A Playbook for Winning the Cyber War: Part 2: Evaluating Russia’s Cyber Strategy

Julia Dickson and Emily Harding | 2025.09.04

The principal goals driving Russia’s cyber strategy across the spectrum of conflict are clear: disruption, destruction, and control of information. Russia is a leader in cyber activity, and its cyber operations pose a serious threat to the United States and its allies.

Overview of Russia’s Cyber Playbook

The principal goals driving Russia’s cyber strategy across the spectrum of conflict are clear: disruption, destruction, and control of information. Russian actors perpetrated the earliest known cyberattacks, and Russia has continued to be a leader in cyber activity.

Moscow views cyber operations and information operations as indivisible. As a result, Russia’s targets include government networks for the purposes of espionage, critical infrastructure for operational preparation of the environment (OPE), and communication mechanisms to manipulate the psyche of an adversary’s population. To describe its activities in cyberspace, Moscow employs the term informatsionnoe protivoborstvo (IPb), which roughly translates to “information confrontation.” IPb describes a much broader range of activities than Western conceptions of “cyberwar.” As the NATO Strategic Communications Centre of Excellence describes it, “More than any other country, Russia attempts to achieve cognitive effects when conducting cyber operations.” While this project focuses more on cyber operations than on information operations, one central finding of the research is that U.S. adversaries—Russia in particular—view these operations as inseparable.

The strengths and weaknesses of Russian cyber strategy have been made evident by its war in Ukraine. As Washington and London warned Kyiv and other European capitals that a full-scale Russian invasion of Ukraine looked likely, a hidden war was beginning in the cyber domain. Before the invasion began, Russia was retreading tools used in previous attacks on Ukraine to undermine the basic functioning of Ukrainian society. Russian-affiliated cyber actors went after oil and gas companies, banks, and the websites of the Ukrainian Ministry of Defence. When the conflict shifted from OPE to open war, Russia’s efforts refocused on government targets, communication infrastructure, power, and media.

But few disastrous effects materialized. The apparent lack of disruption was not from a lack of Russian effort. This time, Ukraine was ready, and its defenses proved potent. Ukraine had suffered from Russian aggression in the cyber domain for years and was aware of the need for resilience. Therefore, Kyiv had created redundant internet infrastructure, trained talented cyber defenders, and recruited allies in Western governments and technology companies. Professionals at Microsoft, Mandiant, and other firms sat (virtually and literally) side by side with Ukrainian defenders, limiting damage and restoring critical systems.

In many ways, Russia’s war against Ukraine is a unique case that could provide false reassurance that a cyber conflict between Moscow and the United States would be inconsequential. That hope would be misplaced. The United States and its allies have not prioritized developing resilient systems to the same degree Ukraine has, and they do not have the years of practice defending against Russian attacks that Ukraine has. The Microsoft Digital Defense Report 2023, for instance, found that 48 percent of Russian state and state-affiliated cyberattacks were against Ukrainian institutions, a phenomenon that Ukraine has been grappling with since the period preceding Russia’s illegal annexation of Crimea in 2014. Some analysts also argue that Russia has refrained from using all of its capabilities to conduct large-scale cyberattacks against Ukraine, and Moscow has certainly learned lessons from its successes and failures on the cyber battlefield in Ukraine as well. Further, Russia’s 2021 National Security Strategy emphasizes using advanced technologies such as artificial intelligence (AI) and quantum computing as multipliers for its cyber capabilities. Now, and increasingly as these capabilities come online, Russian cyber operations pose a serious threat to the United States and its allies.

Core Elements of Russia’s Strategy

Russia notably does not use the terms “cyber” (kiber) or “cyber warfare” (kibervoyna) when referring to its actions in cyberspace. Rather, Russia uses these terms only when talking about Western threats and activities. To describe its own activities, Russia uses the term “information confrontation,” or IPb, which the Russian Ministry of Defence’s Military Encyclopedia defines as “the clash of national interests and ideas, where superiority is sought by targeting the adversary’s information infrastructure while protecting its own objects from similar influence.”

IPb covers a much broader range of activities than Western conceptions of cyber conflict. Importantly, it is not limited to wartime but rather is carried out continuously. The 2016 Doctrine of Information Security of the Russian Federation defines this domain as

a combination of information, informatization objects, information systems and websites within the information and telecommunications network of the Internet . . . communications networks, information technologies, [and] entities involved in generating and processing information, developing and using the above technologies, and ensuring information security, as well as a set of mechanisms regulating public relations in the sphere.

In other words, Moscow views all elements of the cyber domain—governmental, personal, and corporate—as potential assets (or threats to its security) in a conflict. Due to the breadth of activities included, Russian military scholars divide IPb into two main subcategories: informational-technical confrontation and informational-psychological confrontation. The informational-technical aspect is largely comparable to Western conceptions of cyber warfare and involves attempts to gain access to, disrupt, or damage enemy computers or information networks. This aspect includes cyber espionage, malware, denial-of-service (DoS) attacks, distributed-denial-of-service (DDoS) attacks, and supply chain attacks.

Informational-psychological confrontation has no single parallel concept in Western cyber doctrine. The Russian Ministry of Defence’s Military Encyclopedia defines it as influencing “the enemy’s information resources, the consciousness and feelings of their military personnel and population, as well as a set of measures to protect one’s own information and psychological resources.” It includes efforts to influence an enemy’s population and military forces by shaping the enemy’s perceptions and manipulating their thoughts and behavior. The eventual goal of informational-psychological confrontation might be to force the enemy population to support the aggressor or to “prolong internal deliberations on policy decisions within the adversary state.” Russia’s activity in this space has broad implications for the West since the United States and its allies value free speech highly and have been slow to recognize this as an area of vulnerability. In the remainder of this chapter, the terms “IPb,” “information warfare,” and “information doctrine” encompass both informational-technical and informational-psychological confrontation and reflect Russian thinking on the subject, though most of the focus will be on informational-technical warfare.

How Cyber Strategy Fits into Foreign Policy

Russia views IPb as both a means of achieving its strategic and political objectives and as a threat emanating from the West. The Kremlin’s actions are shaped by a belief that it is already in an information war with the United States and its allies. As former Russian Defense Minister Sergei Shoigu highlighted, Moscow believes “Western countries, led by the United States, have unleashed an absolutely unprincipled information war against Russia.” As a result, Russia’s defining approach to information warfare could be described as adhering to the adage “the best defense is a good offense,” combined with a near-paranoid view of the need to protect the domestic information space.

Because Moscow portrays itself as constantly under attack from the West, it describes its information strategy as entirely defensively oriented. A 2022 study by the RAND Corporation shows that Russia’s “doctrinal publications omit offensive actions, instead emphasizing defensive and collaborative measures, even legal frameworks and partnerships to prevent aggression.” Russia’s 2016 Information Security Doctrine clearly reflects this focus on a pervasive threat and defensive measures: “Intelligence services of certain States are increasingly using information and psychological tools with a view of destabilizing the internal political and social situation in various regions across the world, undermining sovereignty and violating the territorial integrity of other States.”

As a result of the perceived threat emanating from the West, Moscow emphasizes the need to protect its domestic information environment and ensure what Russia refers to as “digital sovereignty.” Following a series of events—including the Arab Spring uprisings, protests against Russian President Vladimir Putin in 2011 and 2012, and the Edward Snowden leaks in 2013—Moscow’s fear of the internet and Western online interference accelerated. As a result, Russia began to take steps to tighten its grip on the Russian-language information space, dubbed RuNet. In 2012, the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) started maintaining a centralized internet blacklist, which Russian internet service providers use to manage Russia’s firewall. The blacklist covers territories where Russia has a significant presence, such as Belarus and all Russian-occupied territories, like eastern Ukraine. Since then, the Russian government’s tactics to isolate the internet within Russia have grown increasingly aggressive and have included blocking foreign media.

Russia also uses IPb to further its strategic goals during peacetime. According to the 2010 Military Doctrine of the Russian Federation, a key feature of modern military conflict is the “prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force.” The Kremlin thus views IPb as a tool that can and should be used against countries not engaged in a direct armed conflict with Moscow. For example, Russian government actors hit Montenegro with a series of cyberattacks in 2016 and 2017 as Montenegro drifted away from Moscow—its former ally—and voted to join NATO. The 2016 attack targeted state digital infrastructure on election day, while the 2017 attack was a direct response to Montenegro joining NATO. Since that time, Moscow has continuously “used cyberattacks . . . to redirect Podgorica toward its influence,” including a massive attack in 2022 that crippled state-run transportation services and water and electricity systems.

Similarly, Moscow uses IPb to raise fear and stoke instability in enemy populations. These cyber actions remain below the threshold of acts of war, which minimizes retaliatory responses, particularly from Western countries that do not have similar conceptions of cyber and information warfare and the use of these tools during peacetime. For instance, in 2017, a spear-phishing campaign attributed to the Russian government targeted French President Emmanuel Macron’s campaign team. Moscow stole and leaked gigabytes of data, but the Russian campaign was unsuccessful in that it did not affect the election results or antagonize French society. Nevertheless, the attack is a clear example of Moscow attempting to sow doubt in the electoral process and raise questions about France’s stability.

Further, Moscow believes IPb can be a tool to prevent armed confrontation. According to a NATO Defense College report, “Senior Russian officers have suggested that information effects . . . can in some cases replace armed intervention altogether.” Russian conceptions of “strategic deterrence” (sderzhivanie strategicheskoe) also highlight this concept. The Russian Ministry of Defence’s Military Encyclopedia defines strategic deterrence as “a coordinated system of forceful and non-forceful measures taken consecutively or simultaneously by one side in relation to another to keep the latter from any military actions that inflict or may inflict damage on the former on a strategic scale.” While not explicitly stated, IPb certainly falls under nonmilitary interventions and is therefore an important tool to prevent armed confrontation, especially in Moscow’s strategy toward adversaries with stronger conventional capabilities, such as the United States and other NATO partners.

Additionally, as seen in Russia’s cyber operations in Ukraine and Georgia, IPb plays a critical role in Moscow’s strategy during a kinetic conflict. Disabling critical infrastructure such as energy, transport, and command and control “can dramatically weaken an adversary’s fighting capabilities” and thus help bridge the gap between Moscow’s capabilities and the capabilities of its adversaries. These cyber operations also have a psychological component aimed at keeping the adversary government distracted and affecting the psyche of the enemy population.

The 2008 war between Russia and Georgia is often cited as the first time that a nation used cyber operations in tandem with military action. In August 2008, Russian troops invaded Georgia. Weeks before the kinetic conflict began, Russian hackers launched a “rehearsal” DDoS attack that took down numerous government websites, such as that of the Georgian president, for almost 24 hours. Following the invasion, Russian hackers continued their attacks on an expanded list of targets in Georgia, including additional government sites, financial and educational institutions, and Western media sites such as CNN and BBC. Georgian authorities blamed Russia broadly for the attacks, but Moscow denied the claims. The attacks have since been widely attributed to Russian hacktivist groups that are suspected to have coordinated closely with the government.

The speed of the cyberattacks in Georgia suggests that reconnaissance took place well in advance of the attacks and the invasion. Cyber forces were prepositioned before the outbreak of kinetic conflict, meaning cyber actors had some degree of advance planning. The attacks also carefully avoided targets that would cause physical damage, despite likely having access to supervisory control and data acquisition (SCADA) systems that could have damaged critical infrastructure; this demonstrates that the Kremlin is selective about the accesses it chooses to exploit.

Since 2008, Russia has continued to combine cyber operations with military action. For instance, the lead-up and period immediately following Russia’s illegal annexation of Crimea in 2014 saw sustained cyberattacks. Russian threat actors conducted widespread cyber espionage on a series of Ukrainian targets and DDoS attacks against government websites and media, and the Kremlin continued its cyberattacks against Ukraine “in parallel with protracted military confrontation in the Donbas.” Similarly, Russia used cyber operations to support its 2022 full-scale invasion of Ukraine.

How Russia Approaches Deniability

Russia’s activities in cyberspace fall into two categories: (1) operations intended to create high-profile effects while providing some deniability to Moscow, and (2) operations intended to remain clandestine while achieving long-dwell espionage effects or while prepositioning for future attacks.

The first category includes Russian operations that aim to cause immediate disruption. Cyberattacks such as the 2007 DoS attacks on Estonian critical infrastructure, the 2015 and 2016 attacks targeting the Ukrainian power grid, and the 2018 attack on the Winter Olympics, for example, purposefully drew immediate attention while somewhat hiding Moscow’s hand. Throughout this time, Russia’s Main Intelligence Directorate (GRU) took on a more high-profile role in cyberattacks, bringing with it “‘a culture of aggression and recklessness’ and a ‘high tolerance for operational risk’ that was unusual in the cyber domain.” In the heat of kinetic conflict such as the current war in Ukraine, Moscow issues weak denials of its disruptive cyber activities.

Russia also uses its vast and opaque network of nongovernmental cyber actors to maintain a level of plausible deniability. This category of actors includes cybercriminals, patriotic hackers, and proxy organizations and front companies, which all receive varying amounts of support from the Kremlin. Moscow has differing levels of control over these groups, making it difficult for policymakers to determine the government’s true degree of involvement and calculate an appropriate response.

Moscow has also engaged in sophisticated long-term clandestine campaigns. These types of operations tend to be aimed at espionage—creating a long-term, quiet presence that can consistently deliver intelligence—or at creating a penetration that could be weaponized later. Sometimes the same exploit can deliver both. For instance, the 2020 SolarWinds compromise went undetected for at least nine months. During that time, the Kremlin stole the data of thousands of individuals and multiple federal agencies.

In another instance, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in 2018 highlighting that Russian actors had been targeting government entities and critical infrastructure sectors since at least 2016. The victims included both staging and intended targets: Russian cyber actors gained initial access to the less secure networks of staging targets and then used them as “pivot points and malware repositories when targeting their final intended victims.” After gaining access to the intended targets, Russian actors conducted reconnaissance operations, moved laterally, and gathered information about industrial control systems (ICSs) and SCADA systems. These Russian cyber actors were “positioning themselves for a limited or widespread attack,” according to Michael Carpenter, former deputy assistant secretary of defense.

Implementation: Campaigns or Opportunism?

The Kremlin sets long-term strategic goals. Then, this “commander’s intent” funnels into particular campaigns with clear objectives. However, the targets of cyber operations within these campaigns are largely opportunistic—chosen because they feature a combination of alignment with a Kremlin objective and a critical security vulnerability. For example, Putin’s strategic intent is clearly to undermine democracy in NATO nations. Russia has staged campaigns with this intent during the 2017 French and Dutch elections, both of which featured a far-right antiestablishment candidate likely to cause intense controversy. These opportunities are fragile, momentary alignments where a useful target has a security flaw. Those opportunities are attacked by operators from intelligence agencies, military units, arms-length contractors, and criminal groups temporarily pressed into service.

Attacks in Ukraine by different Russian threat actors have exemplified the same pattern. During the few weeks before and immediately following Russia’s invasion, Moscow conducted a campaign to disrupt command and control infrastructure, interfere with banking, take over social media accounts, and spread fake news. However, after this initial campaign culminated and energy shifted to kinetic warfare, cyber activity waned dramatically. Russia seemed to pursue opportunistic goals over the next several months as it likely worked to refresh its cyber tool kit.

Moscow is also known to partake in opportunistic attacks against its adversaries that appear to be one-off retaliatory efforts. For example, in April 2015, a state-affiliated threat group—almost certainly the GRU—shut down 12 French television networks. The hackers shut down broadcasting with destructive malware and hijacked the network’s website and social media. They posted jihadist propaganda, posing as supporters of the Islamic State and calling themselves the Cyber Caliphate. The attack began in January 2015, two months after the French government canceled the sale of two warships to Russia in protest over Russian aggression toward Ukraine. While the reason for the attack has not been definitively established, it appears to have been opportunistic—likely a statement of revenge—rather than part of a larger campaign.

In particular, DDoS attacks by hacktivist groups have been extremely opportunistic, not very sophisticated, and minimally damaging. For example, in August 2022, Russian hacktivist group Killnet claimed responsibility for more than 200 DDoS attacks against institutions across Estonia. Estonian authorities said they repelled the attacks, and for the most part websites remained available “with some brief and minor exceptions.” These attacks, however, served a purpose. If a group successfully takes a government site down—even for just two minutes—it can take a screenshot and use its success to recruit talent. The attacks also work to affect the psyche of the target population and thus potentially help Russia’s cause.

There are a few public instances of Moscow carrying out long-term, persistent presence operations as part of a sustained campaign. For instance, in December 2015, the Russian hacking group Voodoo Bear attacked Ukrainian power distribution companies and caused a power outage for more than 230,000 residents in western Ukraine. This operation began as early as May 2014 with phishing emails and reconnaissance, through which Voodoo Bear was able to install the Trojan malware BlackEnergy 3 on utility companies’ systems. Voodoo Bear also tried a series of methods to extend blackouts—for instance, by carrying out a DoS attack against one company’s call center and tampering with equipment at another to slow recovery operations. This attack was carefully planned over a series of months, and it served as a learning opportunity for future attacks on the Ukrainian power grid.

Organization of Capabilities

Who Are the Fighters?

Moscow capitalizes on a talented set of government security services and a cadre of ostensibly private citizens to further its foreign policy goals. In government, no single Russian security or intelligence agency has sole responsibility for cyber operations, and observers have noted that coordination between cyber units is weak. This structure “contributes to competition among the agencies for resources, personnel, and influence” and may be why the units sometimes conduct similar operations “without any apparent awareness of each other.” The GRU, Federal Security Service (FSB), and Foreign Intelligence Service (SVR) all have capable internal offensive cyber groups with varying levels of tradecraft.

Figure 1: Russian Offensive Cyber Actors. Source: CSIS research.

MAIN INTELLIGENCE DIRECTORATE (GRU)

The GRU is Russia’s military intelligence agency and has orchestrated some of Russia’s most notorious high-profile cyberattacks. The GRU has demonstrated a willingness to conduct brazen and aggressive operations and has not necessarily attempted to maintain operational security or secrecy. GRU units responsible for cyberattacks include Fancy Bear (GRU 85th Main Special Service Center, Unit 26165), Voodoo Bear (GRU Main Center for Special Technologies, Unit 74455), and Ember Bear (unit not public). GRU Unit 54777 (72nd Special Service Center, Foreign Information and Communication Service) is responsible for the GRU’s psychological operations, which include disinformation and information operations.

Fancy Bear

Table 1: Aliases of Fancy Bear

Fancy Bear is generally given credit for a long list of high-profile government and government-adjacent hacks, including attacks on the German parliament in 2014; French television station TV5Monde, the White House, and NATO in 2015; the Democratic National Committee (DNC) in 2016; and the International Olympic Committee in 2018. According to a 2017 special report by FireEye, Fancy Bear has “engaged in extensive operations in support of Russian strategic interests” since at least 2007. In December 2016, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint analysis report that linked Fancy Bear to Russian civilian and military intelligence services, and the United States identified Fancy Bear in a 2018 indictment as the GRU 85th Main Special Service Center (GTsSS), military unit 26165.

Fancy Bear typically targets NATO countries, with particular emphasis on attacking foreign governments, defense and aerospace sectors, research and financial institutions, and global media outlets. It is best known for using spear phishing to target individuals as well as registering domains that resemble those of legitimate organizations to establish phishing sites and harvest credentials. The threat group has dedicated considerable time to developing and updating malware, including DownRange, Foozer, WinIDS, XAgent, and X-Tunnel, and it has been known to exploit zero-day vulnerabilities. After compromising an organization, Fancy Bear steals data, which it eventually leaks to further Russian political interests.

Fancy Bear is responsible for the following notable cyberattacks:

  • Perhaps the most well-known Fancy Bear attacks targeting the United States are the 2016 breaches of the DNC and the presidential campaign of Hillary Clinton. The group stole thousands of documents, including “internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees.” Shortly after the breach was announced, an online persona identifying itself as Guccifer 2.0 and claiming to be a Romanian hacker leaked documents and emails.

  • In September 2016, the World Anti-Doping Agency (WADA) confirmed that Fancy Bear had compromised its networks and obtained athlete medical data (see image below). The data specifically revealed drug test results and “therapeutic use exemptions,” or situations in which WADA allows athletes to use banned substances to treat legitimate medical conditions. Some commentators viewed the incident as Russian retaliation for a WADA report that suggested Russia should be banned from the Rio Olympics for systematic doping of Russian athletes.

Voodoo Bear

Table 2: Aliases of Voodoo Bear

Voodoo Bear is responsible for some of Russia’s most brazen and destructive cyberattacks. The group is best known for targeting critical infrastructure, including the energy, financial, and transportation sectors, and is responsible for the first confirmed cyber operation to successfully target a power grid and cause power outages. The group appears to disregard or ignore the unintended effects of its attacks, as seen in the NotPetya malware that caused over $10 billion of damage globally and affected more than 60 countries.

Voodoo Bear has been active since at least 2009, and in October 2020, the U.S. Department of Justice (DOJ) indicted six officers operating under the GRU’s Main Center for Special Technologies (GTsST) Unit 74455 for numerous attacks that cybersecurity researchers tied to Voodoo Bear. According to a DOJ press release about the indictment, the attacks were

intended to support Russian government efforts to . . . destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag.

A 2022 CISA report confirmed that Voodoo Bear is GTsST Unit 74455. The group is responsible for the following notable cyberattacks:

  • In December 2015, Voodoo Bear hacked the power grid in two western oblasts in Ukraine, leaving over 200,000 people without electricity. In 2016, the group attacked the grid in Kyiv, which left residents in the northern part of the capital without electricity. In 2022, Voodoo Bear hackers again targeted the Ukrainian power grid, causing a temporary power outage using a novel technique. The threat group first attacked the victim’s operational technology and then deployed a new variant of CADDYWIPER malware to the critical infrastructure organization’s IT environment.

  • In June 2017, the NotPetya malware attack targeted MeDoc, a tax-processing service in Ukraine. The malware soon spread globally and caused significant damage to countries and businesses outside of Ukraine. In the United States, the attack shut down a pharmaceutical manufacturer and affected the medical record systems of dozens of hospitals. The attack is estimated to have caused more than $10 billion in damage.

  • In February 2018, Voodoo Bear deployed a destructive malware known as Olympic Destroyer, which caused technology issues during the opening ceremony of the Olympics in South Korea. The attack disrupted internet access and telecasts, shut down the official website of the Olympics, prevented spectators from printing out reservations and attending the ceremony, and grounded broadcasters’ drones.

Ember Bear

Table 3: Aliases of Ember Bear

Ember Bear is a relatively new advanced persistent threat (APT) group that has been active since at least 2020. In a January 2021 blog post, Microsoft Threat Intelligence links Ember Bear to the GRU and asserts that Ember Bear is independent from Fancy Bear and Voodoo Bear. While a March 2022 CrowdStrike blog post similarly confirms that Ember Bear is distinct from Fancy Bear and Voodoo Bear, it does not formally attribute the group to the GRU, although it notes that the group’s “target profile, assessed intent, and their technical tactics, techniques, and procedures (TTPs) are consistent with other GRU cyber operations.”

Ember Bear mainly targets Ukraine, but it has also attacked entities in Europe, Latin America, Central Asia, and NATO member states that provide military aid to Ukraine. The group attacks government services, law enforcement, nongovernmental organizations (NGOs), emergency services, and information technology (IT) service providers, but according to Microsoft, the group’s operations are “comparatively less prolific in both scale and scope to more established threat actors” such as Fancy Bear or Voodoo Bear. After Ember Bear infiltrates networks—typically by exploiting vulnerabilities in web, Confluence, and Exchange servers—the threat group gathers data before engaging in disruptive actions. For example, in January 2022, a month before Russia invaded Ukraine, Ember Bear deployed WhisperGate, a malware that overwrites master boot records, against Ukrainian government organizations. Microsoft found data exfiltrated from these hacks on a Tor .onion site called Free Civilian.

Information Operations Troops

Separate from the cyber operations units, Moscow has a host of troops engaged in information operations. In a 2017 speech to the Russian parliament, Defense Minister Shoigu referenced the existence of the Information Operations Troops (Voyska Informatsionnykh Operatsiy, or VIO). Reports indicate that the VIO has an “emphasis on information assurance, counterpropaganda, and psychological operations—much less on technical efforts.” The VIO has an estimated 1,000 total troops across 12 to 14 units.

One such unit is GRU Unit 54777, also known as the 72nd Main Intelligence Information Center, which operates at the center of the Russian military’s psychological warfare capacity. In 2021, the U.S. Department of the Treasury confirmed that the 72nd Main Intelligence Information Center is a unit in Russia’s Information Operations Troops. It also has several front organizations, financed through government grants and run covertly, that spread false conspiracy narratives and disinformation. The two best-known organizations are InfoRos and the Institute of the Russian Diaspora.

According to Western intelligence officials, Unit 54777 has worked alongside GRU cyber units throughout their operations since at least 2014. Unit 54777 is known to complement “cyberattacks with digital information operations through proxies and front organizations.” For example, before the annexation of Crimea in 2014, Unit 54777 sent advisers to Russia’s various military branches and split 80 specialists among five sections: mass media, teleradio broadcasts, psychological and information operations, editorial publications, and the Center for Foreign Military Information. Similarly, Unit 54777 likely worked with Fancy Bear in the Cyber Caliphate operations to hijack U.S. Central Command’s Twitter and take France’s TV5Monde off the air in 2015.

FEDERAL SECURITY SERVICE (FSB)

The FSB is Russia’s primary domestic security agency responsible for counterterrorism, internal and border security, and information security. It also engages in foreign intelligence collection and offensive cyber operations. The FSB is tasked with protecting Russia’s cyberspace and monitoring domestic criminal hackers, a task shared with the Ministry of Internal Affairs. Both media reporting and DOJ indictments have documented the close relationship between the FSB and criminal and civilian hackers, who are reportedly used to bolster FSB cyber units.

Within the FSB, there are two primary centers responsible for information security and cyber operations. First, Center 16, which includes Berserk Bear and Venomous Bear, hosts most of the FSB’s signals intelligence capabilities. Second, the Center for Information Security, or Center 18, which includes Gossamer Bear and Primitive Bear, mainly oversees domestic security and operations (including the territories the Kremlin claims as Russian, such as Crimea and other occupied areas of Ukraine) but also occasionally conducts foreign operations.

Berserk Bear

Table 4: Aliases of Berserk Bear

Berserk Bear has been active since at least 2010. Both the U.S. and UK governments assess that Berserk Bear is almost certainly the FSB’s Center 16, also known as Military Unit 71330.

Berserk Bear’s activity may be divided into two distinct periods. Initially referred to as Energetic Bear, the group’s first phase of activity lasted until 2014. During this time, it targeted manufacturing, oil and gas, and electric utility entities across North America and Europe, using phishing, watering hole attacks, and supply chain intrusions for initial access. These operations typically led to deployment of custom malware, primarily Sysmain and Havex, combined with commodity penetration-testing tools.

Following public disclosure of Berserk Bear’s capabilities in 2014, cybersecurity researchers believe the group “stopped using its known tools and retired its infrastructure.” During the brief break, the behavioral characteristics of Berserk Bear’s activity shifted, but “enough technical and other links [remained] to associate this activity with previous campaigns.” The Dragonfly 2.0 campaign, likely launched in 2015, uses spear-phishing and strategic web compromise (watering hole) methods. What sets Berserk Bear’s attacks apart from those of other Russian APTs targeting critical infrastructure, such as Voodoo Bear, is that there is no evidence its attacks are disruptive in nature; it gains access to adversary systems and steals data but “despite ample opportunity never actually exploit[s] sensitive systems to attempt to cause a blackout, plant data-destructive malware, or deploy any other sort of cyberattack payload.” Berserk Bear seems to carry out only reconnaissance operations, but researchers worry that the information gathered could be used for more disruptive purposes in the future.

The U.S. government and its allies have found evidence of Berserk Bear hacking a range of entities, but it is difficult to gauge the extent of its work and the actual threat it poses. There are some notable examples:

  • Berserk Bear targeted U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors, in a years-long campaign beginning in March 2016 or earlier. In March 2018, DHS (now CISA) and the FBI released a joint technical alert detailing the campaign’s tactics.

  • In 2020, investigators discovered evidence of Berserk Bear using supply chain attacks to target German companies in the energy, water, and power sectors. German authorities stated that the attacker’s goal was to “steal information or even gain access to productive systems,” but there was no evidence of a disruptive attack on any network.

  • In October 2020, the FBI and CISA warned that Berserk Bear had hacked multiple U.S. state, local, and tribal-level government and aviation networks. Due to the proximity of this hack to the November 2020 elections, the attack raised concerns that election data had been compromised, although the FBI and CISA did not find any evidence of this.

Venomous Bear

Table 5: Aliases of Venomous Bear

Venomous Bear has been active since 2004. In May 2023, the U.S. government formally attributed Venomous Bear to an unknown unit within Center 16 of the FSB.

Venomous Bear mainly targets foreign governments and militaries and diplomatic organizations such as ministries of foreign affairs and embassies. Although it has targeted entities in at least 45 countries, it appears to focus largely on former Eastern Bloc countries. More recently, the group’s targets have expanded to include victims operating in multiple sectors, such as education and pharmaceutical companies. The group is known for conducting watering hole and spear-phishing campaigns, creating fake software update files, and using satellite communication hijacking for command and control. Venomous Bear has been known to use a wide range of sophisticated and custom malware, including Snake, Agent.BTZ/ComRAT, Mosquito, and LightNeuron.

Venomous Bear is responsible for the following notable cyberattacks:

  • In 2008, the U.S. Department of Defense suffered what was then “the worst breach of U.S. military computers in history” when a flash drive containing malicious code was inserted into a military laptop at a base in the Middle East. Agent.BTZ infected U.S. Central Command networks and had the “ability to scan computers for sensitive information and send data to a remote command and control server.” It took 14 months to remove the malware from military networks.

  • In 2014, Kaspersky Lab analyzed a large cyber espionage campaign called Epic Turla. Venomous Bear hackers infected hundreds of computers in more than 45 countries, specifically targeting Europe and the Middle East. Affected entities included government institutions, embassies, research and pharmaceutical companies, and military and educational organizations. Hackers used a multistage attack, starting with spear-phishing emails with Adobe PDF exploits and watering hole attacks. As attackers gained confidence, they upgraded to using sophisticated backdoors such as the Carbon/Cobra system. Upon infiltrating a system, the group often deployed a rootkit, a type of malware that permits the infiltrator to covertly command and control the infected system.

  • In 2017, Venomous Bear targeted invitees, guests, and nation-state participants of the G20 summit in Hamburg, Germany. The group used a backdoor named KopiLuwak, which is “capable of exfiltrating data as well as downloading and triggering additional malware and executing arbitrary commands on the infected machine.” The campaign used watering hole attacks and spear-phishing emails posing as an invitation to the G20 Task Force on the Digital Economy meeting.

  • In 2017, Venomous Bear made headlines when it used a comment on Britney Spears’s Instagram to store the location of its command and control server. The malware in question was a malicious Firefox extension delivered through a compromised website; after such malware compromises a system, the attackers use a command and control server to send it instructions and receive stolen data. When decoded, the nonsensical comment on Britney Spears’s photo, reading “#2hot make loved to her, uupss #Hot #X,” yielded the server’s address. Venomous Bear likely hid the comment on Britney Spears’s Instagram because of the large number of likes and comments each post receives, which makes one more comment hard to notice and gives the malware an innocuous, high-traffic site to fetch.
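Public analysis of this campaign described the hiding mechanism as zero-width joiner characters, which browsers do not render, placed in front of the characters that make up the hidden string. The Python below is an added illustration of that idea, not the malware’s code and not from the report: it embeds and extracts a payload with constructed markers, shows what a reader sees, and scans a batch of comments for the one carrying a payload. The payload “x7QpLz”, the shortener domain short.example, the exact marker pattern, and the length-based comment selection are all assumptions for illustration; the real campaign’s comment-selection hash, regular expression, and link are not reproduced.

```python
"""Hide and recover a C2 locator in a social-media comment with zero-width joiners.

Added illustration with constructed data; not the malware's own logic and not
code from the CSIS report.
"""
import re
from typing import Optional

ZWJ = "\u200d"  # zero-width joiner: present in the string, invisible when rendered
# Assumed marker layout: invisible ZWJ, then a visible '#' or '@', then the one
# character that belongs to the hidden string.
MARKER_RE = re.compile(r"\u200d[#@](\w)")
SHORTENER = "https://short.example/"  # hypothetical URL-shortener domain


def embed(secret: str, cover_words: list) -> str:
    """Hide `secret` in a comment built from `cover_words`, one character per word.

    Each hidden character is glued to the front of a cover word behind a
    marker, so the visible result reads like hashtag spam (#xhot @7make ...).
    """
    if len(secret) > len(cover_words):
        raise ValueError("not enough cover words for the secret")
    out = []
    for i, word in enumerate(cover_words):
        if i < len(secret):
            marker = "#" if i % 2 == 0 else "@"
            out.append(ZWJ + marker + secret[i] + word)
        else:
            out.append(word)
    return " ".join(out)


def render(comment: str) -> str:
    """What a human reader sees: the zero-width joiners vanish."""
    return comment.replace(ZWJ, "")


def extract(comment: str) -> str:
    """Collect the marked characters in order; empty string if none are present."""
    return "".join(MARKER_RE.findall(comment))


def find_beacon(comments: list, expected_len: int) -> Optional[str]:
    """Pick the comment whose hidden payload has the expected length.

    Stand-in for the comment-selection step; the real extension used its own
    hash over each comment, which is not reproduced here.
    """
    for comment in comments:
        if len(extract(comment)) == expected_len:
            return comment
    return None


def to_url(payload: str) -> str:
    """Turn the recovered characters into the (hypothetical) shortener link."""
    return SHORTENER + payload


if __name__ == "__main__":
    cover = ["hot", "make", "loved", "to", "her", "upss", "Hot", "X"]
    beacon = embed("x7QpLz", cover)                    # constructed comment
    feed = ["great pic!!", beacon, "love this song"]   # constructed comment feed
    print("reader sees:", render(beacon))
    hit = find_beacon(feed, expected_len=6)
    print("hidden payload:", extract(hit), "->", to_url(extract(hit)))
```

For detection, the useful inverse is the same regex run over outbound HTTP responses from social-media domains fetched by unexpected processes: a comment containing U+200D followed by a hashtag is ordinary emoji-joiner noise on its own, but a string of them that decodes to a shortener path is not.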

Gossamer Bear

Table 6: Aliases of Gossamer Bear

Gossamer Bear has been active since at least 2017. In December 2023, the U.S. government formally attributed Gossamer Bear to the FSB Center for Information Security, also known as Center 18, military unit 64829. In 2021, the Security Service of Ukraine publicly associated Gossamer Bear with Primitive Bear, but other cybersecurity companies and researchers do not support this link.

Gossamer Bear is known to target NATO countries, particularly the United States and the United Kingdom, and occasionally other countries in the Baltic, Nordic, and Eastern European regions. Within these countries, Gossamer Bear focuses on think tanks, institutes of higher education, defense and intelligence consulting companies, and NGOs. Gossamer Bear has also shown a unique interest in targeting individuals—in particular, former intelligence officials, experts in Russian affairs, and Russian citizens abroad—with Microsoft reporting that 30 percent of the tracked activity related to this threat group was delivered to consumer email accounts.

Gossamer Bear gathers intelligence on target individuals to identify legitimate contacts in the target’s social network. Based on the information it gathers, Gossamer Bear registers new email accounts that match the aliases of impersonated individuals before sending an initial benign email. After establishing contact, the group then sends an email referencing an attachment that was not attached. When the target replies, the hackers send a malicious attachment. One way Gossamer Bear conducts reconnaissance on potential targets is by creating fake LinkedIn profiles. In addition, Gossamer Bear has been documented using an organizational approach to phishing.

Once Gossamer Bear has stolen a target’s credentials, the threat actor has been known to sign into the victim’s email account and download emails and attachments, set up persistent data collection, or engage in conversation with specific people of interest.
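The two passages above describe a sequence a defender can look for: a sender whose display name matches a real contact but whose address is new, a message that refers to an attachment that is not there, a malicious attachment that arrives only after the target replies, and, after credential theft, mailbox rules that quietly forward mail out. The Python below is an added example (not from the report or any vendor detection) that runs those checks over a constructed mailbox export; every name, address, and domain in it is invented.

```python
"""Flag the impersonation-then-missing-attachment phishing pattern in a mailbox
export, plus mailbox rules that forward mail outside the organization.

Added example with constructed data; not code from the CSIS report.
"""
import re
from collections import defaultdict

ATTACHMENT_CLAIM = re.compile(r"\b(attached|attachment|enclosed)\b", re.IGNORECASE)

R_IMPERSONATION = "display name matches a known contact but the address is not on file"
R_MISSING_ATTACHMENT = "message refers to an attachment but carries none"
R_ATTACHMENT_AFTER_REPLY = "first real attachment arrived only after the recipient replied"

# Constructed sample data: invented contacts, addresses, and domains.
KNOWN_CONTACTS = {
    "Dr. Anna Novak": {"anna.novak@institute.example"},
    "Bob Lee": {"bob.lee@institute.example"},
}
SAMPLE_MESSAGES = [
    {"ts": 1, "direction": "in", "from_name": "Dr. Anna Novak",
     "from_addr": "anna.novak.work@mail.example", "has_attachment": False,
     "body": "Hope you are well. Would you join our panel on Russian affairs?"},
    {"ts": 2, "direction": "in", "from_name": "Dr. Anna Novak",
     "from_addr": "anna.novak.work@mail.example", "has_attachment": False,
     "body": "Attached is the draft agenda, let me know what you think."},
    {"ts": 3, "direction": "out", "to_addr": "anna.novak.work@mail.example",
     "body": "Happy to, but I do not see the attachment?"},
    {"ts": 4, "direction": "in", "from_name": "Dr. Anna Novak",
     "from_addr": "anna.novak.work@mail.example", "has_attachment": True,
     "body": "Apologies, here it is."},
    {"ts": 5, "direction": "in", "from_name": "Bob Lee",
     "from_addr": "bob.lee@institute.example", "has_attachment": True,
     "body": "Attached are the minutes from Monday."},
]
SAMPLE_RULES = [
    {"name": "Archive", "forward_to": "collector@mail.example"},
    {"name": "Team", "forward_to": "team@institute.example"},
]


def analyze_mailbox(messages, known_contacts):
    """Return {sender address: [reasons]} for inbound senders that fit the pattern."""
    inbound = defaultdict(list)
    outbound = []
    for m in sorted(messages, key=lambda m: m["ts"]):
        if m["direction"] == "in":
            inbound[m["from_addr"]].append(m)
        else:
            outbound.append(m)
    findings = {}
    for addr, msgs in inbound.items():
        reasons = []
        on_file = known_contacts.get(msgs[0]["from_name"])
        # Known display name, unknown address: the registered look-alike account.
        if on_file is not None and addr not in on_file:
            reasons.append(R_IMPERSONATION)
        claimed = [m for m in msgs
                   if ATTACHMENT_CLAIM.search(m["body"]) and not m["has_attachment"]]
        if claimed:
            reasons.append(R_MISSING_ATTACHMENT)
            first_real = next((m for m in msgs if m["has_attachment"]), None)
            # The payload came only after we wrote back about the missing file.
            if first_real and any(o["to_addr"] == addr
                                  and claimed[0]["ts"] < o["ts"] < first_real["ts"]
                                  for o in outbound):
                reasons.append(R_ATTACHMENT_AFTER_REPLY)
        if reasons:
            findings[addr] = reasons
    return findings


def flag_forwarding_rules(rules, org_domains):
    """Names of mailbox rules that forward mail to an address outside the organization."""
    return [r["name"] for r in rules
            if r.get("forward_to")
            and r["forward_to"].rsplit("@", 1)[-1].lower() not in org_domains]


if __name__ == "__main__":
    for addr, reasons in analyze_mailbox(SAMPLE_MESSAGES, KNOWN_CONTACTS).items():
        print(addr, "->", "; ".join(reasons))
    print("external forwarding rules:", flag_forwarding_rules(SAMPLE_RULES, {"institute.example"}))
```

The sample flags only the look-alike sender; the genuine colleague who sends an attachment on the first try is left alone. Against a real export, the `known_contacts` map comes from the address book and the rule list from the mail platform’s rule inventory; the forwarding check is worth running for every account that had a password reset after a phishing report, since the rule outlives the stolen password.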

Gossamer Bear is responsible for the following notable cyberattacks:

  • During the summer of 2022, Gossamer Bear targeted three U.S. nuclear research laboratories: Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The attacks appear to have been unsuccessful. A U.S. Department of Energy spokesperson said they did not find “evidence of information being compromised.”

  • In February 2023, Gossamer Bear gained access to the private email of Stewart McDonald, a member of the UK Parliament affiliated with the Scottish National Party. He wrote on Twitter, “Over the past couple of weeks, I have been dealing with a sophisticated and targeted spear phishing hack of my personal email account, and the personal email account belonging to one of my staff. These hacks are a criminal offence.”

Primitive Bear

Table 7: Aliases of Primitive Bear

Primitive Bear is a Russian threat group that has been active since at least 2013. In November 2021, Ukraine publicly linked Primitive Bear to Center 18. According to the Security Service of Ukraine, the group is likely operating out of Russia-occupied Crimea.

Primitive Bear tends to target the Ukrainian government and defense sectors. According to a 2021 report by the Security Service of Ukraine, the group conducts “targeted cyberintelligence operations against state bodies of Ukraine, primarily security, defense and law enforcement agencies, in order to obtain intelligence information.” The group is known for using methods of social engineering, especially sending phishing emails containing malicious Microsoft Office document attachments to potential victims on behalf of state bodies, international organizations, and individuals. It is also known to exploit zero-day vulnerabilities. The 2021 report highlights that Primitive Bear has been responsible for over 5,000 attacks against more than 1,000 government systems since 2014.

FOREIGN INTELLIGENCE SERVICE (SVR)

The SVR is Russia’s civilian foreign intelligence service, “aimed at protecting the individual, society, and the state from external threats.” It collects foreign intelligence using human, signals, electronic, and cyber methods. The SVR, unlike the GRU and FSB, tends to operate with a high degree of secrecy to avoid detection. Most cyber operations that have been attributed to the SVR are aimed primarily at gathering intelligence, and the SVR is known to have a high degree of technical expertise and professionalism. Cozy Bear is the only APT that has been officially attributed to the SVR.

Cozy Bear

Table 8: Aliases of Cozy Bear

Cozy Bear has been active since at least 2008. In 2018, the Dutch General Intelligence and Security Service reported that it had hacked Cozy Bear’s servers as well as a security camera in its office. The Dutch service passed the information to U.S. intelligence services, which strongly suggested that the group is a component of the SVR. The U.S. and UK governments have since both publicly attributed Cozy Bear to the SVR.

Cozy Bear is known to target government, foreign policy, and security-related organizations in the United States, United Kingdom, and other NATO member countries as well as post-Soviet states. Cozy Bear has used several intrusion methods, including widespread emails designed to look like high-volume spam messages and targeted spear-phishing emails. In some cases, Cozy Bear has used compromised third-party networks to conduct attacks, including sending phishing emails purportedly from the U.S. Department of State and Harvard University’s Faculty of Arts and Sciences.

According to a report by F-Secure, this group uses a “smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible.” If Cozy Bear determines the target to be particularly useful, it will switch the tool set and employ stealthier tactics “focused on persistent compromise and long-term intelligence gathering.” The group is especially adept at incrementally modifying its tactics as cybersecurity researchers publish information about its tool set and operations.

Cozy Bear is responsible for the following notable cyberattacks:

  • In the SolarWinds compromise, which began with access to SolarWinds’ environment in September 2019 and was discovered in December 2020, Cozy Bear used a supply chain attack to insert malicious code into updates of the SolarWinds Orion platform. The trojanized update reached roughly 18,000 Orion customers; Cozy Bear then pursued follow-on intrusions into a much smaller set of high-value networks, including government agencies such as the Departments of Homeland Security and State as well as large private companies such as Microsoft and FireEye.

  • In 2016, Cozy Bear was discovered inside the DNC’s network. The group is believed to have had access for roughly a year, waiting quietly and gathering information. Fancy Bear broke into the same network separately in 2016, and it was that GRU intrusion, not Cozy Bear’s, that produced the roughly 20,000 emails published by WikiLeaks in July 2016; cybersecurity researchers assess that the two groups worked independently and that their operations were not coordinated.

  • Throughout 2020, Cozy Bear targeted various organizations involved in Covid-19 vaccine research and development in Canada, the United Kingdom, and the United States with custom malware known as WellMess and WellMail. The goal of these attacks was likely to steal information and intellectual property and answer intelligence questions related to Covid-19.

OTHER ACTORS

TEMP.Veles

TEMP.Veles (also known as Xenotime) is a Russian threat group that has targeted critical infrastructure, focusing specifically on U.S. energy sector organizations. The U.S. government attributed TEMP.Veles to the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), which is a research organization under Russia’s Ministry of Defence. The group has developed destructive malware for targeting industrial control systems.

In 2021, in an indictment unsealed in March 2022, DOJ charged a TsNIIKhM employee with conducting computer intrusions against U.S. energy sector organizations. This employee also accessed the systems of a foreign oil refinery and deployed Triton malware.

PROXY AND FRONT ORGANIZATIONS

The Russian government also finances and directs operations through front organizations and websites used to spread disinformation (see Figure 2). Proxy and front organizations allow Moscow to evade blame more easily by creating a veil of deniability. For example, the Intelligence Community Assessment of Foreign Threats to the 2020 U.S. Federal Elections highlights that Moscow “employed a system of government officials, disinformation outlets, and companies to covertly influence U.S. voters and spread misinformation.” Front companies included SouthFront, an online disinformation site that operates on behalf of the FSB; NewsFront, a Crimea-based disinformation and propaganda outlet that also worked with the FSB; the Strategic Culture Foundation, an online journal directed by the SVR and closely affiliated with the Russian Ministry of Foreign Affairs; and InfoRos, a so-called “news agency” run by the GRU’s 72nd Main Intelligence Information Center (Unit 54777).

Another notorious Russia-connected organization known for its disinformation campaigns is the Internet Research Agency (IRA). The IRA conducted propaganda and influence operations on behalf of Russian domestic, foreign policy, and business interests. In February 2023, Yevgeny Prigozhin, then head of the Russian private military company Wagner Group, admitted on a Wagner Telegram channel that he founded the IRA. Following the failed Wagner rebellion of late June 2023, the IRA announced in July 2023 that it was shutting down.

The Russian government also has relationships with legitimate Russian IT companies for various reasons. Some companies, including Pasit, AO; Neobit; and Advanced System Technology, provide technical support to government cyber and information operations. They act as covert contractors for the Kremlin and conduct research and development on behalf of the FSB, GRU, and SVR. Other companies, such as Positive Technologies (a Russian IT security firm), host large-scale conventions that are known recruiting events for the FSB and GRU.

Figure 2: Russian Intelligence Service Disinformation Outlets. Source: U.S. Department of the Treasury, “Treasury Escalates Sanctions Against the Russian Government’s Attempts to Influence U.S. Elections,” Press release, April 15, 2021.

NONGOVERNMENTAL ACTORS

Russia is home to a vast, complicated, and opaque network of nongovernmental cyber actors that receive varying amounts of support or instruction from the Kremlin. There is no central body that coordinates this network, which includes “cybercriminals who operate without state backing and inject money into the Russian economy, patriotic hackers and criminal groups recruited by the state on an ad hoc basis, and proxy organizations and front companies created solely to conduct government operations, providing the Kremlin a veil of deniability.”

The government’s involvement and influence range from giving direct orders and financial support to simply permitting operations so long as the actor’s operations do not counter the interests of the Putin regime. This means Moscow has varying levels of control over these actors.

The Russian government leans heavily on nongovernmental entities to further Moscow’s foreign policy goals. Using cybercriminals makes it harder for adversaries to respond, as it adds uncertainty about attribution of the attack and thus the appropriate retaliation tactics. It is also a cheap way to accomplish Moscow’s goals of disruption. Russia-based or Russian-sponsored groups rarely conduct operations inside Russia or against Russian allies; instead, they focus on the United States, Europe, and Western-allied nations such as Canada and Australia—a particularly striking pattern when looking at criminal groups.

Cybercriminals

The Russian government allows financially motivated cybercrime groups to operate for a variety of reasons. Cybercrime brings money into Russia, and it also helps cultivate cyber talent, which the Kremlin can call on as needed. There is a mutual understanding between the Kremlin and these groups that they will be permitted to operate freely as long as they focus mainly on foreign targets, do not undermine Moscow’s foreign policy goals, and are responsive to government requests.

There are multiple examples of the Russian government recruiting criminal hackers, often through the FSB. This pattern was solidified during the 2008 Russo-Georgian war. A hacker told the Riga-based Russian-language news site Meduza that since the start of the conflict, Russian authorities “have regularly recruited hackers to work for them, sometimes voluntarily and sometimes under the threat of criminal prosecution.” Further, in 2017, DOJ charged two FSB officers and their criminal conspirators with “computer hacking, economic espionage, and other criminal offenses.” According to the press release, the two FSB officers “protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions.” Groups reported to have been recruited or directed in this way include TeslaBotnet, NetSide, BLOODNET, and UserSec, among others. Table 9 provides details about a select number of Russian cybercriminal groups.

Table 9: Information about Select Russian Cybercriminal Groups

Hacktivists

Beyond directly recruiting criminal hackers, Moscow also uses patriotic hackers, or hacktivists, to carry out cyber operations on its behalf. These groups, which vary greatly in terms of size and level of organization, conduct cyber operations in line with what they perceive as the Kremlin’s interests because they genuinely believe they are expressing patriotism for the Russian nation. Some cybercriminal groups have also expressed their support for Russia and the desire to back the Kremlin, particularly since Moscow’s invasion of Ukraine.

There is speculation regarding ties between patriotic hackers and the Russian government. Moscow does not attempt to hide its appreciation for their work. For example, in 2017, Putin bragged that Russian hacktivists “wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.” Some cybersecurity researchers have even assessed with moderate confidence that these groups at least coordinate with the GRU, SVR, and FSB. Table 10 shows a few notorious hacktivist groups.

Table 10: Information about Select Hacktivist Groups

Internal Rivalries

This large array of options means Moscow can tailor the tool to the mission. It can use a sliding scale of sophistication and closeness to the government. For sensitive missions that require stealth or persistence, it has a range of sophisticated and talented in-house operators. For less sensitive missions, where attribution directly to the Russian government would be escalatory or politically awkward, it can call upon myriad criminal groups at any time. Moscow’s security services can recruit these criminal groups with an implied threat: either participate or be shut down. However, this calibration works only up to a point. Target nations are getting better at attribution, and some are willing to speak out publicly. An operation that is meant to be quiet can easily become loud, as in the case of SolarWinds.

Having several in-house cyber operators is not unusual. Most nations with a robust cyber capability have the same setup. In Russia, however, these services tend to compete rather than collaborate. Jockeying for the leader’s favor is a continuing feature of Russian government infighting, and Putin gives or retracts his favor as he approves or disapproves of an operator’s performance. That competition can lead to mistakes, but it also engenders aggressiveness and resilience. If one set of capabilities is disrupted, others exist to fill the void.

Case Study

Russia Targets Ukraine, Again

Ukraine has been a consistent target of Russian cyberattacks, particularly since the 2013 Maidan protest movement and the 2014 illegal annexation of Crimea. Since then, Moscow has continually gathered intelligence on Ukraine and conducted cyberattacks with varying levels of disruption. In support of Russia’s long-term goal to control Ukraine, Russian attacks intensified in the weeks leading up to the full-scale invasion on February 24, 2022. At this time, Russian-affiliated actors went after a range of targets, with some attacks intended to cause immediate disruption and others intended to remain clandestine.

On January 14, 2022, Ukraine suffered the first major cyberattack in the series of attacks leading up to the invasion. The attack affected more than 70 government websites, including the country’s treasury, the National Emergency Service, and several ministries, causing them to display a message saying, “Be afraid and expect the worst.” The attacks were disruptive but minimally damaging: the vast majority of the websites were recovered within days. These types of cyber operations, however, have been an important part of Moscow’s strategy, undertaken by both government actors and hacktivists. They aim to destabilize Ukrainian society by keeping the Ukrainian government distracted and by affecting the psyche of the Ukrainian population.

A month later, Ukraine’s largest bank, PrivatBank, was hit by a DDoS attack that temporarily interfered with online banking transactions. The attack also disrupted the websites of Ukraine’s Ministry of Defence and armed forces, and Russian-affiliated actors went after oil and gas companies, sparking fears of broader cyberattacks should the conflict escalate. In the run-up to a war, these are exactly the aspects of society a belligerent actor intent on quickly subduing a population would seek to disrupt: trust in the military, the ability to withdraw money from banks, and access to fuel that would facilitate travel. If successfully executed, gutting these three sectors would prevent civilian mobility during crises and dampen hope. The public would become hostage, trapped in the line of fire.

Two days later, the U.S. government declassified information stating that Russian government hackers had penetrated Ukrainian military, energy, and other critical networks. The hackers, probably affiliated with the FSB and GRU, were lingering in the networks to collect information and position themselves to disrupt the systems in the wake of a full-scale invasion.

When the conflict shifted from operational preparation of the environment to open war, Russia’s efforts refocused on government targets, communication infrastructure, power, and media. Hours before the invasion in February, Russian actors, probably affiliated with the GRU, carried out a cyberattack on the Viasat KA-SAT satellite network that rendered tens of thousands of modems inoperable, disconnecting thousands of Ukrainian users from the internet and potentially disrupting Ukraine’s ability to communicate with its troops. Some Ukrainians reported having no internet access for more than two weeks following the attack, and it also affected connectivity in France and Germany. The overall consequences, however, were not particularly severe, and Ukrainian military and intelligence officials said the attack had only a negligible operational impact.

Cyberattacks have continued throughout the war. The GRU has been responsible for the majority of the disruptive cyberattacks in Ukraine, including on the power grid. The FSB has also been involved in cyberattacks on Ukraine, particularly cyber espionage campaigns against political and military targets as well as government institutions. Similarly, according to Microsoft, SVR-affiliated Cozy Bear has carried out espionage attacks against political parties and the military. Finally, Russian hacktivist groups such as Killnet, Anonymous Russia, and the People’s Cyber Army significantly increased their activity in Ukraine following Russia’s full-scale invasion.

Russia’s cyber operations in Ukraine, however, have failed to achieve their objectives. The apparent lack of disruption has not been from a lack of Russian effort. Rather, the lack of coordination between various actors has crippled Russian success. According to a report by the George C. Marshall European Center for Security Studies, the FSB, GRU, and SVR “compete more than they cooperate.” The three state agencies have a fierce rivalry that makes coordination and cooperation extremely unlikely. These tensions were further stoked soon after the full-scale invasion, when Putin removed the FSB from the Ukraine portfolio and put the GRU in charge, likely intensifying competition between the two and dampening any possibility for collaboration. Cyberattacks have also been poorly coordinated with Russian military actions, partially attributable to the ongoing mistrust between agencies.

Ukraine’s strong defenses have further contributed to Russia’s failure to cause disruption. Ukraine has suffered from Russian aggression in the cyber domain for years and is aware of the need for resilience. Kyiv has created redundant internet infrastructure, trained talented cyber defenders, and recruited allies in Western governments and technology companies. Amid Russia’s invasion, professionals at Microsoft, Mandiant, and others have sat side by side (virtually and literally) with Ukrainian defenders, limiting damage and restoring critical systems.

Russia’s war in Ukraine is a unique case, so it remains difficult to gauge the full extent of Russian capabilities and how Russia might engage with other states in a similar scenario. The 2023 Annual Threat Assessment of the U.S. Intelligence Community highlights that although Russia’s cyber activity has thus far fallen short of the expected impact, Russia remains “a top cyber threat as it refines and employs its espionage, influence, and attack capabilities,” learning from its previous attacks. Some analysts also argue that Russia has thus far refrained from using all of its capabilities and conducting large-scale cyberattacks against Ukraine. Additionally, Russia’s 2021 National Security Strategy emphasizes Moscow’s work toward using advanced technologies such as AI and quantum computing in its cyber capabilities, indicating that the Kremlin’s tactics will continue to advance. The Kremlin therefore will continue to pose a serious threat to the United States and its allies.

Russia’s cyber operations in Ukraine illustrate the key elements of Moscow’s overall approach to warfare in the cyber domain. It has used a combination of government entities and hacktivist groups, still likely taking orders from Moscow, to execute its overall strategy. It has combined a strategic objective—undermining the Ukrainian government and disrupting normal state activities—with opportunistic attacks, striking where and when it can. Cyber activity switched from information warfare to a combination of information and disruptive warfare. The last point could be a sign of things to come, as Ukraine has often served as a test bed for Russian capabilities. Moscow has long had the ability to engage in cyber espionage and persistent access, but the 2022 invasion of Ukraine has shown the next level of warfare: pairing destructive and disruptive cyber activity with kinetic warfare.


Julia Dickson is a research associate with the Intelligence, National Security, and Technology (INT) Program at CSIS. Her research interests include cybersecurity and cybercrime and the role of technology in conflict. Prior to joining CSIS, she was awarded a Fulbright grant and spent a year teaching English in Osh, Kyrgyzstan. She was also previously a research assistant at the Wilson Center, an intern for the Conventional Defense Program at the Stimson Center, and a communications and outreach intern at the International Crisis Group.

Emily Harding is director of the Intelligence, National Security, and Technology (INT) Program and vice president of the Defense and Security Department at CSIS. As the head of the INT Program, she provides thought leadership on the most critical issues facing intelligence professionals and on the future of intelligence work. She also serves as vice president of the Defense and Security Department, where she is responsible for leading a team of world-renowned scholars providing policy solutions that shape national security. Drawing on her decades of experience in national security, Emily has established herself as an expert on how technology is revolutionizing national security work. Harding has served in a series of high-profile national security positions at critical moments.
