Skip to content
— CH. 1 · INTRODUCTION —

Cyberwarfare by Russia

~8 min read · Ch. 1 of 7
7 sections
  • Cyberwarfare by Russia is not a single dramatic strike. It is a sustained, decades-long campaign woven from denial-of-service floods, covert hackers, forged documents, and psychological operations, all coordinated by Russian security and intelligence agencies since the 1990s to advance Kremlin geopolitical objectives. In April 2007, Estonia's banking system went dark, its government email collapsed, and its media outlets fell silent, all because a diplomatic row over a Soviet war memorial had triggered something the world had never quite seen before: a nation targeted by coordinated cyberattacks on a national scale. What does it mean when a country's critical systems can be switched off from across a border? Who controls these operations, and how far do they reach? Those questions became urgent in Tallinn in 2007, and they have not stopped being urgent since.

  • A 2017 United States Defense Intelligence Agency assessment described Russia's approach as having two interlocking components. The first is informational-technical operations: hacking, sabotage, and surveillance of computer networks. The second is informational-psychological operations: campaigns designed to shift beliefs and destabilize institutions. Together they fall under a Russian concept called informatsionnoye protivoborstvo, or information confrontation, a framework that has Soviet-era roots.

    Russia's 2016 Information Security Doctrine gave this framework formal standing in national law. The doctrine defines information security broadly enough to encompass data systems, physical infrastructure, and the behavior of human beings online. Its stated aims include protecting information sovereignty, securing state secrets, and promoting domestic technology development. Foreign states, organizations, and individuals are named as potential threats, and all branches of government are directed to coordinate responses.

    In 2013, Chief of the General Staff Valery Gerasimov published an article arguing that non-military tools can be decisive in modern conflict when coordinated with limited military force. Western analysts have frequently cited the article as a kind of blueprint, though experts caution that it reflects long-standing Russian military thinking rather than announcing a new doctrine.

    The Federal Security Service, the FSB, manages internal surveillance and counterintelligence, including the SORM system used to monitor online activity inside Russia. Military intelligence, the GRU, runs external operations including cyberattacks and network intrusions. Civil agencies and state-aligned media add messaging capacity both at home and abroad. Researchers at the Centre for Eastern Studies and the Kennan Institute have noted that this combination of legal, technical, and narrative tools is the defining feature of the approach.

  • US Department of Justice indictments and cybersecurity company reports have identified several recurring groups linked to the Russian state. APT28, also known as Fancy Bear, is commonly attributed to GRU Unit 26165. It has run operations against parliaments, broadcasters, and election campaigns across Europe. APT29, also known as Nobelium or Midnight Blizzard, is linked to Russia's foreign intelligence service, the SVR, and conducts long-running espionage campaigns against governments and technology companies.

    Sandworm, assessed as GRU Unit 74455, has deployed destructive malware against Ukrainian targets and is responsible for global campaigns including NotPetya. Turla, tracked by Microsoft as Secret Blizzard, is associated with FSB infrastructure and continued espionage operations as recently as 2025, when it targeted foreign embassies in Moscow. Star Blizzard, also known as Callisto or ColdRiver and linked to the FSB, has faced sanctions, criminal charges, and technical takedowns for spear-phishing campaigns aimed at officials, academics, and non-governmental organizations.

    In December 2023, US authorities charged two men, Andrey Korinets and alleged FSB officer Ruslan Peretyatko, in connection with Star Blizzard's spear-phishing operations. The US State Department offered a reward of up to ten million dollars for information leading to their whereabouts and arrest. By October 2024, the Justice Department and Microsoft had seized more than a hundred internet domains tied to Star Blizzard. Microsoft's Digital Crimes Unit reported that from January 2023 to August 2024, the group targeted more than thirty different organizations and at least eighty-two Microsoft customers, roughly one attack per week.

