Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Executive summary
The number of cyber operations launched from Russia over the last few years is astounding, ranging from the NotPetya malware attack that cost the global economy billions, to the SolarWinds espionage campaign against dozens of US government agencies and thousands of companies. Broad characterizations of these operations, such as “Russian cyberattack,” obscure the very real and entangled web of cyber actors within Russia that receive varying degrees of support from, approval by, and involvement with the Russian government. This issue brief describes the large, complex, and often opaque network of cyber actors in Russia, from front companies to patriotic hackers to cybercriminals. It analyzes the range and ambiguity of the Russian government’s involvement with the different actors in this cyber web, as well as the risks and benefits the Kremlin perceives or gets from leveraging actors in this group. The issue brief concludes with three takeaways and actions for policymakers in the United States, as well as in allied and partner countries: focus on understanding the incentive structure for the different actors in Russia’s cyber web; specify the relationship any given Russian actor has or does not have with the state, and calibrate their responses accordingly; and examine these actors and activities from Moscow’s perspective when designing policies and predicting the Kremlin’s responses.

Introduction
The number of cyber operations launched from Russia over the last few years is astounding, ranging from the NotPetya malware attack that cost the global economy billions to the SolarWinds espionage campaign against dozens of US government agencies and thousands of companies. Yet broad characterizations of these operations, such as “Russian cyberattack,” obscure the very real and entangled web of cyber actors within Russia that have varying degrees of support from, approval by, and involvement with the Russian government.

Contrary to popular belief, the Kremlin does not control every single cyber operation run out of Russia. Instead, the regime of President Vladimir Putin has to some extent inherited, and now actively cultivates, a complex web of Russian cyber actors. This network includes: cybercriminals who operate without state backing and inject money into the Russian economy; patriotic hackers and criminal groups recruited by the state on an ad hoc basis; and proxy organizations and front companies created solely for the purpose of conducting government operations, providing the Kremlin a veil of deniability. This web of cyber actors is large, often opaque, and central to how the Russian government organizes and conducts cyber operations, as well as how it develops cyber capabilities and recruits cyber personnel.

Referring to all cyber activities that take place inside of Russia as “Russian”—and even those launched from outside Russia by “Russian” actors—flattens the complexity of this network and undermines analysis of the range of actors at the Kremlin’s disposal. Likewise, assuming the Putin regime controls every single cyber activity emanating from Russia ignores the government’s spectrum of involvement with various actors and, in turn, the different opportunities the United States and its allies and partners may have to disrupt Moscow’s cultivation and use of this cyber ecosystem. While researchers continue to publish on the “cyber proxies” concept, proxy as a universal term fails to capture the gradations of the state’s involvement with hackers, assuming a top-down hierarchical relationship that is not always present in Russia. Public information about this cyber ecosystem is not perfect or complete, but its relationship with the Russian government demands deeper analysis.

Untangling this multifaceted web—and understanding how and why so many Russian cyber actors freely operate in, and oscillate between, state and non-state domains—will allow the United States to appropriately target negotiations and track the expansion of Russian cyber operations globally. This is particularly important now, with the Putin regime facing an unprecedented level of sanctions from governments around the world, and the country’s information technology (IT) “brain drain” accelerating since the regime’s (re)invasion of Ukraine in February 2022.1 Before these latest hostilities, the US government was negotiating a curtailment of ransomware attacks coming from within Russia; right after the war began, diplomatic talks between the Biden administration and the Kremlin quickly deteriorated.2 Arguably, understanding and disrupting Russian cyber operations in conflicts in Ukraine and other areas around the world is more important than ever for the US government and its allies and partners. However, the reality is that the US government cannot pursue these objectives effectively or comprehensively without first understanding and shaping its approach around the reality of Russia’s cyber ecosystem.

This four-part issue brief reviews the complex web of cyber actors in Russia, analyzes the range of Russian government involvement with these actors through specific examples, explains the risks and benefits the Kremlin perceives or gets from cultivating and leveraging this web of cyber actors, and provides three key takeaway-action pairings for US policymakers and its allies and partners.

A complex web: Inheritance meets cultivation
Russia is home to a convoluted web of cyber actors comprised of government-funded front companies, state-tapped individuals, cybercriminals, and “patriotic hackers,” among others. While some of these entities receive direct orders and financial support from Russian authorities, others have tacit permission to operate independently, so long as they do not upset the Putin regime. The Kremlin’s involvement with each of these actors follows a varied and ambiguous pattern of engagement that the next section discusses in more detail. First, it is necessary to understand why the Russian government values this kind of cyberspace proxy activity, and how this activity has evolved into the convoluted and opaque web that exists in Russia today.

