October 28, 2022 | CEEW Monograph

Possible Futures for Russia’s CEEW Playbook

October 28, 2022 | CEEW Monograph

Possible Futures for Russia’s CEEW Playbook


Over the past four years, Russia has used cyber operations to engage in espionage, disinformation campaigns, and supply chain disruptions. While the tools and tactics of each operation vary, their overarching goal is to weaken the United States through a digital assault on its diplomatic, intelligence, military, and economic wherewithal. The Kremlin has embraced an asymmetric strategy because it lacks the economic and conventional military might to compete directly with the United States.1 Indeed, Russia uses non-kinetic, covert, or deniable means such as CEEW.

Russian cyber operations have historically focused on military and political targets. But over the past decade, these operations have increasingly targeted economic assets such as critical infrastructure and software products.2 As Boris Zilberman explained in his 2018 FDD study on Russian CEEW, Moscow initially focused on infiltrating technology supply chains.3 These “beachheads” enabled Russian incursions into targets ranging from private-sector assets to public-sector data repositories. Now, Moscow’s focus has broadened further, aiming to “gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” according to a Microsoft report.4

American policymakers have long been aware of Chinese cyber-espionage operations within the U.S. economic sphere and have, of late, recognized China’s CEEW activity. However, U.S. officials have often underemphasized the economic impacts and indirect strategic effects of Moscow’s cyber operations, focusing more on the threat of Russian cyber-espionage and disinformation operations. It is now clear that Russia has the intention and capability to undermine key parts of the American economy.5

This chapter begins by examining two critical facets of Russian cyber strategy. First, the Kremlin has vigorously used cyber means to consolidate President Vladimir Putin’s political and economic control in Russia. However, the System of Operative Search Measures (SORM), Moscow’s surveillance dragnet, is not only a tool for domestic control but also a likely enabler of CEEW operations abroad.

Second, Russia is increasingly proficient in preventing Washington from definitively attributing hostile cyber actions to the Russian government. This is consistent with Russia’s long tradition of muddying the information space, including through cyber-enabled influence operations against economic targets to advance Russia’s strategic interests. Moscow obscures attribution by cooperating with cybercriminals. It has created a permissive environment for them in Russia that has helped fuel a cybercrime epidemic abroad, including Russian ransomware attacks against U.S. critical infrastructure. In addition, Russia’s intelligence services seem to understand, perhaps better than American lawmakers, the constraints on the U.S. intelligence community when a foreign adversary shifts — physically or virtually — from operating outside of America’s borders to operating from within.

After exploring these components of Russian strategy, this chapter presents two case studies showing how these techniques and tactics are operationalized. The chapter concludes with policy recommendations to help the U.S. and allied governments combat the Russian CEEW threat.

Russian CEEW Through the Lens of SORM

A systematic analysis of SORM sheds light on Moscow’s current and future cyber tactics. SORM enables Russia’s security services to monitor network traffic in Russia, including communications with the West — thereby helping to identify access vectors into the networks of Western companies. Moscow could use this access to obtain intelligence to provide Russian firms with advantages over their Western competitors.

An outgrowth of the KGB’s telephonic monitoring system, SORM allows Russia’s Federal Security Service (FSB) nearly unfettered access to all phone and internet-based communications that travel in or through Russia.6 Russia’s other security services can request access to SORM as well. The system sits on top of existing internet infrastructure and integrates with other platforms so that a wide range of assets can be monitored.7 Moscow requires telecommunications companies, internet service providers, and social media companies to install SORM equipment.8 Since 2013, Moscow has also required Russian telecommunications providers and foreign technology companies to retain their data inside Russia.9 Applications must be “SORM-compatible” to operate in Russia,10 and the Russian government has issued large fines for non-compliance.11

In a 2018 publication for Lawrence Livermore National Laboratory, researcher J.A. Kerr predicted that SORM-related surveillance technologies and accompanying legal frameworks will continue to proliferate “across the former Soviet region, as these states share legal and institutional legacies, participate in common regional organizations, and also often share overlapping media markets and Internet resources.” Likeminded regimes may grant Moscow access to their systems because they are indebted to Russia or to augment their own domestic surveillance capabilities. Russian hackers may also find these systems easier to penetrate because of their similarity to Russian systems. Kerr added that “experimentation and learning around information control at home can drive advances in ‘political’ or ‘information’ warfare capabilities in international competition.”12 The same holds true for augmenting CEEW capabilities; information collected can help guide the timing and targeting of attacks against adversarial economies.

Russia refined its surveillance techniques during the 2014 Winter Olympics in Sochi, where the Kremlin used SORM to monitor both Russian dissidents and foreigners. The FSB monitored every athlete, coach, journalist, politician, diplomat, company, vendor, and spectator who attended the games. Putin even placed senior FSB counterintelligence official Oleg Syromolotov in charge of Olympic security.13

At the time, the U.S. State Department’s Bureau of Diplomatic Security warned that “trade secrets, negotiating positions, and other sensitive information may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.”14 For Moscow, the Olympics were an opportunity not only to showcase Russian athleticism and culture, but also to collect data for Russian CEEW efforts.15 Every company or vendor that attended the games put at risk proprietary trade secrets and valuable IP that the FSB could funnel to state-backed entities or use to undercut or extort their competitors.

