The Direction of the Russian Cyber Threat

Nixu Threat Intelligence Team

Threat Intelligence Team

Heinäkuu 12, 2022 at 16:56

This blog post is an extract from our quarterly Nixu Threat Intelligence report, which will be released on July 21, 2022. Contact us and find out how you can get your copy. 

Russia’s renewed invasion of Ukraine has already lasted for more than four months – notably longer than the Finnish Winter War. Time is therefore ripe for preliminary reasoning about the nature and direction of Russia’s cyber operations. To that end, we aim to briefly study the logic behind Russia’s cyber operations, examine both the immediate and medium-long term constraints on Russia’s capability to conduct offensive cyber operations, and, finally look at the potential direction of future Russian cyber activities.

According to Microsoft, Russia’s invasion of Ukraine in the cyber domain relies on a strategy founded on at least two pillars which are relevant here. The first concerns destructive cyberattacks within Ukraine, consisting of wiper attacks and other forms of destructive malware, but also of missile attacks against Ukrainian data centers. It is important to note that despite their aggressive tactics, Russia has not deployed wormable malware that could cross international lines, but instead have purposely designed their attacks to stay confined within Ukrainian borders. The second relevant pillar consists of network penetration and espionage outside Ukraine – mostly against governments that play a critical role in supporting Ukraine. According to Microsoft the global share of Russian cyberattacks appears thus: 

  • Denmark, Norway, Finland, and Sweden: 16%
  • Latvia and Lithuania: 14%.
    • Note: Estonia, which is an early adopter of cloud services, has, according to Microsoft, experienced no detected Russian cyber intrusions.
  • United States: 12%
  • Poland: 8%

In Ukraine, the impact of Russian cyberattacks has been surprisingly limited. Reasons for this include the move of state-owned digital assets to the cloud along with advances in threat intelligence and the overall capability of emerging cybersecurity products, to detect Russian cyberattacks more effectively. Endpoint protection has also played a role, enabling the speedy distribution of protective software to connected devices to block intrusions. Another factor in Ukraine’s favour has been Russia’s inability to decisively coordinate its cyber activities with attacks by its conventional forces. In addition, Russia is itself experiencing a high number of cyberattacks which are likely drawing its best specialists away from offensive operations in order to focus on defence. When all of these external and internal factors are taken together, it can be reasonably deduced that Russia may lack the necessary resources to conduct meaningful cyberattacks outside of Ukraine.

Russia is also beginning to face constraints in the medium-long term as a result of foreign economic pressure. One significant issue concerns the withdrawal of foreign IT and cybersecurity companies from the Russian market and the suspension of their services for domestic clients. By April 2022, an estimated 70,000 IT workers had fled the country. This figure is expected to double by the end of the summer and, if correct, would represent a 10% decrease in Russia’s entire IT workforce. The impact of this is further amplified by Russia’s inability to replace foreign soft- and hardware solutions with homegrown technologies. A step not yet taken to tackle this deficiency could be the official authorization of software piracy.

Turning to potential future scenarios, contrary to expectations, no country in the Western hemisphere has yet faced a major cyberattack. This might be due to Russia’s conclusion, compounded by resource constraints, that such an action would only broaden the conflict. This determination could yet change given the high probability of an increasingly frustrated Russian leadership and the ever-deepening economic decoupling from the West. Wars, however, are not won by merely punitive actions - regardless of their cost on the adversary. The key question for future Russian cyber measures will be whether they will help the country advance their goals in Ukraine. To this end, an attack like NotPetya could be counterproductive as it may create an opening for a more forceful Western response.

Since its February invasion, Russia’s trajectory on the world stage is increasingly headed towards impoverishment and international exclusion. Facing these circumstances, it is to be expected that Russia will increasingly direct its offensive cyber operations towards financial gains and intellectual property theft. This may manifest itself in the form of ransomware and business email compromise (BEC) attacks, as well as insider threats. We expect to see the continued employment of DDoS attacks due to their low cost and relatively low level of technical sophistication. The recent DDoS attacks against Lithuania and Norway are a good example of this. Regardless of its constraints, the considerable damage experienced by Russia’s armed forces in Ukraine will mean that it will take, according to some estimates, from 5-10 years to rebuild what it has lost so far. This will put additional emphasis on other tools of power, thus over-accentuating the expectations placed upon Russia’s cyber forces.


  1. Defending Ukraine: Early Lessons from the Cyber War. Microsoft. 22 Jun 2022.
  2. Lewis, James. A. Cyber war and Ukraine. CSIS. 16 Jun 2022.
  3. Lapienyté, Jurgita. Five challenges hindering Russia’s success in cyber warfare. Cybernews. 01 Jun 2022.
  4. O’Connor, Tom. Russia Warns Growing Cyber Conflict with U.S. Could Spark War in Real World. Newsweek. 10 Jun 2022.
  5. Temple-Raston, Dina & Powers, Sean. ‘Cream of the cream’: Russia’s high-tech brain drain. The Record. 10 May 2022.
  6. De Chant, Tim. Russia mulls legalizing software piracy as it’s cut off from Western tech. 03 Jul 2022.
  7. Greig, Jonathan. Norway accuses pro-Russian hackers of launching wave of DDoS attacks. 29 Jun 2022.
  8. Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia. Flashpoint. 27 Jun 2022.
  9. Smalley, Suzanne. Cybersecurity experts question Microsoft’s Ukraine report. Cyberscoop. 2022.
  10. В Кремле заявили, что Россия мобилизовала силы для защиты от хакерских атак… Tass. 1 Jul 2022.
  11. Kaminska, Monica & Shires, James & Smeets, Max. Cyber Operations during the 2022 Russian invasion of Ukraine: Lessons Learned (so far). ECCRI. 2022.

Related blogs