Political warfare is generally important to the Kremlin. The Putin regime, inside and beyond Russian borders, has carried out assassinations and attempted assassinations, funded propaganda front companies, spread disinformation, and launched disruptive cyber operations, among other activities. While the organizational structures that execute these activities, and the techniques used, vary, the goals are often similar: to disrupt, destroy, sabotage, and subvert enemies of the Russian state (read: enemies of the Putin regime) abroad and at home. This reflects a growing emphasis in Russia’s military doctrine and national security thinking on the importance of information, proxy, and below-threshold-of-war conflict.3 Russia’s 2000 Foreign Policy Concept stated that “while the [sic] military power still retains significance in relations among states, an ever greater role is being played by economic, political, scientific and technological, ecological, and information factors.4 Prominent Russian military theorists S. G. Chekinov and S. A. Bogdanov underscored this in their 2010 article that appeared in the Russian journal Military Thought, writing that “asymmetric actions, too, will be used extensively to level off the enemy’s superiority in an armed struggle by a combination of political, economic, information, technological, and ecological campaigns in the form of indirect actions and nonmilitary measures.”5 Some of these political warfare actions, like disruptive cyber operations, explicitly target Russia’s enemies, while others have intentional indirect effects. Scholars Adrian Hänni and Miguel Grossmann, for instance, argue that the Putin regime’s “public, theatrical form of murderous attacks on intelligence defectors” is a kind of “signaling through covert action” to Russia’s enemies, Russian defectors, and the Russian public.6
Russia is home to a convoluted web of cyber actors comprised of government-funded front companies, state-tapped individuals, cybercriminals, and “patriotic hackers,” among others.”

Political warfare is generally important to the Kremlin. The Putin regime, inside and beyond Russian borders, has carried out assassinations and attempted assassinations, funded propaganda front companies, spread disinformation, and launched disruptive cyber operations, among other activities. While the organizational structures that execute these activities, and the techniques used, vary, the goals are often similar: to disrupt, destroy, sabotage, and subvert enemies of the Russian state (read: enemies of the Putin regime) abroad and at home. This reflects a growing emphasis in Russia’s military doctrine and national security thinking on the importance of information, proxy, and below-threshold-of-war conflict.7 Russia’s 2000 Foreign Policy Concept stated that “while the [sic] military power still retains significance in relations among states, an ever greater role is being played by economic, political, scientific and technological, ecological, and information factors.”8 Prominent Russian military theorists S. G. Chekinov and S. A. Bogdanov underscored this in their 2010 article that appeared in the Russian journal Military Thought, writing that “asymmetric actions, too, will be used extensively to level off the enemy’s superiority in an armed struggle by a combination of political, economic, information, technological, and ecological campaigns in the form of indirect actions and nonmilitary measures.”9 Some of these political warfare actions, like disruptive cyber operations, explicitly target Russia’s enemies, while others have intentional indirect effects. Scholars Adrian Hänni and Miguel Grossmann, for instance, argue that the Putin regime’s “public, theatrical form of murderous attacks on intelligence defectors” is a kind of “signaling through covert action” to Russia’s enemies, Russian defectors, and the Russian public.10

This assessment has its roots in historical actions, bureaucracy, and thinking that inform how Moscow uses cyber and information capabilities today. The Soviet Union conducted political warfare-style operations under an umbrella of “active measures” against foreign and domestic targets. Akin to contemporary political warfare, these actions ranged from assassinating émigré leaders who participated in anti-Soviet activities to manufacturing and spreading the lie that the Pentagon started the AIDS epidemic.11 Of course, the parallels are not perfect, and the information environment today is fundamentally different than it was decades ago. For example, the scale and speed of microtargeting alone, enabled by the internet, is unprecedented. Regardless, the Putin regime and the Russian security apparatus continue to emphasize many of the same Soviet-era, active measures-type ideas, such as deniability, covertness, and the use of proxies, which carries over to cyber operations.12 Russia’s modern structure for information operations reportedly even mirrors the Soviet approach; after the collapse of the Soviet Union, the military transferred its propaganda directorate to the military intelligence agency (Glavnoye Razvedyvatelnoye Upravlenie, or GRU), rebranding it GRU Unit 54777 in 1994.13 This unit still exists today and,14 per the US Department of the Treasury’s 2021 sanctions, falls under Russia’s Information Operations Troops.15 From strategic thinking to operational style to intelligence structure and culture, many similarities exist between the active measures of the Soviet Union and the political warfare activities of contemporary Russia.

To some extent the Putin regime inherited this convoluted web of cyber actors. Economic decline and political instability following the demise of the Soviet Union contributed to an explosion of crime,16 including cybercriminal activity. Among other reasons, a lack of laws and enforcement related to cybercrime, limited economic opportunities, and “highly educated and technologically empowered segments of [the] population with the capability to conduct sophisticated criminal operations” all accelerated the pace of cybercrime in 1990s Russia.17 This activity evolved from software piracy to more serious forms of profit generation like hacking banks and stealing identities.18 By the time Putin ascended to the presidency in December 1999, there were already numerous nonstate hackers in Russia engaged in criminal behavior.

Instead of cracking down, the Kremlin actively cultivated this network of cyber actors, and continues to leverage this ecosystem for purposes that extend beyond criminal activity. The Putin regime allows cybercriminals and patriotic hackers to operate freely within Russia, so long as they focus on foreign targets, do not undermine the Kremlin’s objectives, and answer to the state when asked. The Federal Security Service (FSB), Russia’s internal security agency with some foreign purview, recruits cybercriminals to carry out operations on its behalf. The Foreign Intelligence Service (SVR) sets up front organizations to conduct cyber and information operations against foreign targets. The Kremlin permits private military companies (PMCs) to operate around the world and to sell their military and protective services to foreign governments; at least one Russian PMC has developed a cyber unit.19, 520 While Putin did inherit an ecosystem of both legitimate technology companies and technically talented individuals engaged in cybercrime, the regime has purposefully shaped this resource pool of Russian cyber actors to its own benefit, though not without accompanying risks.