Such SORM-enabled surveillance would be particularly advantageous for the Russian energy sector. The Russian partner in any joint venture with a foreign firm — be it a state-owned bank such as Sberbank or state-controlled energy giant Rosneft — could employ surveillance that facilitates cyber-espionage against its foreign partner, including data acquisition outside the scope of the joint venture. For example, information gleaned through joint ventures with Saudi Arabian firms — such as those to which Riyadh agreed during Putin’s October 2019 visit — could empower Moscow during a potential reprisal of the 2020 Russian-Saudi oil price war.16

Intergovernmental agreements on cybersecurity could also facilitate Russian CEEW through SORM. Russia has signed dozens of such agreements.17 Any time foreign systems are connected to Russia, Moscow’s intelligence services can use SORM to penetrate foreign entities by using information that passes through Russian phone exchanges, including calls, messages, and other data.18 Washington and its allies and partners need to better understand how SORM facilitates covert Russian access to international trade and commerce data.

Russia Leverages the Complications of Attribution 

After a cyber-enabled attack, identifying the perpetrator is not simple. To be sure, U.S. intelligence and private cybersecurity firms can track packets of information, malware, and network infrastructure around the world. But the need to correlate that information with signals and human intelligence as well as assessments of the attacker’s tradecraft may complicate the government’s ability to quickly determine the party responsible. And absent “high confidence and timely assessments,” explains cybersecurity analyst Sarah Freeman, “accountability within the international space cannot be guaranteed.”19

Russia — like all sophisticated cyber actors — understands these challenges and therefore uses multiple tactics to delay attribution and frustrate Washington’s ability to respond. Beyond strategies to evade detection and complicate attribution at a technical level, Moscow also employs cybercriminals and other non-state hackers to obscure its role. The U.S. government and the press have documented this longstanding FSB practice.20

Beyond sowing disinformation and hiding behind cyber proxies, Russia is adept at exploiting protections guaranteed under the U.S. Constitution. In a May 2018 speech, then-General Counsel of the National Security Agency (NSA) Glenn Gerstell raised the possibility that the Fourth Amendment (barring unreasonable searches and seizures) may hamstring U.S. efforts to stop cyberattacks when the hackers operate from within the United States. In effect, once foreign adversaries step onto U.S. shores (whether physically or virtually), they receive protections under the U.S. Constitution and cannot be surveilled to the same extent as when they are abroad.

Gerstell noted that U.S. “privacy laws in this area are generally backward looking,”21 having failed to keep pace with rapidly evolving technology. For example, the legal definition of search and seizure has not adapted to account for when law enforcement authorities are pursuing bits or bytes that can be moved or destroyed in a millisecond. Nor has the law adequately grappled with what it means to be on U.S. soil when computer network infrastructure is global.

As Cyber Command and NSA chief General Paul Nakasone noted in March 2021 following the SolarWinds attack (described below), America’s cyber adversaries understand and exploit legal constraints on U.S. authorities. The issue is not that U.S. intelligence and law enforcement “can’t connect the dots,” he explained. Rather, they “can’t see all of the dots.” Even when the intelligence community can “see what is occurring outside of the United States,” America’s “adversaries understand that they can come into the United States,” use American internet service providers to conduct a malicious operation, and then quickly dismantle the infrastructure before U.S. civilian authorities can obtain a warrant and begin surveillance. Nakasone pleaded with lawmakers to enable the U.S. government (but not necessarily the NSA or Cyber Command) to increase its visibility into adversarial cyber-enabled attacks against government and private-sector entities.22

Case Studies

Russian cyber operations span a wide spectrum and exploit both software and hardware. While the motivations behind attacks vary, the capabilities employed reveal Russia’s range of tools and how it exploits both SORM and the seams in American cyber defenses.

SolarWinds: Exploiting the Seams

Russia is exploiting attribution challenges and gaps in U.S. intelligence capabilities as it seeks to gain footholds throughout the global information technology supply chain. From these footholds, it can launch further cyber operations.23 The SolarWinds operation provides a case in point.

In December 2020, the cybersecurity firm FireEye discovered that hackers, later determined to be associated with Russia’s Foreign Intelligence Service (SVR), had compromised the Texas-based software company SolarWinds’ Orion network management software. The hackers then used that access to produce and distribute malware to roughly 18,000 of the software’s users across the U.S. government and private sector.24 Once the victims inadvertently installed the Russian malware, the program deployed measures to evade detection,25 then opened a backdoor through which the attackers conducted follow-on operations against select victims.26 The Pentagon and intelligence agencies appear to be the only government bodies that avoided compromise. The hackers also compromised numerous private-sector entities, including major technology firms, hospitals, power companies, and financial institutions.27

During a press briefing at the White House on February 17, 2021, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger tells reporters that nine federal agencies and around 100 companies were impacted by the SolarWinds hacking event. (Drew Angerer/Getty Images)

While the malware’s technical components helped prevent detection, there was a bigger problem: U.S. intelligence was nearly blind to the hackers’ activity. Anne Neuberger, deputy national security advisor for cyber and emerging technology, plainly stated: “The intelligence community largely has no visibility into private-sector networks. The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity.”28 The hackers seemed to understand this. They attacked at the seams of the U.S. government’s authorities, jumping from foreign to U.S. infrastructure, renting servers from American “infrastructure-as-a-service” (IaaS) providers such as Amazon and GoDaddy before launching their intrusion.29 In so doing, the hackers exploited the fact that domestic investigations are largely the purview of U.S. law enforcement and homeland security.