  • In April 2007, a dispute over the relocation of a Soviet-era war memorial in Tallinn escalated into something that security experts later described as a turning point in the history of conflict. Over several days, botnets flooded Estonian financial, media, and government websites with enormous volumes of spam traffic in what is called a distributed denial-of-service attack. Online banking went offline. Government employees lost email access. Journalists could not publish news.

    Estonian officials traced the systems directing the attacks back to Russian IP addresses, and the instructions coordinating the attack were written in Russian. Some experts nonetheless questioned whether the Russian government itself ordered the campaign. The ambiguity of attribution would become a recurring feature of Russian cyber operations.

    A year later, NATO founded the Cooperative Cyber Defence Centre of Excellence in Tallinn as a direct response to what Estonia had experienced. The centre became an institutional anchor for allied thinking about cyber conflict. When Estonia removed a Soviet-era tank monument near Narva in response to Russia's 2022 invasion of Ukraine, Estonian authorities reported the most extensive cyberattacks the country had experienced since 2007.

  • A Russian cyber weapon called Snake, also known as Ouroboros, began spreading into Ukrainian government computer systems in 2010, and was publicly reported in March 2014. The tool performed both network exploitation and sophisticated network attacks on Ukrainian government infrastructure.

    From 2014 to 2016, the Russian group Fancy Bear used malware hidden inside an infected Android application to target the Ukrainian Army's Rocket Forces and Artillery. The app was designed to control targeting data for the D-30 Howitzer. It was loaded with X-Agent spyware and distributed on military forums. The hacking group CyberBerkut, meanwhile, attacked the May 2014 Ukrainian presidential election over several days: it released hacked emails, attempted to alter vote tallies, and launched denial-of-service attacks that delayed results. A file that would have declared far-right candidate Dmytro Yarosh the winner was discovered inside the Central Election Commission's network less than an hour before polls closed. Channel One Russia reported that Yarosh had won and broadcast the fabricated graphic, citing the election commission's website, even though it had never appeared there.

    In December 2015, a malware attack attributed to Sandworm or the Russian government struck Ukrainian infrastructure, leaving more than two hundred thousand people temporarily without power. A similar attack on the power grid followed in December 2016. In February 2022, before and after Russian troops moved into eastern Ukraine, a series of cyberattacks took down major Ukrainian government and business websites. US officials attributed those attacks to Russian actors.

  • In May 2017, on the eve of the French presidential election, more than twenty thousand emails belonging to Emmanuel Macron's campaign were dumped on an anonymous file-sharing website, shortly after the campaign announced it had been hacked. Analysis by the American cybersecurity firm Flashpoint determined with moderate confidence that APT28 was behind the breach and the subsequent leak. An earlier attack in 2015 had already struck the French broadcasting network TV5Monde; that operation was initially claimed by a group calling itself the Cyber Caliphate, but French authorities later connected it to APT28.

    In Poland, a three-year pro-Russian disinformation campaign on Facebook with an audience of four and a half million Poles was uncovered in early 2019 by OKO.press and Avaaz. The campaign published fabricated news and supported specific Polish politicians. Facebook removed some of the pages after reviewing the analysis.

    In February 2016, senior Kremlin cyber official Andrey Krutskikh told Russia's national security conference that Russia was developing new strategies for the information arena that he compared to testing a nuclear weapon, saying it would allow Russia to speak to Americans as equals. Later that year, hacked emails belonging to the Democratic National Committee, John Podesta, and Colin Powell were released through DCLeaks and WikiLeaks. Private sector analysts and US intelligence agencies attributed the operation to Russian origin. In 2020, the group APT29 breached a top cybersecurity firm and multiple US government agencies, including the Treasury, Commerce, and Energy departments and the National Nuclear Security Administration, through the SolarWinds Orion network management platform. In May 2021, the Colonial Pipeline was struck by ransomware deployed by the Russian-language group DarkSide. The Department of Justice later recovered the bitcoin ransom paid to the attackers.