It is worth noting that this issue brief focuses primarily on cyber operations as understood by the United States (pertaining to code) but also mentions information operations throughout (pertaining to, in the US view, human-readable content). Russia’s conceptualization of the information space does not make such a firm distinction. Therefore, this issue brief errs toward depicting the Russian understanding of the space, as well as highlighting some of the similarities between the ways Russian actors have conducted cyber and information operations, such as the government setting up cyber and information front organizations in other countries.

The spectrum of Russian government involvement
Putin does not control every single cyber operation that occurs within or comes out of Russia. In fact, as Candace Rondeaux writes, the “narrative of a grand chess master, whether Putin, a Kremlin insider, or a mercenary group, singlehandedly orchestrating Russia’s proxy warfare strategy is a useful fiction for the Kremlin.”21 Simply put, “Vladimir Putin is not omnipotent,” as journalist Julia Ioffe remarked in 2013.22 In reality, there are degrees of Russian government involvement with most Russian cyber actors, whether it is through active financing, tacit approval, or another kind of engagement entirely. It is also possible that some activity is entrepreneurial by design, with nonstate hackers and developers auditioning their capabilities to capture the attention of the state.23 Further, for all that Russian doctrines and military thinking emphasize the importance of political warfare and cyber and information operations, there is a great deal of complexity, competition, and internal conflict in how the Russian government bureaucracy attempts to operationalize those doctrines and ideas. Unpacking this spectrum of Russian government involvement with hackers is essential for the United States and its allies and partners to accurately analyze the Russian cyber web, as well as to identify areas to disrupt Russian government or government-directed activity.

In 2011, Jason Healey described a spectrum of state involvement in cyber activity,24 identifying ten separate types of hacking: state-prohibited, state-prohibited-but-inadequate, state-ignored, state-encouraged, state-shaped, state-coordinated, state-ordered, state-rogue-conducted, state-executed, and state-integrated.25 While Healey’s intention was to enhance the conversation around government responsibility for cyber operations beyond technical attribution, his framework alone illustrates that governments can maintain a range of relationships with hackers to suit their purposes. Putin’s regime has taken—and continues to take—this exact approach.

The extensive Russian network includes: internal government cyber and information units; front companies established and run by the government; private companies leveraged by the government to develop capabilities and recruit talent; criminals recruited by state officials; industry developers recruited by state officials; independently operating patriotic hackers (often with state encouragement or as cover for state-run action); hackers independently building their capabilities and pitching them to the state; and murky, mafia-style familial entanglements between hackers and Russian government officials. Experts have published excellent research on cyber proxies,26 yet, in Russia’s case, questions remain about the exact nature of those relationships, as they sometimes defy the frequent assumption that proxy activity refers to a top-down hierarchical relationship, with the state as the primary actor. Considerable portions of Russia’s cybercriminal ecosystem operate with a sort of Darwinian entrepreneurialism, akin to the approach of Russian criminal enterprises and protective services in the 1990s.Thanks to several individuals for discussion of this point.27 Criminals often have substantial agency to drive this activity. And when there are quasi-symbiotic relationships at play with the state—a local FSB official, for instance, taking money on the side to provide a “roof” (krysha) of protection for hackers—these relationships do not entirely follow top-down or state-dominated definitions. It is also important to note, before diving into examples of actors in the Russian cyber web, that each case study raises questions about replicability.28 Some examples may be entirely or somewhat replicable, while others could be one-off cases, shaped by factors such as the Russian government’s operational needs, budgetary resources, technical constraints, and others.