While the goal of the SolarWinds operation appears to have been espionage rather than a disruptive or destructive attack, the intelligence gleaned could undermine U.S. economic statecraft. For example, during the operation, the hackers searched U.S. government systems for information on potential sanctions against Russia.30 Such information could allow potential Russian targets to better hide or secure their assets, reducing the effectiveness of U.S. sanctions.

Likewise, the hackers compromised the National Telecommunications and Information Administration, which advises the president on telecommunications policy, including internet and electromagnetic spectrum policy. Penetrating that organization could enable Moscow to identify companies the U.S. government believes are “untrusted vendors,” thus enabling Russia to prioritize cyber-espionage against trusted vendors that will gain market share. Moscow could also glean how the U.S. government uses and prioritizes the electromagnetic spectrum, potentially enabling Russia to undermine U.S. government communications during a crisis.

Furthermore, Russian hackers could use this type of supply chain breach for a wide range of other nefarious purposes. Even if initially intended merely for espionage, gaining access to internal systems establishes a “beachhead” that Russian actors can use to exert influence, sow disinformation, or even launch disruptive or destructive attacks against the American economy.

As Zilberman warned in his 2018 study on Russian CEEW, the U.S. technology supply chain’s vulnerability poses a growing threat to U.S. national security and economic prosperity.31 After discovering the SolarWinds hack, the Biden administration took initial steps to address this threat, such as launching a supply chain review and issuing an executive order that increased cybersecurity and software transparency requirements for federal contractors.32 Still, much more remains to be done.

Ransomware: Getting More Than Their Money’s Worth

Ransomware groups are taking a toll on the U.S. economy as the frequency and severity of attacks skyrockets. Russia is home to many of the attackers.33 As much as three quarters of all ransomware revenue in 2021 “went to organizations highly likely to be affiliated with Russia in some way,” the blockchain data firm Chainalysis concluded.34

While the Russian government’s role in these attacks remains unclear, Moscow has created a permissive environment for cyber criminals.35 A cache of leaked files from the Russia-based ransomware group Conti, for example, indicated these hackers enjoyed a mutual understanding with Russian authorities.36 In return for making their services available to the state when required, Russian cybercriminals are generally free to continue hacking so long as they “don’t ever work against [Russia or Russian] businesses,” as Karen Kazaryan, CEO of the Moscow-based Internet Research Institute, put it. “If you steal something from Americans, that’s fine.”37

The chaos and damage these cybercriminals can cause was on full display in May 2021, when the Russia-based gang DarkSide launched a ransomware attack against Colonial Pipeline.38 Colonial supplies over 45 percent of the fuel consumed on the U.S. East Coast and provides critical support for military, residential, and commercial facilities.39 The U.S. government therefore considers Colonial Pipeline to be critical infrastructure — that is, infrastructure “considered so vital to the United States that [its] incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”40

On May 7, 2021, the hackers sent Colonial a note saying they had “exfiltrated” company data and encrypted its information technology systems, offering to return the files for $5 million.41 The company immediately shut down all 5,500 miles of its pipelines to stop the malware’s spread and to protect the company’s operational networks.42 Ultimately, Colonial paid the ransom after shutdowns caused gasoline shortages and major disruptions to land and air transportation across the East Coast, prompting the Federal Motor Carrier Safety Administration to declare a state of emergency.43

Less than two months later, another ransomware attack, this time attributed to the Russian ransomware group REvil,44 hit meat processing company JBS. The world’s largest meat company by sales and the processor of one-fifth of America’s meat supply, JBS paid the $11 million ransom.45 President Joe Biden warned Putin to “take action” against Russia-based cybercriminals, threatening consequences if Russia failed to act.46

While Biden continued to raise these issues during bilateral conversations with Putin over the following six months,47 U.S. officials found “no reduction in the overall pace of ransomware attacks” since the previous summer,48 although attacks against high-profile targets apparently declined. “My guess is the Kremlin gave the message to criminals to stay off the front pages,” said cyber expert Jim Lewis.49 There is no public evidence, however, of such an order. It is equally likely that U.S. and allied counterattacks to confiscate ransomware profits and disable the network infrastructure of criminal groups convinced ransomware groups to refrain from attacking critical infrastructure.50

Unless held accountable by Washington and its allies, the Kremlin is unlikely to dismantle criminal enterprises that it can leverage for strategic gain. While Russia’s security services might not be responsible for all cybercrime emanating from Russia, SORM ensures that Moscow knows who the perpetrators are. If it wanted, the Russian government could shut them down. The criminal activity has “served too many valuable purposes,” Michael Daniels, a former White House cyber coordinator, noted.51 Even the FSB’s January 2022 arrest of REvil members, just as U.S.-Russia tensions were escalating ahead of the war in Ukraine, appeared to be geared toward sending a message to Washington, as opposed to cracking down on criminal hackers.52 That message: Russia could be helpful against cybercriminals if America acquiesces to Russia’s designs in Ukraine. As the war in Ukraine continued, Moscow dropped the charges and reportedly explored recruiting the REvil hackers to work for the state.53

In addition to directly harming U.S. companies, ransomware attacks by Russia-based cybercriminals could support Russian intelligence collection. The hackers who attacked Colonial Pipeline obtained about 100GB of data on some 5,180 current and former Colonial employees, including personally identifiable information.54 The FSB has a long history of using cybercriminals to collect intelligence abroad.55 The FSB could also use SORM to obtain the data stolen by ransomware groups. Therefore, the United States should assume Moscow can use information stolen by cybercriminals to support CEEW or other cyber operations.