    In the Czech Republic, authorities in 2023 exposed a Kremlin-funded influence network called Voice of Europe, based in Prague and led in part by Ukrainian politician Viktor Medvedchuk. Czech intelligence investigations in 2024 revealed the network had attempted to bribe European lawmakers and sway the 2024 European Parliament election, using local intermediaries to channel funds to far-right and Eurosceptic politicians while amplifying pro-Kremlin narratives.

  • A 1999 US investigation called Moonlight Maze traced a 1996-1999 Russian cyberattack against NASA, the Pentagon, civilian academics, and government agencies. It was one of the earliest formal attributions of a state-sponsored cyber operation, and it established a pattern: attacks are often discovered and attributed long after they begin.

    The 2007 Estonia attacks illustrated the problem clearly. Even when IP addresses, language, and coordination pointed toward Russia, experts disagreed about whether the Russian state had directly ordered the campaign. In Georgia in 2008, a report by the US-based research institute US Cyber Consequences Unit concluded that the attacks on Georgian government websites had little or no direct involvement from the Russian government or military, finding that many originated from civilian computers whose owners were supporters of Russia during the conflict.

    False alarms have compounded the challenge. On the 30th of December 2016, Vermont's Burlington Electric Department announced that code associated with the Russian hacking operation dubbed Grizzly Steppe had been found on one of its computers. Early reporting created the impression that the US electric grid had been compromised. A subsequent correction clarified that the affected computer was not connected to the grid at all. Multiple governments have since moved toward coordinated formal attribution statements as a response to these ambiguities, pairing technical evidence with classified intelligence to publicly name Russian state entities responsible for specific attacks. The Viasat satellite attack at the start of Russia's 2022 invasion of Ukraine prompted one such coordinated international response, bringing allied governments together in a joint attribution that carried direct diplomatic and legal weight.

Common questions

What is cyberwarfare by Russia and when did it begin?

Cyberwarfare by Russia comprises denial-of-service campaigns, hacking operations, disinformation programs, and state-directed online repression carried out by Russian security and intelligence agencies since the 1990s. The operations are designed to advance Kremlin geopolitical objectives and are framed within a Russian doctrine called informatsionnoye protivoborstvo, or information confrontation.

Which Russian hacker groups are linked to state-sponsored cyberattacks?

The main groups include APT28 (Fancy Bear), linked to GRU Unit 26165; APT29 (Midnight Blizzard), linked to the SVR; Sandworm, assessed as GRU Unit 74455; Turla, associated with FSB infrastructure; and Star Blizzard (also known as Callisto or ColdRiver), linked to the FSB Information Security Center. Attribution is based on US Department of Justice indictments, cybersecurity company reports, and investigative journalism.

What happened during the 2007 cyberattacks on Estonia?

In April 2007, following a diplomatic dispute over a Soviet war memorial, Estonia was struck by large-scale distributed denial-of-service attacks that took down financial, media, and government websites. Online banking became inaccessible, government email failed, and media outlets could not publish. A year later, NATO founded the Cooperative Cyber Defence Centre of Excellence in Tallinn as a direct response to the attacks.

What was the NotPetya malware campaign and who carried it out?

NotPetya was a destructive malware campaign attributed to Sandworm, assessed as GRU Unit 74455, that caused global financial losses. It was one of several major attacks Sandworm deployed against Ukrainian targets and beyond. A 2021 Dragos report also found that Sandworm had been targeting US electric utilities, oil and gas, and other industrial firms since at least 2017.

How did Russia interfere in the 2014 Ukrainian presidential election?

The pro-Russian hacker group CyberBerkut attacked the May 2014 Ukrainian presidential election over several days, releasing hacked emails, attempting to alter vote tallies, and using denial-of-service attacks to delay results. A file falsely declaring far-right candidate Dmytro Yarosh the winner was discovered inside the Central Election Commission network less than an hour before polls closed. Channel One Russia broadcast the fabricated graphic despite it never having appeared on the election commission's website.

What is the Voice of Europe influence operation linked to Russia?

