Russian-speaking ransomware-as-a-service operation that emerged in 2022 as a Phobos affiliate, deploying a modified Phobos encryptor with double-extortion tactics. Targeted small and medium-sized bus…
Russian military-intelligence (GRU Unit 26165) intrusion set. Long-running espionage operations against military, government, political, and media targets, including the 2016 DNC intrusion and sustai…
Russian state-sponsored intrusion set publicly attributed to the SVR. Long history of espionage operations against Western government, diplomatic, think tank, and technology targets, including the So…
Russian state-sponsored intrusion set publicly assessed by Microsoft as associated with the GRU but operationally distinct from Forest Blizzard (APT28) and Seashell Blizzard (Sandworm). Conducted the…
Russian state-sponsored intrusion set publicly assessed by the UK NCSC and Five Eyes partners as 'almost certainly subordinate to FSB Centre 18'. Conducts targeted credential-phishing operations agai…
Russian-speaking ransomware operation that ran the dominant double-extortion brand of 2020-2022. After the group publicly declared support for the Russian invasion of Ukraine in February 2022, an ins…
Russian-speaking ransomware-as-a-service operation active from August 2020 to May 2021, when an affiliate's compromise of Colonial Pipeline triggered the fuel-supply crisis on the U.S. East Coast and…
Russian state-coordinated influence operation publicly attributed by EU DisinfoLab, the European Commission, the U.S. Treasury, and the UK Foreign Office to the Social Design Agency (SDA) and Struktu…
Russian state-sponsored intrusion set publicly attributed by the U.S. DOJ and Treasury OFAC to FSB Center 16 (Military Unit 71330). Long-running targeting of the energy, nuclear, water, aviation, and…
Russian cybercrime syndicate publicly attributed by the U.S. Treasury OFAC in December 2019, which sanctioned founder Maksim Yakubets. Operators of the Dridex banking trojan, the BitPaymer and Wasted…
Russian state-sponsored intrusion set publicly attributed by the Security Service of Ukraine (SBU) to FSB officers based in Russian-occupied Crimea. The longest-running publicly-documented intrusion…
Russian-speaking ransomware-as-a-service operation active since mid-2023, notable for sustained targeting of UK NHS trusts and U.S. healthcare providers. Major UK incidents: **NHS Dumfries and Gallow…
Pro-Russia hacktivist collective; brand reorganized multiple times since its emergence around January 2022. Conducts performative DDoS against Western government, healthcare, and airport sites timed…
Russian-speaking ransomware-as-a-service operation that by mid-2023 was the most prolific ransomware brand on public leak-site tracking by victim count. Disrupted in February 2024 by Operation Cronos…
Pro-Russia hacktivist collective emerged within weeks of the February 2024 full-scale invasion of Ukraine. Operates 'DDoSia' — a paid crowdsourced DDoS platform where Russian-speaking volunteers run…
Russian exploit-acquisition firm publicly sanctioned by the U.S. Treasury OFAC in February 2026, alongside its founder Sergey Zelenyuk, for operating a market in zero-day vulnerabilities and exploit…
Russian ransomware-as-a-service operation derived from GandCrab in April 2019. Conducted the 2021 Kaseya VSA supply-chain compromise (~1,500 downstream victims via 60 MSPs), the JBS Foods $11M ransom…
Russia-aligned intrusion set conducting hybrid espionage and financially-motivated operations — ESET, Microsoft, and Unit 42 track it as a single actor straddling state-objective targeting (Ukrainian…
Russian military-intelligence (GRU Unit 74455) intrusion set responsible for some of the most destructive cyberattacks publicly attributed to a nation-state: the 2015 and 2016 Ukrainian power-grid ou…
Russian state-sponsored actor publicly attributed to FSB Center 16. One of the longest-running espionage sets on record, known for the Snake (Uroburos) implant — a sophisticated peer-to-peer covert c…
Russian state-sponsored intrusion set responsible for the December 2017 TRITON/TRISIS malware attack on the Triconex safety instrumented system (SIS) at a Saudi Arabian petrochemical facility — the f…