Cyberwarfare by Russia
In 2016, Russia formalized its approach to digital conflict through the Information Security Doctrine. This document defined information security broadly to include data, infrastructure, and human processes. It established goals to protect information sovereignty and secure critical systems against foreign threats. The doctrine fused technical network actions with psychological measures under the concept of informatsionnoye protivoborstvo, or information confrontation. A 2017 United States Defense Intelligence Agency assessment identified two main components within this strategy. The first component focused on computer network operations, including defense, exploitation, and offensive attacks. The second aimed at influencing beliefs and behaviors to advance Russian state goals. Chief of the General Staff Valery Gerasimov argued in 2013 that non-military tools could be decisive when coordinated with limited force. His article is frequently cited in Western analysis, but experts caution against viewing it as formal doctrine. Both Russian and Western analysts emphasize that it reflects long-standing military thinking rather than a new approach. Researchers at the Centre for Eastern Studies and the Kennan Institute note how Russia combines legal, technical, and narrative tools. Domestic internet controls enable censorship and surveillance at home while supporting psychological operations abroad.
APT28, also known as Fancy Bear, is commonly linked to GRU Unit 26165. This group conducts operations against parliaments, broadcasters, and election campaigns across Europe. APT29, sometimes called Nobelium or Midnight Blizzard, is linked to Russia's SVR and runs long-running espionage campaigns targeting governments and technology firms. Sandworm, assessed as GRU Unit 74455, has deployed destructive malware against Ukrainian targets. It carried out global campaigns such as NotPetya, which caused significant financial losses worldwide. Turla, tracked by Microsoft as Secret Blizzard, is associated with FSB infrastructure and continues espionage operations, including activity in 2025 targeting foreign embassies in Moscow. The FSB-linked Star Blizzard group, also known as Callisto or ColdRiver, faces sanctions and criminal charges for spear-phishing campaigns. These attacks target officials, academics, and NGOs globally. While attribution remains contested in some incidents, multiple governments have issued formal statements attributing responsibility to Russian state entities based on classified intelligence. Cybersecurity company reports and investigative journalism confirm the existence of these recurring groups. One identified young Russian hacker stated that he was paid by Russian state security services to lead hacking attacks on NATO computers. The FSB paid his tuition while he studied computer science at the Department of the Defense of Information.
In April 2007, Estonia faced a series of cyberattacks following a diplomatic row over a Soviet war memorial. An enormous volume of spam transmitted by botnets took down financial, media, and government websites. Online banking became inaccessible, and government employees could not communicate via email. Estonian officials traced the systems controlling the cyberattacks back to Russia. A year after the attack, NATO founded the Cooperative Cyber Defence Centre of Excellence in Tallinn as a direct consequence. On 20 July 2008, the website of Georgian president Mikheil Saakashvili was rendered inoperable for twenty-four hours. During the war, hackers plastered images of Saakashvili and former Nazi leader Adolf Hitler on other government sites. Many Georgian government servers were attacked and brought down, hindering communication and information dissemination. Technical experts consider this the first recorded instance in history of cyberattacks coinciding with an armed conflict. A report by an independent US-based research institute stated that the attacks had little or no direct involvement from the Russian government. Some attacks originated from PCs located in Russia, Ukraine, and Latvia that were used willingly by supporters of Russia. In mid-January 2009, Kyrgyzstan's two main ISPs came under large-scale DDoS attacks, shutting down websites and email within the country.
In 2015, hackers using malicious software attacked TV5Monde, a Paris-based French broadcasting service. The attack took all twelve channels off the air and was initially claimed by a group calling itself the Cyber Caliphate. A more in-depth investigation revealed links to APT28, a GRU-affiliated hacker group. In May 2017, over 20,000 emails belonging to Emmanuel Macron's campaign were dumped on an anonymous file-sharing website. Word of the leak spread rapidly through the Internet, facilitated by bots and spam accounts. Analysis by Flashpoint determined with moderate confidence that APT28 was behind the hacking and subsequent leak. Between late April and early May 2022, multiple Romanian government, military, bank, and mass media websites went down after DDoS attacks. These attacks came from a pro-Kremlin hacking group named Killnet, following a statement by Senate president Florin Cîțu about providing Ukraine with military equipment. In 2023, Czech authorities exposed Voice of Europe, a Kremlin-funded influence operation based in Prague. This outlet aimed to sway European politics by channeling funds to far-right politicians while amplifying pro-Kremlin narratives. Investigations revealed that this network attempted to bribe European lawmakers and influence elections, including the 2024 European Parliament election.