The Russian government has many internal teams carrying out cyber operations. The FSB, GRU, and SVR all have cyber units, in addition to the cyber organizations located within other parts of the Russian military and security service apparatus.29 For example, the FSB’s 16th Center has signals intelligence capabilities, and its 18th Center has been responsible for hacks of Yahoo, Ukrainian targets, and others.30 The GRU has multiple cyber teams, including Unit 26165 (“Fancy Bear”),31 that carried out the 2016 hack of the Democratic National Committee,32 and Unit 74455 (“Sandworm”), that hacked power grids in Ukraine.33 Even though less is known about its internal cyber structure,34 the SVR has also carried out major operations, such as the SolarWinds hack in 2020.35 Often these operations are launched from within Russia, but at other times, state hackers have gone abroad to attack targets. In 2018, for example, operatives from GRU Unit 26165 traveled to the Netherlands to hack into and disrupt the investigation of the Organization for the Prohibition of Chemical Weapons (OPCW) into the poisoning of Sergei Skripal and his daughter.36 GRU Unit 26165 hackers, apparently part of the same sub-team of GRU Unit 26165, were also on site in Rio de Janeiro, Brazil and Lausanne, Switzerland to break into systems of the US Anti-Doping Agency, the World Anti-Doping Agency, and the Canadian Center for Ethics in Sport.37
Moscow finances and directs cyber and information operations through front organizations and websites used by the GRU, the SVR, and the FSB to spread disinformation.38 The Russian government also uses companies like Neobit and AST to technically support cyber and information operations, with some companies acting like contractors but in a covert capacity.39 It is possible that the Russian government is increasingly stationing these cyber and information assets overseas. One of the Russian spies the United States caught and deported in June 2010 was working at Microsoft. The man had no apparent links to the Russian intelligence community. However, federal authorities knew that he had previously worked at Neobit,40 currently linked, per the US Department of the Treasury’s April 2021 sanctions, to the Russian Ministry of Defense, the FSB, and the SVR.41 In 2019, a Czech magazine reported that the Czech Security Information Service had shut down two private IT companies in early 2018 that were fronts for Russian hackers, reportedly part of a broader international network.42 Outside of what the United States considers cyber operations, but well within the Russian government’s cohesive conception of the information space, the Internet Research Agency has since 2016 been setting up overseas offices in Ghana, Nigeria, and Mexico to covertly run information operations.43 Yevgeny Prigozhin, Putin’s “chef” and confidante, heads these operations that, even while coordinated surreptitiously by the Kremlin, may not involve constant or direct government control.

The Russian government also recruits hackers and cybercriminals on an ad hoc basis to conduct operations.44 Authorities allow the Russian cybercriminal apparatus to thrive for a variety of reasons, including the fact that cybercrime brings money into Russia, and the talent base it cultivates gives the Kremlin proxies to tap as needed. It is also part and parcel of the pervasive corruption in the Russian business and government world. Through the “social contract” these hackers have with the Kremlin, they generally get permission to operate freely, as long as they focus mainly on foreign targets and do not undermine the Kremlin’s objectives. They must also be responsive to Russian government requests, even if the motives of these cybercriminals are primarily financial.45 (In the rare, publicly reported instances of Russian authorities arresting cybercriminals, the hackers involved had either stolen from or targeted Russian citizens.46 Even former FSB-linked hackers may not be safe if they violate the Kremlin’s social contract.47) As Nina Kollars and Michael Petersen write, “institutional boundaries have become porous, allowing private citizens and organizations to conduct sanctioned state activities and allowing the state to mine society for autonomous assets to carry out state functions.”48

Several cases underscore how the Russian government recruits programmers and criminal hackers as needed, often through the FSB. In the late 2000s, the FSB reportedly contacted an individual tied to a patriotic hacker website in an attempt to establish a cooperative relationship.49 Around the time of the Russo-Georgian War in 2008, Russian intelligence agencies tried to create an online forum to recruit hackers to attack Georgian targets.50 In September 2015, the independent Russian news website Meduza reported that Alexander Vyarya, who worked at a Russian company building distributed denial-of-service (DDoS) defense software, said Rostec, Russia’s defense conglomerate, approached him requesting his help to improve the government’s DDoS attack capabilities.51 Vyarya noted that, at a meeting in Sofia, Bulgaria, software developers showed him an existing Russian government DDoS capability, which was demonstrated on the websites of the Ukrainian Ministry of Defense and the Russian edition of Slon.ru (an online magazine);52 Vyarya refused to get involved and then left Russia.53 This last example illustrates an additional set of risks and incentives—those of individuals working as company programmers tapped by the Russian government to provide assistance who must assess the consequences of refusal.

In 2017, the US Department of Justice charged two FSB officers and their criminal collaborators with hacking into Yahoo and millions of email accounts.54 The indictment alleged that the officers “conspired together and with each other to protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the US and elsewhere.”55 The document stated that the officers tasked hackers with targeting Yahoo email accounts; when they wanted information from non-Yahoo emails, they tasked a hacker and paid them a “bounty.”56 The indictment described one officer, in particular, as a hacker’s “handling FSB officer.”57 Yet these FSB officers went a step beyond material direction and financing. In line with other nominally state-sanctioned criminal activities in Russia, the FSB officers allegedly provided one of the hackers with “sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.”58
Other accounts describe parts of the Russian government, including the FSB, the GRU, and the Ministry of Internal Affairs, cultivating close relationships with nonstate hackers.59 Positive Technologies, a Russian IT firm sanctioned by the US government, hosts conventions that the FSB and the GRU use as recruiting events.60 The US Treasury Department stated in April 2021 that the FSB cultivated and coopted the ransomware group Evil Corp.61 The FSB had apparently given one of Evil Corp’s alleged members, Igor Turashev, enough cover to register three Russian companies in his name, in a building known for crypto firm money laundering.62 Despite this apparent brazenness, most nonstate hacker recruitment occurs in the more obscure corners of the Russian cyber web. As journalist and Russian intelligence expert Andrei Soldatov has said, “We know there is a huge pool of capable talent, and at least some people who are willing to do things that are suggested to them. We know such things are being done. What we don’t know is how or why such orders are formulated, and who exactly may be involved.”63 To Soldatov’s point, different elements of the Russian security apparatus may tap hackers for different purposes, ranging from strategic to highly tactical; nonstate hacker recruitment does not necessarily originate from the same level of the Russian government.