Voice of Europe was a Kremlin-funded influence network based in Prague, exposed by Czech authorities in 2023. It was led in part by Ukrainian politician Viktor Medvedchuk and attempted to bribe European lawmakers, channel funds to far-right and Eurosceptic politicians, and sway the 2024 European Parliament election. Czech intelligence investigations in 2024 detailed how the network used local intermediaries to promote Kremlin positions across European Union member states.

All sources

134 references cited across the entry

  1. 13press releaseJustice Department Disrupts Russian Intelligence Spear-Phishing EffortsU.S. Department of Justice — 3 October 2024
  2. 15newsHow a cyber attack transformed EstoniaDamien McGuinness — 27 April 2017
  3. 19newsRussia's radical new strategy for information warfareDavid Ignatius — 18 January 2017
  4. 26bookHandbook of Russian Information WarfareKeir Giles — NATO Defense College — November 2016
  5. 28journalThe Value of Science Is in the ForesightValery Gerasimov — January–February 2016
  6. 29journalGetting Gerasimov RightCharles K. Bartles — January–February 2016
  7. 32reportThe Anatomy of Russian Information Warfare: The Crimean Operation, a Case StudyJolanta Darczewska — Centre for Eastern Studies — May 2014
  8. 33reportA Closer Look at Russias Hybrid WarMichael Kofman et al. — Kennan Institute, Wilson Center — April 2015
  9. 38journalRussian propaganda on social media during the 2022 invasion of UkraineDominique Geissler et al. — December 2023
  10. 46webHow France's TV5 was almost destroyedGordon Corera — 10 October 2016
  11. 53newsWikileaks: Sicherheitskreise: Russland hackte geheime BundestagsaktenMarkus Wehner et al. — Frankfurter Allgemeine Zeitung — 11 December 2016
  12. 54newsVor Bundestagswahl: BND warnt vor russischen HackerangriffenSPIEGEL ONLINE — 29 November 2016
  13. 60webGerman Election Mystery: Why No Russian Meddling?Michael Schwirtz — 21 September 2017
  14. 64webBefore the Gunfire, CyberattacksJohn Markoff — 13 August 2008
  15. 65webHackers Stole IDs for AttacksSiobhan Gorman — 18 August 2009
  16. 67webDanny Bradbury investigates the cyberattack on KyrgyzstanDanny Bradbury — 5 February 2009
  17. 68webKyrgyzstan Knocked OfflineChristopher Rhoads — 28 January 2009
  18. 70webRussia's cyber weapons hit Ukraine: How to declare war without declaring warThe Christian Science Monitor — 12 March 2014
  19. 71bookThe Evolution of Cyber WarBrain M. Mazanec — University of Nebraska Press — 2015
  20. 84webCyberattack hits Ukrainian banks and government websitesLauren Feiner — CBNC — 2022-02-23
  21. 91webMPs and media create Brexit hacking scarePeter Teffer — 12 April 2017
  22. 98newsDefending a New DomainWilliam J. Lynn III — 2020-10-16
  23. 99newsHow the U.S. thinks Russians hacked the White HouseEvan Perez et al. — 8 April 2015
  24. 100webSources: State Dept Hack the 'worst ever'Evan Perez and Shimon Prokupecz — 10 March 2015
  25. 103newsUS officially accuses Russia of hacking DNC and interfering with electionSpencer Ackerman et al. — 8 October 2016
  26. 104newsCan US election hack be traced to Russia?Gordon Corera — 22 December 2016
  27. 109newsRussian Hackers Attacking U.S. Power Grid and Aviation, FBI WarnsJennifer Dlouhy et al. — 15 March 2018
  28. 111webNuclear weapons agency breached amid massive cyber onslaughtNatasha Bertrand — 17 December 2020
  29. 120newsExclusive: Russian hackers targeted U.S. nuclear scientistsJames Pearson et al. — 6 January 2023
  30. 134newsUS says it disrupted Russian efforts to hack government agenciesDavid Ljunggren et al. — 3 October 2024