In his 2018 paper on Russian CEEW, Zilberman provided recommendations aimed at increasing private-sector awareness of the risks posed by Russian technology companies. He urged Washington to safeguard U.S. supply chains from malicious technology and to deny Russia access to advanced U.S. technology.56

Even prior to Russia’s February 2022 invasion of Ukraine, the United States had done this. The Commerce Department has added Russian cyber entities to its growing Entity List, barring exports and re-exports of U.S. technology to designated entities and, in many circumstances, to Russia as a whole.57 The Treasury Department has imposed sanctions prohibiting transactions with designated individuals or entities.58 The Justice Department has charged numerous Russian state and criminal hackers.59 The issue has been featured in public congressional hearings.60 Since February, Washington has sanctioned numerous entities in the Russian technology sector, including ones supporting the Russian military.61

Moscow’s CEEW strategy, however, is purposefully broad, employs a variety of actors, and feigns ignorance regarding cybercrime emanating from Russian territory. As such, the U.S. government not only needs new and flexible approaches to deterrence and mitigation but also better intelligence collection and analysis regarding Russia’s CEEW playbook, including the role of SORM. It is also past time to consider whether and how some U.S. laws constructed prior to the cyber age may need to be revised.

1. Resource and prioritize intelligence collection and analysis concerning Russian CEEW. A better understanding of the officials and institutions directing and implementing Moscow’s cyber policies, operations, and technological development will help Washington predict — and hopefully deter or defend against — future Russian CEEW activities. Washington should focus particularly on gaining a thorough understanding of SORM and the relationship between Russia’s security services and the various cybercriminal groups operating in Russia.

2. Require IaaS providers to “know your customer.” Today, legitimate and illegitimate actors alike are utilizing off-site servers, cloud storage, and virtual machines for operational simplicity. These IaaS providers offer servers, storage, and hardware on demand. Companies use IaaS providers instead of investing in their own network servers. By requiring IaaS providers to conduct due diligence on their clients, Washington can help prevent hackers from using American companies to support cyberattacks. This information could also help law enforcement agencies hunt down malicious cyber actors. Anti-money laundering laws require financial institutions and others to conduct “Know Your Customer” due diligence on potential clients and to continuously monitor those clients’ use of their financial services. The U.S. government should require IaaS providers to do the same.
The Trump administration attempted to address this challenge by issuing Executive Order 13984, mandating regulations that require IaaS providers to conduct due diligence on their customers.62 President Biden wisely left the executive order in place.63
This is a good first step, but Washington works best when the executive and legislative branches act in unison. Executive Order 13984 would function better as a statute, with strict penalties for violations. Congressional hearings can further help to assess the threat IaaS poses and to produce effective legislation to counter it. 

3. Conduct studies on the tradeoffs between privacy and security for intelligence collection against adversarial foreign persons. In the years before the 9/11 attacks, al-Qaeda realized the United States had a vulnerable gap between law enforcement and intelligence authorities — a gap the terrorists exploited to deadly effect. Following 9/11, the legislative and executive branches worked collaboratively to help prevent future attacks against the homeland.
Today, by using IaaS providers to launch attacks, hackers can evade U.S. intelligence agencies, which cannot surveil domestic entities and individuals in the same way they can against targets abroad. As then-National Security Advisor Robert O’Brien stated in January 2021, “abuse of United States IaaS products” by malign cyber actors “has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of the United States firms FireEye and SolarWinds.”64 The executive and legislative branches must again wrestle with the authorities governing intelligence and law enforcement activity, both at home and abroad.

As technology evolves and surveillance by states, non-state actors, and private companies becomes more ubiquitous, the debate regarding privacy and security will only grow more heated. In the context of understanding and deterring Russian CEEW, however, one should frame the security vs. privacy debate through the lens of whether current Foreign Intelligence Surveillance Act requirements limit the intelligence community’s ability to collect against valid foreign targets once they arrive in the United States. U.S. adversaries know how to exploit these constraints. Congress should mandate a commission or direct government agencies to conduct an in-depth study of the costs and benefits of the prohibition against collection against non-U.S. persons physically or virtually located inside the United States. The first step in fixing this problem is to understand the current legal framework’s tradeoffs and limitations.

4. Increase analysis and public awareness of Russian CEEW information operations. Part of Washington’s challenge in countering Russian CEEW stems from a lack of understanding across the executive and legislative branches and by the American public. The U.S. National Counterintelligence Strategy for 2020–2022 noted that “defend[ing] against hybrid attack methods that involve supply chain, cyber, technical means and insider enabled attacks” requires, among other things, “deepening our understanding of our adversaries’ cyber and technical threat intent and capability.” It also necessitates “work[ing] across the whole-of-government, the private sector, and the American public to enhance mechanisms for information sharing and implement more effective defenses.”65
Congress and the executive branch must work together to fully resource and implement that strategy. For example, the aforementioned strategy notes that to achieve its goals, the intelligence community must “[d]evelop, train, and retain a cadre of cyber counterintelligence and technical security experts” to “allow for more rapid recognition of threats and vulnerabilities, and more agile responses and integrated approaches to counter adversary cyber and technical activities.” The intelligence community also needs “new capabilities to track and counter foreign cyber and technical operations against the United States and leverage partnerships with the private sector to develop effective countermeasures.”66

5. Enhance cyber diplomacy to combat ransomware and other cyber threats from Russia. Given its SORM capabilities, Moscow likely knows who is responsible for the cybercrime emanating from its borders but is unlikely to do anything about it. Washington needs a more robust diplomatic engagement strategy with U.S. allies to combat ransomware attacks and other cybercrimes originating in Russia.