Beyond the outright backing and recruitment of nonstate cyber actors, the Kremlin also engages in other target activities, such as encouraging individuals to carry out cyber operations. Patriotic hacking groups are a prime example. These collectives, ranging from loosely to more formally organized, are composed of technically skilled people who conduct operations in line with government interests (or what they perceive as government interests). Some of these activities began with a domestic bent, such as the policing and targeting of regime critics online,64 but have since expanded into the foreign arena. Following the Russia-originating cyber operations against Estonia in 2007, a representative of the Unified Russia party said his assistant—a member of the pro-Kremlin youth group Nashi—participated in the attacks.65 During the 2008 Russo–Georgian War, it appears patriotic hackers may have taken part in launching DDoS attacks against Georgian websites.66

These individuals genuinely believe they are expressing patriotism for the Russian nation. An analysis of pro-Russian and pro-Ukrainian patriotic hacker Twitter posts between 2014 and 2017, after the Putin regime’s invasion and annexation of Crimea, found that the hackers created a “popular, even populist identity” online based on patriotism.67 In 2007, malicious web queries transmitted to Estonian websites by Russian actors (believed to be patriotic hackers) invoked false claims of fascism in reference to Andrus Ansip, Estonia’s then-prime minister, with phrases such as “ANSIP_PIDOR=FASCIST,”68 echoing a nationalistic narrative espoused by members of the Russian parliament.69

Meduza reports that several Russian-speaking, nonstate hackers identified the 2008 Russo–Georgian War as a catalyst for Russian intelligence service recruitment of patriotic hackers.70 There has recently been speculation about the Russian government encouraging the patriotic hacking of Ukrainian targets.71 Yet, hacks of this kind are not always state-directed. Something as simple as a Kremlin official getting on TV and criticizing a foreign country might be the only prompt a patriotic hacker needs to act. After browsing online forums that shared software for possible use to attack Georgia, journalist Evgeny Morozov said in August 2008:

In less than an hour, I had become an internet solider. I didn’t receive any calls from Kremlin operatives; nor did I have to buy a web server or modify my computer in any significant way.…Paranoid that the Kremlin’s hand is everywhere, we risk underestimating the great patriotic rage of many ordinary Russians, who, having been fed too much government propaganda in the last few days, are convinced that they need to crash Georgian websites.72

Speculation also exists that the Russian government encourages patriotic hacking to provide cover for state-run operations.

Although these individuals and organizations have permission to operate independently, Moscow does not hide its affinity for these hackers or their cyber capabilities. In a June 2017 meeting with international media, Putin compared patriotic hackers to painters, saying that “hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures.”73 He elaborated that “hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.”74 Explicitly directed or not, Putin is well aware that patriotic hackers are a component of the Russian cyber web that the government can leverage at will.

Otherwise, most Russian state involvement with nonstate hackers is ill-defined. The Russian hacking group Evil Corp, indicted by the United States in November 2019 and sanctioned that December, is an illustrative example.75 The group is run by Maxim Yakubets, a Russian hacker reportedly married to Alyona Eduardovna Benderskaya, the daughter of Eduard Bendersky.76 A former FSB Spetsnaz officer, Bendersky owns multiple private Russian security firms and, according to Bellingcat, is a “de-facto spokesman for Department V” or Vympel,77 the FSB’s externally focused “antiterrorist” unit that has carried out multiple overseas assassinations.78 Since 2017, the year he and Bendersky’s daughter presumably married, Yakubets79 Yakubets has been in the process of getting a Russian government security clearance since April 201880 He is still at large in Russia, despite alleged Russian arrests of affiliates of a different ransomware group, REvil, in February 202281 that had provided a glimmer of (wishful) hope that Moscow was, in fact, actually cracking down on ransomware and other cybercriminal activity. One senior US official, for example, had—quite idealistically—told reporters following the REvil arrests that “these are very important steps, in that they represent the Kremlin taking action against criminals operating from within its borders, and they represent what we’re looking for with regard to continued activities like these in the future.”82

[Hackers] wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.”

Vladimir Putin, June 2017

Putin does not control all these groups, and even if the FSB does engage with a hacker on a local level, Putin is (by and large) not involved in the day-to-day minutiae. Nevertheless, the Kremlin clearly allows cybercriminals and other nonstate hackers to thrive in Russia. Moreover, for the largest groups in the cyber web, the regime to a certain extent actively decides to look the other way. Given these circumstances, the next section discusses the benefits the regime gets, or perceives it gets, from leveraging this network of Russian cyber actors.

The risks and benefits of the cyber web for the Kremlin
From the Kremlin’s perspective, the web of Russian cyber actors—from nonstate patriotic hackers and cybercriminals to state-funded front companies—can provide numerous benefits. Principally, the returns include deniability, the power to wage covert political warfare below the threshold of outright war, and potentially reduced costs to maintain cyber capabilities. Additionally, the economic benefits should not be downplayed. While exact figures are hard to come by, cybercriminals are clearly bringing money into Russia, with billions of dollars estimated to have been raked in already by 2014.83 In 2021 alone, it was reported that 74 percent of global ransomware revenue went to Russian hackers, to the tune of $400 million in cryptocurrencies.84 That said, this activity also comes with many risks, including having to deal with competence and discipline issues that contribute to political-criminal tensions within hacking groups, undermining effectiveness. Recruiting from overlapping groups can also lead to political problems when the hackers act outside their remit or no longer work for the state but are identified as state actors. There is a simultaneous interplay between all these dynamics.