In March 2014, a Russian cyber weapon called Snake or Ouroboros created havoc on Ukrainian government systems. The toolkit had begun spreading into Ukrainian computer systems in 2010, performing highly sophisticated computer network exploitation and attack operations. From 2014 to 2016, the Russian APT Fancy Bear used Android malware to target the Ukrainian Army's Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. CrowdStrike claimed the attack was successful, with more than 80% of Ukrainian D-30 Howitzers destroyed, though the Ukrainian army denies these figures. The U.S. government concluded after a study that a cyberattack caused a power outage in Ukraine, leaving over 200,000 people temporarily without power. Sandworm, or the Russian government more broadly, was possibly behind the malware attack on the Ukrainian power grid, as well as on a mining company and a railway operator, in December 2015. In February 2021, Ukraine accused Russia of attacking the System of Electronic Interaction of Executive Bodies via uploaded documents containing macro scripts. If a recipient enabled the macros, these scripts would download malware that allowed the attackers to take over the computer.
Moonlight Maze was the US investigation, begun in 1999, into a 1996-1999 Russian cyberattack against NASA, the Pentagon, and civilian academics. The cyberattack was attributed to Russian-state-sponsored hackers. In April 2015, CNN reported that Russian hackers had penetrated sensitive parts of White House computers in recent months. Federal law enforcement categorized the hack of the State Department email system as the worst ever intrusion against a federal agency. In 2016, hacked emails belonging to the Democratic National Committee and John Podesta were released through DCLeaks and WikiLeaks. Senior Kremlin advisor Andrey Krutskikh told a Moscow conference in February 2016 that Russia was testing strategies equivalent to a nuclear bomb for the information arena. Over several months in 2020, APT29 breached multiple U.S. government agencies, including the Treasury, Commerce, and Energy departments, through SolarWinds Orion. The hacks occurred through a network management system that was also used by top cybersecurity firms. In June 2019, the New York Times reported that hackers from United States Cyber Command had planted malware potentially capable of disrupting the Russian electrical grid. The Kremlin warned that such intrusions could escalate into a cyberwar between the two countries.
Common questions
What is the Information Security Doctrine of Russia and when was it formalized?
Russia formalized its approach to digital conflict through the Information Security Doctrine in 2016. This document defined information security broadly to include data, infrastructure, and human processes while establishing goals to protect information sovereignty.
Which Russian hacker groups are linked to specific government agencies?
APT28, known as Fancy Bear, is commonly linked to GRU Unit 26165, while APT29, sometimes called Nobelium, is linked to Russia's SVR. Sandworm, assessed as GRU Unit 74455, has deployed destructive malware against Ukrainian targets, and Turla is associated with FSB infrastructure.
When did Estonia face cyberattacks following a diplomatic row over a Soviet war memorial?
In April 2007, Estonia faced a series of cyberattacks following a diplomatic row over a Soviet war memorial. An enormous volume of spam transmitted by botnets took down financial, media, and government websites during this period.
How did Russia use cyber weapons against Ukraine between 2014 and 2016?
In March 2014, a Russian cyber weapon called Snake or Ouroboros created havoc on Ukrainian government systems. From 2014 to 2016, the Russian APT Fancy Bear used Android malware to target the Ukrainian Army's Rocket Forces and Artillery.
What happened during the SolarWinds breach in 2020 involving APT29?
Over several months in 2020, APT29 breached multiple U.S. government agencies, including the Treasury, Commerce, and Energy departments, through SolarWinds Orion. The hacks occurred through a network management system that was also used by top cybersecurity firms.