Until recently, there had been no individual at the State Department with both the appropriate seniority and exclusive mission to take on this problem. In April, the department inaugurated its new Bureau of Cyberspace and Digital Policy, realigning teams across the department.67 A Senate-confirmed ambassador will lead the bureau. Congress should codify this new bureau into law. With congressional backing, the bureau and its leader can marshal the bureaucracy to communicate U.S. positions on cyber policy and rally U.S. allies to combat cyber challenges. This could include a concentrated effort at the United Nations, the Organization for Security and Cooperation in Europe, and elsewhere. It should also include ensuring European governments and companies understand SORM and how it puts European privacy at risk. The head of the new bureau should also lead efforts to counter the proliferation of SORM-related technologies and legal frameworks in developing countries.

Finally, Washington should also establish an Interagency Working Group (IWG) for ransomware, as recommended by the Ransomware Task Force. The task force stated that the National Security Council, Office of the National Cyber Director, State Department, Department of Homeland Security, Justice Department, Treasury Department, and other relevant IWG members “should engage international allies and partners to build a like-minded coalition against ransomware and ensure policy coordination.” The U.S. government should also “establish an international coalition to combat ransomware criminals” by “building [the] legal case against criminal actors, pursuing targets/groups through pooling resources and tools, and amplifying takedowns when they happen.”68


In 1972, the late RAND analyst Andrew Marshall (who later created the Pentagon’s Office of Net Assessment, which he ran for more than 40 years) wrote a classified report titled “Long-Term Competition with the Soviets: A Framework for Strategic Analysis.” Declassified in 2010, the report argued that Washington needed “improved models of Soviet decisionmaking processes,” and that more “account must be taken of the fact that Soviet force posture emerges … from a complex decisionmaking process involving many organizations with conflicting goals.”69

Today’s challenge is to understand Moscow’s CEEW decision-making process from the ground up — the technology on which it depends to gather data (SORM); the advantages Russian hackers perceive and exploit in the gaps in U.S. law enforcement and intelligence gathering authorities; and the personnel and policies that direct and operationalize Russian cyber and information operations. As Marshall surmised in that Cold War treatise, the U.S.-Soviet “competition will be prolonged — indeed, for planning purposes, endless.” So, too, with the challenge America faces from Russian CEEW.