As noted, deniability is a pivotal factor in the Kremlin’s strategic and operational decision-making. Putin is not a micromanager.85 Instead, he operates an “adhocracy” that allows elites to “become policy entrepreneurs, seeking and seizing opportunities to develop and even implement ideas that they think will further the Kremlin’s goals.”86 In practice, this creates ambiguity and, from the Kremlin’s perspective, plausible deniability.87 This approach is particularly conducive to cyber and information operations because they can be conducted remotely from behind a computer screen. Some argue that this deniability is implausible, correctly pointing out that Moscow often poorly obscures links between Kremlin officials and supposedly non-state-affiliated proxies,88 such as in the case of the patriotic hackers targeting Estonia, Georgia, and Ukraine. In some instances, Russian officials blatantly lie, even when faced with overwhelming evidence to the contrary. In 2018, when Dutch intelligence caught and publicly exposed the GRU Unit 26165 operatives who flew to The Hague to disrupt the OPCW investigations, one retired Russian lieutenant general said, “You say this is evidence. It’s not evidence to me. Russian intelligence was believed to be among the best in the world. Now you want to present a bunch of fools, absolutely incompetent, absolutely stupid, non-professional idiots? It’s insulting.”89

Regardless, the Kremlin does have periods when it can deny knowledge of, association with, and/or responsibility for cyber and information activities. While the ongoing war in Ukraine is an example of (Western) government intelligence exposing Russian plans and activities in near to real time, there are many prior instances when the state had plenty of time to deny cyber operations emanating from Russia before evidence emerged.90 This ambiguity between the Russian government and cyber actors—whether a GRU front company or a ransomware group working with an FSB officer—gives the Kremlin space, however small, to claim no involvement. The fact that this is sometimes genuinely true, like when the Russian government permits cybercriminals to do what they want without actively supervising or directing them, helps bolster Moscow’s objections. Moscow can engage with other governments knowing that sometimes, its denials of involvement are true and in cases when it is not (such as when the government is, at minimum, complicit in choosing not to investigate certain cyber operations), officials can lean into the ambiguity that surrounds its control over the Russian cyber web. Leveraging this extensive and opaque web of cyber actors also enables the Kremlin to make absurd demands of the United States, such as in June 2021, when Putin said that Russia would allow the extradition of cybercriminals to the United States, if the US government would agree to do the same for Russia.91 Touting these bad faith gestures as genuine attempts at diplomacy is reminiscent of the Kremlin’s legalistic approach to international norms on cyber issues more broadly, with legal concepts about “sovereignty” cited to promote a government-controlled vision of the internet.92 Furthermore, even if deniability is “implausible” to outside observers, that does not mean the claim is worthless. As Rory Cormac and Richard Aldrich have argued, implausible deniability can still exploit a target’s decision-making gaps, building powerful narratives (e.g., around Putin’s omnipotence) and signaling resolve, among other benefits.93

Leveraging the cyber web empowers Moscow to wage political warfare in what the West would call the “gray zone,” below the threshold of armed conflict. The Russian state has a history of operating in the sphere of political warfare, and recent Russian military thinking has carried this mindset into the modern age. Valery Gerasimov, Chief of the General Staff of the Russian Armed Forces and First Deputy Defense Minister, wrote an article in 2013 arguing that “the role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”94 While often wrongly cited as the “Gerasimov doctrine,” when it is neither a doctrine nor binding,95 and often used to incorrectly argue that hybrid warfare is a new kind of Russian thinking,96 the article nonetheless recognized the importance of nonmilitary tactics in modern conflict. As Eugene Rumer explains, Russia’s foreign and military policy over the last two decades clearly emphasizes that “military power is the necessary enabler” of what many refer to as hybrid warfare, where “hybrid tools can be an instrument of risk management when hard power is too risky, costly, or impractical, but military power is always in the background.”97

Leveraging the cyber web empowers Moscow to wage political warfare in what the West would call the “gray zone,” below the threshold of armed conflict.”

The Russian government can employ these measures continuously by leveraging the Russian cyber web both during war and peace. For decades, the Russian state has leveraged private Russian technology companies and their technical personnel to support state cyber and information operations. Through the FSB and other security agencies, the Kremlin has used hackers to assist with espionage and other activities below the threshold of armed conflict. It has even permitted ransomware and cybercriminal groups to thrive, so long as they toe the Kremlin’s political line and focus on foreign targets. The Kremlin can also leverage cyber operators in gray zone conflicts, such as its illegal invasion and annexation of Crimea in 2014, and its encouragement of patriotic hackers to go after Ukrainian targets. From the Kremlin’s perspective, all of this is an inherent benefit of having a large network of cyber actors to leverage as needed.

