Contrary to popular belief, Vladimir Putin does not control every Russian cyber operation. Many Russian cybercriminals operate without active state backing. Patriotic hackers and criminal groups align with the state on an ad-hoc basis. Proxy organizations and front companies conduct Kremlin operations under a veil of deniability.

Untangling this complex web is essential to track and combat the Russian government’s cyber operations.

Start with private cybercrime. After the Soviet Union imploded, economic decline and political instability contributed to an explosion in crime, including cybercriminal activity. Sophisticated criminal operations emerged. They focused on software piracy, expanding soon into operations to hack banks and steal digital identities. By the time Vladimir Putin ascended to the presidency in December 1999, cybercriminals thrived in Russia.

The Kremlin cultivates this web of cyber actors, leveraging it for purposes beyond hackers’ own criminal motivations. Government involvement ranges from active financing to tacit approval. In many cases, the exact nature of the relationship between the state and specific hackers remains unclear. Russia’s cybercriminals operate with a sort of Darwinian entrepreneurialism, taking their own initiatives while forming a quasi-symbiotic relationship with the state—a local Federal Security Service (FSB) official, for instance, will take money on the side to provide the “roof” (krysha) of protection for private hackers.

Among government-directed cyber warriors, no top-down, state-dominated cyber command exists. As Andrei Soldatov and Irina Borogan describe in their recent CEPA report, numerous agencies’ teams carry out Russian cyber operations. The FSB, the military intelligence agency (GRU), and the foreign intelligence agency (SVR) all have their own cyber units.

These organizations sometimes launch operations from within Russia and at other times send state operatives abroad to hack into targets. GRU Unit 26165 hackers traveled in 2018 to the Netherlands to hack into and disrupt the Organization for the Prohibition of Chemical Weapons’ investigation into the poisoning of Russian defectors Sergei Skripal and his daughter.

The GRU, SVR, and FSB often set up front organizations and websites to spread disinformation. They use private companies like Neobit and AST to technically support their cyber operations, and the Russian intelligence community has even reportedly created fake “IT” companies to covertly run operations.


The FSB recruits programmers and cybercriminals. Around the time of the Russo-Georgian War in 2008, Russian intelligence agencies tried to create an online forum to recruit hackers to attack Georgian targets. In September 2015, independent media outlet Meduza reported that state-run defense company Rostec attempted to contract private developers to improve the government’s DDoS attack capabilities. Two years later, the Justice Department indicted two FSB officers for paying cybercriminals to hack into Yahoo.

Russian officials encourage so-called patriotic hackers, who genuinely identify as patriotic, to launch operations against foreign targets. When the Estonian government relocated a statue of a Soviet soldier in 2007, Russian hackers echoed the Kremlin’s bogus cries of “fascism.” Putin himself has said hackers are “like artists,” explaining that “they wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.”

Russian state involvement with nonstate hackers often remains blurry. Maxim Yakubets runs the hacking group “Evil Corp.” He reportedly married the daughter of a former FSB officer, described as a “de-facto spokesman for Department V,” or Vympel, the FSB’s externally focused “antiterrorist” unit. Since the marriage, Yakubets has worked for the FSB, “to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf,” and is even in the process of getting a Russian government security clearance.

US and European policymakers should focus on understanding this web of Russian cyber actors—and the shifting and thorny nature of the relationships between these actors and the Russian government. US public messaging often fails to reflect an understanding of how these groups operate. Policies, for example, could target cybercriminal revenue streams as a way of undermining the Kremlin’s ability to recruit highly skilled nonstate hackers.

The Putin regime is responsible for allowing a cybercriminal ecosystem to flourish. Prospects are dim for US and European diplomacy with Moscow on cyber issues, particularly in the domain of offensive operations. An effective response must begin with a nuanced grounding in the Kremlin’s spectrum of engagement with hackers.

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative and the author of the recent report “Untangling the Russian Web.”

This article is part of the Center for European Policy Analysis (CEPA)’s ongoing work to better understand Russia’s cyber operations and command and control structure. A recent report by Andrei Soldatov and Irina Borogan, “Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities,” found that Russia’s cyber arsenal consists of a complex web of actors, not an efficient, centralized, top-down operation. As Justin Sherman argues, untangling this web is an important step toward preventing future attacks.

Related report: “Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities,” by Andrei Soldatov and Irina Borogan, September 8, 2022. In the unsettling landscape of Russia’s ongoing war in Ukraine, cyber remains one of the most enduring mysteries.

This publication was funded by the Russia Strategic Initiative, US European Command, Stuttgart, Germany. Opinions, arguments, viewpoints, and conclusions expressed in this work do not represent those of RSI, US EUCOM, the Department of Defense, or the US Government. This publication is cleared for public release.