  1. Robert Berls Jr., “The State of the Russian Economy: Balancing Political and Economic Priorities,” Nuclear Threat Initiative, July 13, 2021. (https://www.nti.org/analysis/articles/state-russian-economy-balancing-political-and-economic-priorities)
  2. Robert Windrem, “Timeline: Ten Years of Russian Cyber Attacks on Other Nations,” NBC News, December 18, 2016. (https://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111)
  3. Boris Zilberman, “Kaspersky and Beyond: Understanding Russia’s Approach to Cyber-Enabled Economic Warfare,” Foundation for Defense of Democracies, June 19, 2018. (https://www.fdd.org/analysis/2018/06/24/kaspersky-and-beyond-understanding-russias-approach-to-cyber-enabled-economic-warfare)
  4. Tom Burt, “New Activity from Russian Actor Nobelium,” Microsoft, October 24, 2021. (https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium)
  5. Bob Weiss, “A Timeline of Russian Cyber-Exploits,” WyzGuys Cybersecurity, December 21, 2020. (https://wyzguyscybersecurity.com/a-timeline-of-russian-cyber-exploits)
  6. Andrei Soldatov and Irina Borogan, The Red Web: The Kremlin’s War on the Internet (NYC: Hachette Book Group, 2015), pages 83–84.
  7. Adam Satariano, Paul Mozur, and Aaron Krolik, “When Nokia Pulled Out of Russia, a Vast Surveillance System Remained,” The New York Times, March 28, 2022. (https://www.nytimes.com/2022/03/28/technology/nokia-russia-surveillance-system-sorm.html)
  8. Alina Polyakova, “Russia is Teaching the World to Spy,” The New York Times, December 5, 2019. (https://www.nytimes.com/2019/12/05/opinion/russia-hacking.html). See also: Adam Satariano and Paul Mozur, “Russia is Censoring the Internet, With Coercion and Black Boxes,” The New York Times, October 22, 2021. (https://www.nytimes.com/2021/10/22/technology/russia-internet-censorship-putin.html)
  9. Zack Whittaker, “Documents Reveal How Russia Taps Phone Companies for Surveillance,” TechCrunch, September 18, 2019. (https://techcrunch.com/2019/09/18/russia-sorm-nokia-surveillance); Daria Litvinova, “Russia Fines Google for Violating Data Storage Law,” Associated Press, July 29, 2021. (https://apnews.com/article/technology-europe-business-russia-data-storage-8cfce05469d996b6342899a2195ce6df)
  10. Mitchell Clark, “Apple just gave Russia a spot on the iPhone to advertise its favorite apps to citizens,” The Verge, March 16, 2021. (https://www.theverge.com/2021/3/16/22334641/apple-follows-russian-default-apps-law-setup-screen-options-user)
  11. Andrei Soldatov and Irina Borogan, The Red Web: The Kremlin’s War on the Internet (NYC: Hachette Book Group, 2015), pages 211–212.
  12. Jaclyn A Kerr, “The Russian Model of Internet Control and Its Significance,” Lawrence Livermore National Lab, December 18, 2018. (https://www.osti.gov/servlets/purl/1491981)
  13. Shaun Walker, “Russia to Monitor ‘all communications’ at Winter Olympics in Sochi,” The Guardian (UK), October 6, 2013. (https://www.theguardian.com/world/2013/oct/06/russia-monitor-communications-sochi-winter-olympics); “The 2014 Sochi Winter Olympics: Security and Humans Rights Issues,” Congressional Research Service, January 26, 2014. (https://fas.org/sgp/crs/misc/R43383.pdf)
  14. Shaun Walker, “Russia to Monitor ‘all communications’ at Winter Olympics in Sochi,” The Guardian (UK), October 6, 2013. (https://www.theguardian.com/world/2013/oct/06/russia-monitor-communications-sochi-winter-olympics)
  15. Andrei Soldatov and Irina Borogan, The Red Web: The Kremlin’s War on the Internet (NYC: Hachette Book Group, 2015), pages 241–245.
  16. “Saudi Aramco signs 1 SPA and 9 MOUs with Russian Companies at the Saudi — Russian CEO Forum,” Saudi Aramco, October 14, 2019. (https://www.aramco.com/en/news-media/news/2019/saudi-aramco-signs-1-spa-and-9-mous-with-russian-companies-at-the-saudi-russian-ceo-forum)
  17. Zachary Greenhouse with George Barros. “The Kremlin Leverages Cyber Cooperation Deals,” Institute for the Study of War, August 13, 2020. (http://www.understandingwar.org/backgrounder/kremlin-leverages-cyber-cooperation-deals)
  18. Zach Whittaker, “Documents Reveal how Russia Taps Phone Companies for Surveillance,” TechCrunch, September 18, 2019. (https://techcrunch.com/2019/09/18/russia-sorm-nokia-surveillance)
  19. Sarah Freeman, “Challenges of Cyber Attribution,” Women in International Security, December 2, 2020. (https://www.wiisglobal.org/challenges-of-cyber-attribution)
  20. U.S. Department of Justice, Press Release, “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts,” March 15, 2017. (https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions); Lesley Stahl, “The Growing Partnership Between Russia’s Government and Cybercriminals,” CBS News, April 21, 2019. (https://www.cbsnews.com/news/evgeniy-mikhailovich-bogachev-the-growing-partnership-between-russia-government-and-cybercriminals-60-minutes); Garrett Graff, “Inside the Hunt for Russia’s Most Notorious Hacker,” Wired, March 21, 2017. (https://www.wired.com/2017/03/russian-hacker-spy-botnet); U.S. Department of the Treasury, Press Release, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” December 5, 2019. (https://home.treasury.gov/news/press-releases/sm845); Frank Bajak, “The Kremlin is Providing a Safe Harbor for Ransomware,” Fortune, April 16, 2021. (https://fortune.com/2021/04/16/kremlin-cybercriminals-ransomware-us-russia-sanctions); U.S. Department of the Treasury, Press Release, “Treasury Sanctions Russia with Sweeping New Sanctions Authority,” April 15, 2021. (https://home.treasury.gov/news/press-releases/jy0127)
  21. Matthew Kahn, “NSA General Counsel Glenn Gerstell Remarks to Georgetown Cybersecurity Law Institute,” Lawfare, May 24, 2018. (https://www.lawfareblog.com/nsa-general-counsel-glenn-gerstell-remarks-georgetown-cybersecurity-law-institute)
  22. General Paul Nakasone, Testimony Before the Senate Armed Services Committee, March 25, 2021. (https://www.armed-services.senate.gov/imo/media/doc/21-17_03-25-20212.pdf)
  23. Tim Starks, “Latest Russian espionage activity is broader then SolarWinds-style hacking effort, Microsoft’s Tom Burt says,” CyberScoop, October 25, 2021. (https://www.cyberscoop.com/tom-burt-q-and-a-russian-nobelium-resellers)
  24. “A ‘Worst Nightmare’ Cyberattack: The Untold Story of the SolarWinds Hack,” NPR, April 16, 2021. (https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack); U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Agency, Office of the Director of National Intelligence, and National Security Agency, Press Statement, “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA),” January 5, 2021. (https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure)
  25. Aaron Holmes, “5 takeaways from the Senate hearing on SolarWinds attacks,” Business Insider, February 23, 2021. (https://www.businessinsider.com/5-takeaways-from-the-senate-hearing-on-solarwinds-attacks-2021-2)
  26. U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Agency, Office of the Director of National Intelligence, and National Security Agency, Press Statement, “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA),” January 5, 2021. (https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure)
  27. Maria Korolov, “The List of Known SolarWinds Victims Grows, as Do Attack Vectors,” Data Center Knowledge, December 23, 2020. (https://www.datacenterknowledge.com/security/list-known-solarwinds-breach-victims-grows-do-attack-vectors)
  28. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, The White House, “Press Briefing by Press Secretary Jen Psaki and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, February 17, 2021,” Remarks to the Press, February 17, 2021. (https://www.whitehouse.gov/briefing-room/press-briefings/2021/02/17/press-briefing-by-press-secretary-jen-psaki-and-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-february-17-2021)
  29. “A ‘Worst Nightmare’ Cyberattack: The Untold Story of the SolarWinds Hack,” NPR, April 16, 2021. (https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack)