Operating in the gray zone with proxies also conveys the benefit of creating uncertainty for adversaries about how to respond. The cyber and information operations that targeted US elections, for instance, generated intense debates in the United States about if and how to respond; if a response were taken, concern about how to employ different ladders of escalation and to classify that action under international law resulted in the US government hesitating to take forceful action. According to the Senate Intelligence Committee’s investigation into Russia’s 2016 election interference, Obama administration officials were concerned about “appearing to act politically on behalf of one candidate, undermining public confidence in the election, and provoking additional Russian actions.”98 This reluctance to act, including the associated political concerns, illustrates the benefit the Russian government receives from the below-threshold nature of internet-based political warfare. Individual actors might engage in phishing and ransomware attacks most days of the week, with one day set aside to steal data for a GRU officer. In this way, Moscow effectively blurs the lines between criminal activity, independent technology development, and espionage, muddling Western policy responses.

Finally, the ability to tap into a nebulous web of cyber actors also means that the Kremlin can leverage capabilities without the need to constantly supervise everything. There is, once again, a spectrum of financial, training, and supervisory costs. The front companies that run FSB, SVR, and GRU cyber and information operations ostensibly pay for by those activities themselves, leveraging intelligence personnel (although that is unclear). The Internet Research Agency and state-supporting companies like Neobit operate in an undefined zone, where Putin cronies spend state-granted wealth and the Russian government contracts nonstate support and capabilities. Then there are the many cybercriminals, patriotic hackers, legitimate Russian IT company employees, and others who may operate independently, but do so with the state’s permission and may receive requests to redirect resources to government activities. The publicly available evidence is anecdotal, but these efforts sometimes cost the government next to nothing. In the previously mentioned 2017 indictment of two FSB officers, one of the hackers confessed that he was paid about $100 “for each successful hack,” wired by the FSB through PayPal, WebMoney, and other non-Russian online payment systems.99

While leveraging non-state actors in the Russian cyber web saves the Kremlin resources in some cases, the government may have to deal with competence and discipline issues;100 cybercriminals might not operate with the same diligence as state hackers. Individual programmers recruited to develop capabilities for the state are likely untrained in Russian government methods of secrecy protection. Patriotic hackers might not use very sophisticated tools and instead, as the reporting suggests, use off-the-shelf capabilities posted on web forums.

Dueling political and criminal dynamics can also generate internal fractions within hacker groups, which affects their ability to operate for the state. Leaked documents from the Russian hacker group Conti, for instance, highlighted divisions over the group’s official position on the war in Ukraine.101 The government itself might not coordinate operations very well either. Analysts already debate whether the GRU and the FSB coordinated the hack on the Democratic National Committee in 2016,102 and the Russian security services, in general, have a long history of turf wars and infighting.103 It is possible that multiple Russian security organizations—or even multiple units within a single Russian security organization—recruit hackers for overlapping purposes, such as developing information interception capabilities or launching destructive cyber operations that generate additional complexities.

There is also the risk of an actor becoming so closely associated with the government that they create problems when they act in line with their own preferences—the actor or group may no longer be working with the Russian government, but others might assume otherwise. Theoretically, a Russian government agent could be held internally responsible for this kind of activity, with superiors believing that the agent was sanctioning a cybercriminal operation like stealing from Russians or going after politically sensitive targets abroad. Other hypothetical cases could involve an entire government organization being blamed by the Kremlin for how it handled a relationship with a cyber web actor. In this sense, the risk of cyber actors behaving out of line could range from individual-level repercussions to broader ones, generating a different set of issues for government officers to worry about. Some scholars have argued that, in general, governments empowering proxies with “more expansive, or less restrained, political agendas” can lead to escalatory situations,104 although that remains unclear in practice.

Recommendations and conclusion
Putin does not control every cyber operation within Russia, nor does the Russian government manage every single cyber actor in the country. It is highly unlikely that senior Kremlin officials are discussing a small-scale Russian phishing ring or a group of Russian hackers targeting Western credit card companies. FSB officers who recruit cybercriminals on an as-needed basis likely have no desire to manage the day-to-day activity of that cybercriminal operation. However, the Putin regime inherited, and now cultivates, an extensive network of cyber actors in Russia. The government rarely engages with some elements of this network, even at a local law enforcement level, but it recruits, encourages, and may even directly finance other constituencies. Moscow creates an environment in which cybercrime thrives (including by permitting corruption to flourish) and, in doing so, protects many cybercriminals in Russia. The United States and its allies and partners must gain a better understanding of this network and of Russian cyber and information capabilities, especially as they try to disrupt operations coming out of Russia. Russia should also act as a case study for how a government can cultivate and leverage a large web of cyber and information actors to augment its power. In particular, the United States and its allies and partners should note and consider the following actions.

