Russian nation-state cyber actors remain among the most persistent, capable, and strategically aligned threats in the global cyber landscape. Their operations routinely target Western governments, critical infrastructure, defense contractors, and political institutions, using a combination of cyber espionage, advanced malware, and living-off-the-land techniques. These campaigns are characterized by prolonged presence, covert operations, and strategic alignment with Russia’s geopolitical goals, making them especially challenging to detect and mitigate.
A key takeaway from this analysis is that Russian cyber activity is not merely opportunistic; it is intentional and ongoing, designed to maintain persistent access for future disruption, espionage, or influence efforts. Russia’s ability to blend into trusted environments and exploit legitimate platforms significantly raises the threat to national security, essential services, and the private sector.
In the broader risk context, Russia exemplifies the intersection of cyber operations and hybrid warfare, where espionage, sabotage, and geopolitical strategy align. Organizations must prioritize detection and hardening against known Russian tactics, techniques, and procedures (TTPs), particularly those involving credential theft, cloud environment exploitation, and lateral movement, as these remain core elements of Russia’s offensive cyber strategy.
Key Points
- Who: Russian state-sponsored actors, including APT28 (Fancy Bear), APT29 (Cozy Bear), Sandworm, and Gamaredon.
- What: Conducted cyber espionage, prepositioned in networks, and launched disruptive operations aligned with Russian geopolitical goals.
- How: Used spearphishing, credential harvesting, zero-day exploits, cloud service abuse, and stealthy tools like living-off-the-land binaries (LOLBins) and custom malware.
- Why it matters: These operations are designed not only for data theft but also to maintain persistent access, evade detection, and retain the ability to disrupt critical infrastructure or manipulate information at strategic moments.
Risk Assessment
The NJCCIC has assessed that Russian state-sponsored cyber actors represent a persistent and evolving threat with the demonstrated capability and intent to conduct both intelligence-gathering and disruptive operations. Their activities seriously threaten national security, essential public services, and critical industries.
Recently, these groups have shifted tactics, increasingly targeting cloud infrastructure and identity management platforms such as Microsoft 365. This shift includes deploying new malware variants designed to evade traditional detection methods, allowing them to infiltrate environments previously considered lower-risk.
Russian actors have a well-documented history of targeting entities across government, critical infrastructure, healthcare, defense, and election systems. The likelihood of exposure or compromise is significantly higher if environments include legacy technology or commonly used third-party platforms. The combination of their strategic intent, advanced techniques, and a sector’s relevance makes proactive defense and visibility into these threat vectors essential.
Timeline of Activity
Attribution | Start Date | End Date | Location | Sector | Activity |
APT28 (Fancy Bear) | 2007 | Present | Global (US, NATO, and Europe) | Government, Military, and Media | Espionage, election interference, credential theft, and hack-and-leak operations |
APT29 (Cozy Bear) | 2008 | Present | Global | Government, Think Tanks, and NGOs | Cyber espionage, credential harvesting, and supply chain compromises |
Turla (Venomous Bear) | 2008 | Present | Europe and the Middle East | Government, Military, and Research | Long-term espionage, custom malware, and hijacking satellite infrastructure |
Berserk Bear (Energetic Bear) | 2010 | Present | Europe and the US | Energy and ICS | ICS reconnaissance, credential harvesting, and infrastructure targeting |
Gamaredon (Primitive Bear) | 2013 | Present | Ukraine | Government | Phishing, malware, and espionage |
Sandworm Team | 2014 | Present | Ukraine and Global | Energy, ICS, and Telecom | Destructive malware (NotPetya), ICS attacks, and wiper malware |
Evil Corp (Indrik Spider) | 2014 | Present | Global | Finance, Retail, and Healthcare | Banking trojans and ransomware deployments |
Star Blizzard | 2017 | Present | UK, US, and Ukraine | Academia and Government | Credential theft and phishing |
Shuckworm | 2017 | Present | Ukraine | Government | Using old malware |
Nobelium (subset of APT29) | 2020 | 2021 | Global | IT, Government, and Supply Chain | SolarWinds compromise, cloud service abuse, and lateral movement |
NoName057(16) | 2022 | Present | Europe, NATO-aligned States | Government and Media | DDoS ops focused on Finland, Latvia, and Poland. Activity spikes during major NATO summits and political votes. |
KillNet (pro-Russian hacktivist) | 2022 | Present | NATO, EU, and US | Government, Healthcare, and Transportation | DDoS attacks on US hospital, Polish rail, and airport websites |
Fancy Bear | 2022 | Present | Europe and the US | Critical Infrastructure | Compromise of CCTV at transit hubs to monitor Western military aid |
RomCom | 2024 | Present | Europe and the US | Government, Defense, Energy, Pharma, and Legal | Zero-click exploits via Firefox (CVE-2024-9680) and Windows (CVE-2024-49039), deploying RATs |
Capabilities
- Advanced Persistent Threats (APTs): Russia maintains multiple state-sponsored groups (APT28, APT29, Sandworm) capable of long-term, covert operations across sectors.
- Malware Toolsets: Known for deploying malware such as NotPetya, Snake, Drovorub, WellMess, and CosmicDuke.
- Tradecraft: Uses living-off-the-land binaries (LOLBins), legitimate credentials, and cloud platform abuse (Microsoft 365).
- Operational Focus: Supports espionage, prepositioning in critical infrastructure, disinformation, and destructive attacks aligned with geopolitical goals.
- Supply Chain Intrusions: Demonstrated ability to compromise software providers and abuse trusted relationships (SolarWinds, Ukrainian tax software).
- ICS/OT Disruption: Proven capacity to target and impact operational technology systems (BlackEnergy, Industroyer).
- Information Warfare: Coordinates cyber operations with disinformation and influence campaigns targeting elections and public opinion.
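As an added illustration (not code from the NJCCIC report), the Python detection pass below shows how three of the tradecraft elements listed above, credential theft by password spraying against a cloud tenant, sign-ins over legacy protocols that cannot carry an MFA challenge, and lateral-movement fan-out by a single account, can be surfaced from sign-in and logon records. The records, field names (simplified approximations of Entra ID sign-in and Windows Security 4624 data) and thresholds are constructed for the example and are assumptions to be tuned per environment.

```python
"""Detection pass over constructed sign-in and logon records.

Added example; not code from the NJCCIC report. Field names are simplified
approximations of Entra ID sign-in and Windows Security event data, and the
thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Microsoft 365 sign-in records: one source IP fails against five
# accounts in quick succession and then succeeds (spray), one user signs in
# over IMAP4 (legacy protocol, no MFA), the rest is ordinary activity.
SIGNINS = [
    {"ts": "2025-03-01T08:00:00", "user": "alice@example.org", "ip": "203.0.113.5", "ok": False, "proto": "Browser"},
    {"ts": "2025-03-01T08:03:00", "user": "bob@example.org", "ip": "203.0.113.5", "ok": False, "proto": "Browser"},
    {"ts": "2025-03-01T08:06:00", "user": "carol@example.org", "ip": "203.0.113.5", "ok": False, "proto": "Browser"},
    {"ts": "2025-03-01T08:09:00", "user": "dave@example.org", "ip": "203.0.113.5", "ok": False, "proto": "Browser"},
    {"ts": "2025-03-01T08:12:00", "user": "erin@example.org", "ip": "203.0.113.5", "ok": False, "proto": "Browser"},
    {"ts": "2025-03-01T08:14:00", "user": "erin@example.org", "ip": "203.0.113.5", "ok": True, "proto": "Browser"},
    {"ts": "2025-03-01T09:00:00", "user": "frank@example.org", "ip": "198.51.100.7", "ok": False, "proto": "Browser"},
    {"ts": "2025-03-01T09:10:00", "user": "grace@example.org", "ip": "198.51.100.9", "ok": True, "proto": "IMAP4"},
    {"ts": "2025-03-01T09:30:00", "user": "alice@example.org", "ip": "192.0.2.10", "ok": True, "proto": "Browser"},
]

# Constructed Windows Security 4624 (logon type 3, network) summaries: a
# service account fans out to four servers in six minutes; jdoe is routine.
LOGONS = [
    {"ts": "2025-03-01T10:00:00", "user": "svc-backup", "src": "WS-17", "dst": "FS-01"},
    {"ts": "2025-03-01T10:02:00", "user": "svc-backup", "src": "WS-17", "dst": "FS-02"},
    {"ts": "2025-03-01T10:04:00", "user": "svc-backup", "src": "WS-17", "dst": "DC-01"},
    {"ts": "2025-03-01T10:06:00", "user": "svc-backup", "src": "WS-17", "dst": "HR-SRV"},
    {"ts": "2025-03-01T10:00:00", "user": "jdoe", "src": "WS-03", "dst": "FS-01"},
    {"ts": "2025-03-01T11:00:00", "user": "jdoe", "src": "WS-03", "dst": "FS-01"},
]

# Protocols that cannot carry an MFA challenge; a successful sign-in over any
# of them deserves a ticket regardless of who the user is.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP Auth", "Exchange ActiveSync"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def _fanout(events, min_distinct, window):
    """Return the set of distinct values seen within `window` of some event
    once that set reaches `min_distinct`, else None. Events are
    (timestamp, value) pairs; the window slides from each event forward."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        seen = {v for t, v in events[i:] if t - t0 <= window}
        if len(seen) >= min_distinct:
            return seen
    return None


def detect_password_spray(records, min_accounts=5, window=timedelta(minutes=30)):
    """Source IPs whose failed sign-ins hit at least `min_accounts` distinct
    accounts inside `window`: the low-and-slow credential-theft pattern."""
    by_ip = defaultdict(list)
    for r in records:
        if not r["ok"]:
            by_ip[r["ip"]].append((_parse(r["ts"]), r["user"]))
    hits = {}
    for ip, events in by_ip.items():
        users = _fanout(events, min_accounts, window)
        if users:
            hits[ip] = len(users)
    return hits


def detect_legacy_auth(records):
    """Successful sign-ins over protocols that bypass MFA."""
    return [(r["user"], r["proto"], r["ip"])
            for r in records if r["ok"] and r["proto"] in LEGACY_PROTOCOLS]


def detect_lateral_fanout(logons, min_hosts=4, window=timedelta(minutes=10)):
    """Accounts that authenticate to at least `min_hosts` distinct hosts inside
    `window`: one account sweeping across servers is a lateral-movement signal."""
    by_user = defaultdict(list)
    for e in logons:
        by_user[e["user"]].append((_parse(e["ts"]), e["dst"]))
    hits = {}
    for user, events in by_user.items():
        hosts = _fanout(events, min_hosts, window)
        if hosts:
            hits[user] = sorted(hosts)
    return hits


def run_all():
    return {
        "password_spray": detect_password_spray(SIGNINS),
        "legacy_auth": detect_legacy_auth(SIGNINS),
        "lateral_fanout": detect_lateral_fanout(LOGONS),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

The three detectors share one sliding-window helper because password spraying and lateral movement are the same shape from the defender's side: one pivot (a source IP, an account) touching many distinct targets in a short time. Thresholds of five accounts in thirty minutes and four hosts in ten minutes are deliberately loose starting points; in production they are tuned against a baseline, and the legacy-protocol check is usually made moot by blocking those protocols at the tenant rather than alerting on them.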
Key Intelligence Gaps
The NJCCIC has assessed that several intelligence gaps limit a full assessment of the Russian cyber threat landscape. One of the most pressing concerns is whether Russian threat actors are currently positioning themselves within networks to carry out future physical or disruptive attacks, particularly amid ongoing geopolitical tensions and hybrid warfare strategies.
Another critical intelligence gap concerns the development and deployment of new malware strains, particularly malware designed to target industrial control systems (ICS), satellite infrastructure, or emerging space technologies, where visibility remains low.
The degree of coordination between Russian intelligence services and non-state criminal cyber groups (such as ransomware-as-a-service operators) also remains unclear. It is essential to determine how much operational freedom these groups have and whether they receive explicit support or protection from the state. There is also a lack of clarity about whether Russia’s agencies are working together or against each other.
Additionally, there is limited insight into evolving Russian tactics for evading detection, especially in hybrid and multi-cloud environments, where traditional monitoring tools may fall short.
The impact of economic sanctions and wartime constraints on Russia’s cyber strategy and operational capabilities is also poorly understood, leaving a gap in forecasting future shifts in tactics or targeting priorities.
Known Threat Groups
- APT28: Fancy Bear, Sofacy, STRONTIUM, Sednit
- Sandworm Team: BlackEnergy, Voodoo Bear, TeleBots
- Gamaredon Group: Primitive Bear
- InvisiMole: Occasionally linked with Gamaredon
Foreign Intelligence Service (SVR)
- APT29: Cozy Bear, The Dukes, Yttrium, Nobelium
Federal Security Service (FSB)
- Turla: Snake, Uroburos, Venomous Bear
- Berserk Bear: Energetic Bear, Crouching Yeti, Dragonfly
- Krypton: Suspected ties to Turla