  30. Joseph Menn and Christopher Bing, “Hackers of SolarWinds stole data on U.S. sanctions policy, intelligence probes,” Reuters, October 8, 2021. (https://www.reuters.com/world/us/hackers-solarwinds-breach-stole-data-us-sanctions-policy-intelligence-probes-2021-10-07); “Microsoft Digital Defense Report,” Microsoft, October 2021, page 59. (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi)
  31. Boris Zilberman, “Kaspersky and Beyond: Understanding Russia’s Approach to Cyber-Enabled Economic Warfare,” Foundation for Defense of Democracies, June 19, 2018, page 15.(https://www.fdd.org/analysis/2018/06/24/kaspersky-and-beyond-understanding-russias-approach-to-cyber-enabled-economic-warfare)
  32. Executive Order 14017, “America’s Supply Chains,” February 24, 2021. (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains); Executive Order 14028, “Improving the Nation’s Cybersecurity,” May 12, 2021. (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity)
  33. Charlie Osborne, “LockBit ransomware operator: ‘For a cybercriminal the best country is Russia,” ZeroDay Net, February 4, 2021. (https://www.zdnet.com/article/lockbit-ransomware-operator-for-a-cybercriminal-the-best-country-is-russia)
  34. “Russian Cybercriminals Drive Significant Ransomware and Cryptocurrency-based Money Laundering Activity,” Chainalysis, February 14, 2022. (https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-russia-ransomware-money-laundering)
  35. Jeff Seldin, “US Accuses Russia of Stonewalling on Cybercrime,” Voice of America, September 14, 2021. (https://www.voanews.com/a/6227401.html). See also: @ericgeller, “Harrington: ‘We remain concerned that Russian cyber criminals will target U.S. critical infrastructure with ransomware attacks, either in support of Russian government or to take advantage of [the] more permissive operating environment in Russia,’” Twitter, May 24, 2022. (https://twitter.com/ericgeller/status/1529158808819355654)
  36. Matt Burgess, “Leaked Ransomware Docs Show Conti Helping Putin from the Shadows,” Wired, March 18, 2022. (https://www.wired.com/story/conti-ransomware-russia)
  37. “How the Kremlin provides a safe harbor for Ransomware,” NBC News, April 16, 2021. (https://www.nbcnews.com/tech/security/kremlin-provides-safe-harbor-ransomware-rcna699)
  38. U.S. Federal Bureau of Investigation, Press Statement, “FBI Statement on Compromise of Colonial Pipeline Networks,” May 10, 2021. (https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-compromise-of-colonial-pipeline-networks)
  39. Mike Jeffers and William Turton, “Ransomware attack shuts down biggest U.S. gasoline pipeline,” World Oil, May 9, 2021. (https://www.worldoil.com/news/2021/5/9/ransomware-attack-shuts-down-biggest-us-gasoline-pipeline)
  40. U.S. Cybersecurity and Infrastructure Security Agency, “Critical Infrastructure Sectors,” accessed June 24, 2022. (https://www.cisa.gov/critical-infrastructure-sectors)
  41. Christina Wilkie, “Colonial Pipeline paid $5 million ransom one day after cyberattack, CEO tells Senate,” CNBC, June 9, 2021. (https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html)
  42. Joseph Blount, “Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” Testimony Before the House Committee on Homeland Security, June 9, 2021. (https://homeland.house.gov/imo/media/doc/2021-06-09-HRG-Testimony-Blount.p)
  43. “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” Trend Micro, May 12, 2021. (https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html)
  44. “REvil, A Notorious Ransomware Gang, Was Behind JBS Cyberattack, The FBI Says,” NPR, June 3, 2021. (https://www.npr.org/2021/06/03/1002819883/revil-a-notorious-ransomware-gang-was-behind-jbs-cyberattack-the-fbi-says)
  45. Jacob Bunge, “JBS Paid $11 Million to Resolve Ransomware Attack,” The Wall Street Journal, June 9, 2021. (https://www.wsj.com/articles/jbs-paid-11-million-to-resolve-ransomware-attack-11623280781)
  46. “Biden Tells Putin Russia Must Crack Down on Cybercriminals,” PBS, July 9, 2021. (https://news.wttw.com/2021/07/09/biden-tells-putin-russia-must-crack-down-cybercriminals)
  47. The White House, “Readout of Presidents Biden’s Video Call with President Vladimir Putin of Russia,” December 7, 2021. (https://www.whitehouse.gov/briefing-room/statements-releases/2021/12/07/readout-of-president-bidens-video-call-with-president-vladimir-putin-of-russia)
  48. Joseph Marks, “It’s unclear whether Russia is cracking down on cyber attacks,” The Washington Post, December 16, 2021. (https://www.washingtonpost.com/politics/2021/12/16/it-unclear-whether-russia-is-cracking-down-cyber-attacks). Data from private cybersecurity and cyber threat analysts reveals no decrease in the number of ransomware attacks. See: Adam Janofsky, “After a brief decline, organizations once again are bombarded with ransomware,” The Record, April 13, 2022. (https://therecord.media/after-a-brief-decline-organizations-once-again-are-bombarded-with-ransomware)
  49. Joseph Marks, “It’s unclear whether Russia is cracking down on cyber attacks,” The Washington Post, December 16, 2021. (https://www.washingtonpost.com/politics/2021/12/16/it-unclear-whether-russia-is-cracking-down-cyber-attacks)
  50. Joseph Menn and Christopher Bing, “Exclusive: Governments turn tables on ransomware gang REvil by pushing it offline,” Reuters, October 21, 2021. (https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21); U.S. Department of Justice, Press Release, “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside,” June 7, 2021. (https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside); “FBI, US agencies look beyond indictments in cybercrime fight,” Associated Press, January 18, 2022. (https://www.courthousenews.com/fbi-us-agencies-look-beyond-indictments-in-cybercrime-fight)
  51. Joe Uchill, “Russia nixes US charges against REvil defendants as cooperation fizzles,” SC Media, May 31, 2022. (https://www.scmagazine.com/analysis/ransomware/russia-nixes-us-charges-against-revil-defendants-as-cooperation-fizzles)
  52. Jake Rudnitsky and William Turton, “Russia Detains REvil Ransomware Hackers at the Request of U.S.,” Bloomberg, January 14, 2022. (https://www.bloomberg.com/news/articles/2022-01-14/russia-detains-revil-ransomware-hackers-at-u-s-s-request)
  53. Joseph Marks, “Hopes of Russian help on ransomware are officially dead,” The Washington Post, June 1, 2022. (https://www.washingtonpost.com/politics/2022/06/01/hopes-russian-help-ransomware-are-officially-dead)
  54. “What’s the latest fallout from the Colonial Pipeline hack?” Government Technology, August 17, 2021. (https://www.govtech.com/question-of-the-day/whats-the-latest-fallout-from-the-colonial-pipeline-hack)
  55. See: U.S. Department of Justice, U.S. Attorney’s Office for the Northern District of California, Press Release, “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts,” March 15, 2017. (https://www.justice.gov/usao-ndca/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and); Michael Schwirtz and Joseph Goldstein, “Russian Espionage Piggybacks on a Cybercriminal’s Hacking,” The New York Times, March 12, 2017. (https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html)
  56. Boris Zilberman, “Kaspersky and Beyond: Understanding Russia’s Approach to Cyber-Enabled Economic Warfare,” Foundation for Defense of Democracies, June 19, 2018, pages 17–18. (https://www.fdd.org/analysis/2018/06/24/kaspersky-and-beyond-understanding-russias-approach-to-cyber-enabled-economic-warfare)
  57. Final Rule to the Export Administration Regulations (EAR) Adding Entities to the Commerce Entity List, U.S. Department of Commerce, Bureau of Industry and Security, 83 Federal Register 48532, September 26, 2018. (https://www.federalregister.gov/documents/2018/09/26/2018-20954/addition-of-certain-entities-to-the-entity-list-revision-of-an-entry-on-the-entity-list-and-removal)
  58. U.S. Department of the Treasury, Press Release, “Treasury Takes Further Action Against Russian Linked Actors,” January 11, 2021. (https://home.treasury.gov/news/press-releases/sm1232)
  59. See, for example: U.S. Department of Justice, Press Release, “Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace,” October 19, 2020.