Takeaway: The Putin regime perceives that it benefits—and in many cases, does materially benefit—from leveraging the Russian cyber web because it can claim deniability, has more power to wage covert political warfare below the threshold of outright war, and has potentially lower costs for cyber capabilities. Cybercriminals also bring money into Russia, an increasingly important factor for a heavily sanctioned country with a declining economy. Overall, the Putin regime has many incentives for continuing to allow cybercrime to thrive in Russia, as well as for creating front companies, leveraging cybercriminals and patriotic hackers, filching private company employees, and letting PMCs develop cyber capabilities.
Action: US policymakers, working with allies and partners, should focus more on understanding the incentive structure behind the Russian cyber web, the wide range of actors within it, and the relationships those actors have with the Russian government at different points in time. Some US public messaging—such as policymaker excitement about Moscow’s reported “arrests” of REvil ransomware members—does not reflect (or perhaps does not demonstrate) an understanding of the Russian government’s incentives vis-à-vis these groups. Alongside conversations about how to disrupt particular activities, US policymakers should also focus on understanding these particular incentives. For example, cybercriminals who target individuals in Russia as well as the United States are much more likely to attract Russian government enforcement actions than cybercriminals who just target US individuals. This would be a relatively more effective area to direct US law enforcement cooperation with Russia than, say, ransomware actors who have no impact on the Russian population. Targeting cybercriminals who moonlight as government hackers to “put them out of business” could similarly leverage the incentive structure of the Russian cyber web by indirectly going after the state’s capabilities. If these cybercriminals cannot afford to keep the lights on, then those hackers are also unable (at least in the immediate sense) to use those capabilities for the state’s benefit when the government comes knocking. US policymakers must understand this incentive structure to develop the most effective responses.

Takeaway: Putin does not control every cyber operation conducted within and from Russia. Although he personally ordered the efforts to influence the 2016 US election,105 many cybercriminals (like those conducting phishing scams) do not receive direct instructions from the top levels of the Russian government. There are also many elements of Russia’s security apparatus that recruit nonstate hackers directly (e.g., through a local FSB office), which means that high-level Kremlin knowledge of specific recruitment activities is unclear. Nonetheless, the fact remains that the Putin regime cultivates and actively leverages different actors in the Russian cyber web, and it could take action against specific groups if it chooses.

Action: The US government should be precise about how it specifies and communicates the type of relationship the Russian government has with a given Russian cyber actor. If US policymakers continue to engage with the Putin regime about cracking down on nonstate hackers, particularly cybercriminals, they should identify whether the state actively recruited or engaged with a particular hacking entity before branding it a state-affiliated actor. Within the realm of state-linked actors, the US government should specify in public messaging, internally or in private discussions with Russian counterparts—depending on the case—what that link looks like, such as financing and supervision, ad hoc recruitment, or tacit approval. This matters because establishing any consistency or escalation ladder in the US response will require matching that response to factors such as the group, the group’s actions, and the degree of Russian government involvement. The need for consistency also applies to public messaging, accurately distinguishing between espionage, disruptive attacks, hack-and-leak operations, and other actions. The degree of Russian government involvement in a cyber operation or with a cyber group may determine whether the responses taken by the United States and its allies and its partners target the actor behind the keyboard or specific parts of the Russian government. This is not to say that the Putin regime does not share responsibility for allowing a cybercriminal ecosystem to flourish (it does), nor that the prospects for US–Russian diplomatic engagement on cyber operations are great (they are not),106 but that an effective response must begin with a nuanced grounding in the Kremlin’s spectrum of engagement with hackers.

Takeaway: Even though modern internet capabilities enable unprecedented levels of microtargeting and global reach, Russian government thinking around information technology draws on decades of Russian political and security culture. Russian thinking centers around information security, taking a sweeping view of the modern information environment and how the state should shape it. This view does not make the same, firm distinctions between cyber operations (e.g., in code) and information operations (e.g., in human-readable content) that the United States and its allies and partners do. Cyber and information operations reside within a broad set of Russian government political warfare activities, which, on the whole, emphasize deniability, covertness, the use of proxies, and operations below the threshold of armed conflict, among others.

Action: When talking, writing, and thinking about Russian cyber and information operations, US, ally, and partner policymakers, as well as intelligence analysts, must focus on the Russian government’s unique views on the internet and information space, rather than projecting their own perspectives. Unfortunately, too many publications and analyses from the United States and other governments fail to grasp Russia’s viewpoints, such as dismissing Russian statements about the global internet as mere propaganda and not genuine Kremlin belief. This is not to say that the Kremlin’s more paranoid views about color revolutions or the internet as a CIA project are legitimate, nor that Moscow’s thinking is the most effective in practice. Perhaps the concept of information security is beneficial for its perceived cohesion, or, possibly, because it becomes so encompassing that it hampers actual operational and tactical action. However, understanding the Kremlin’s view of cyber and information activity, and situating it within other Russian thinking about political warfare and nonmilitary means of conflict, will move the United States and its allies and partners toward a more accurate picture of Russian cyber and information behavior. Arriving at this deeper understanding of Kremlin thinking will help the United States calibrate better policy responses to Russian government behavior, as well as predict how Moscow might respond to certain US actions.
It is impossible to predict how the Russian cyber ecosystem will evolve in the coming months and years, particularly as Western sanctions continue to erode the Russian economy. Additionally, Russia is facing an IT “brain drain,” with technological talent fleeing the country for more economically stable—as well as freer and safer—work environments. That said, Russia’s web of cyber actors does not appear to be disappearing, which makes deciphering it all the more vital for grappling with the Kremlin’s political warfare and how it uses nonstate actors to augment cyber and information power.