-Russian hacktivist) | 2022 | Present | NATO, EU, and US | Government, Healthcare, and Transportation | DDoS attacks on US hospital, Polish rail, and airport websites |
| Fancy Bear | 2022 | Present | Europe and the US | Critical Infrastructure | Compromise of CCTV at transit hubs to monitor Western military aid |
| RomCom | 2024 | Present | Europe and the US | Government, Defense, Energy, Pharma, and Legal | Zero-click exploits via Firefox (CVE-2024-9680) and Windows (CVE-2024-49039), deploying RATs |

Capabilities

  • Advanced Persistent Threats (APTs): Russia maintains multiple state-sponsored groups (APT28, APT29, Sandworm) capable of long-term, covert operations across sectors.
  • Malware Toolsets: Known for deploying malware such as NotPetya, Snake, Drovorub, WellMess, and CosmicDuke.
  • Tradecraft: Uses living-off-the-land binaries (LOLBins), legitimate credentials, and cloud platform abuse (Microsoft 365).
  • Operational Focus: Supports espionage, prepositioning in critical infrastructure, disinformation, and destructive attacks aligned with geopolitical goals.
  • Supply Chain Intrusions: Demonstrated ability to compromise software providers and abuse trusted relationships (SolarWinds, Ukrainian tax software).
  • ICS/OT Disruption: Proven capacity to target and impact operational technology systems (BlackEnergy, Industroyer).
  • Information Warfare: Coordinates cyber operations with disinformation and influence campaigns targeting elections and public opinion.

Key Intelligence Gaps

The NJCCIC has assessed that several intelligence gaps limit a full assessment of the Russian cyber threat landscape. One of the most pressing concerns is whether Russian threat actors are currently positioning themselves within networks to carry out future physical or disruptive attacks, particularly amid ongoing geopolitical tensions and hybrid warfare strategies.

Another critical intelligence gap concerns the development and deployment of new malware strains, particularly malware designed to target industrial control systems (ICS), satellite infrastructure, or emerging space technologies, where visibility remains low.

The degree of coordination between Russian intelligence services and non-state criminal cyber groups (such as ransomware-as-a-service operators) also remains unclear. It is essential to determine how much operational freedom these groups have and whether they receive explicit support or protection from the state. There is also a lack of clarity about whether Russia’s agencies are working together or against each other.

Additionally, there is limited insight into evolving Russian tactics for evading detection, especially in hybrid and multi-cloud environments, where traditional monitoring tools may fall short.

The impact of economic sanctions and wartime constraints on Russia’s cyber strategy and operational capabilities is also poorly understood, leaving a gap in forecasting future shifts in tactics or targeting priorities.

Known Threat Groups

Military Intelligence (GRU)

  • APT28: Fancy Bear, Sofacy, STRONTIUM, Sednit
  • Sandworm Team: BlackEnergy, Voodoo Bear, TeleBots
  • Gamaredon Group: Primitive Bear
  • InvisiMole: Occasionally linked with Gamaredon

Foreign Intelligence Service (SVR)

  • APT29: Cozy Bear, The Dukes, Yttrium, Nobelium

Federal Security Service (FSB)

  • Turla: Snake, Uroburos, Venomous Bear
  • Berserk Bear: Energetic Bear, Crouching Yeti, Dragonfly
  • Krypton: Suspected ties to Turla