  60. Director of National Intelligence Daniel R. Coats, Office of the Director of National Intelligence, “Worldwide Threat Assessment of the US Intelligence Community,” Statement for the Record Before the Senate Select Committee on Intelligence, January 29, 2019. (https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR—SSCI.pdf)
  61. See, for example: U.S. Department of the Treasury, Press Release, “Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War,” March 31, 2022. (https://home.treasury.gov/news/press-releases/jy0692)
  62. Paul Amberg, Eunkyung Kim Shin, Brian Hengesbaugh, Michael Stoker, and Yu (Iris) Zhang, “US Government Issues Executive Order to Address the Use of US IaaS Products by Foreign Malicious Cyber Actors,” Sanctions and Export Controls Update, February 9, 2021. (https://sanctionsnews.bakermckenzie.com/us-government-issues-executive-order-to-address-the-use-of-us-iaas-products-by-foreign-malicious-cyber-actors)
  63. U.S. Department of Commerce, Press Release, “Commerce Department Seeks Input in Development of Cyber Rules to Deter Malicious Use of Cloud Services,” September 24, 2021. (https://www.commerce.gov/news/press-releases/2021/09/commerce-department-seeks-input-development-cyber-rules-deter-malicious)
  64. National Security Advisor Robert C. O’Brien, U.S. National Security Council, Press Statement, “Statement from National Security Advisor Robert C. O’Brien,” January 19, 2021. (https://trumpwhitehouse.archives.gov/briefings-statements/statement-national-security-advisor-robert-c-obrien-011921)
  65. Office of the Director of National Intelligence, National Counterintelligence and Security Center, “National Counterintelligence Strategy of the United States of America 2020-2022,” January 2020, page 10. (https://www.dni.gov/files/NCSC/documents/features/20200205-National_CI_Strategy_2020_2022.pdf)
  66. Ibid.
  67. Aaron Schaffer, “It’s a big day at the State Department for U.S. cyberdiplomacy,” The Washington Post, April 4, 2022. (https://www.washingtonpost.com/politics/2022/04/04/its-big-day-state-department-us-cyberdiplomacy)
  68. Ransomware Task Force, “Combating Ransomware,” Institute for Security and Technology, May 2021, pages 21–22. (https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf)
  69. Andrew W. Marshall, “Long-Term Competition with the Soviets,” RAND Corporation, April 1972. (https://www.rand.org/pubs/reports/R862.html)


Blockchain and Digital Currencies Cyber Cyber-Enabled Economic Warfare Disinformation Russia