Executive Summary
Between 2021 and 2026, Russia's cyber apparatus executed the most operationally diverse state-sponsored campaign of the period — spanning espionage, critical infrastructure sabotage, cloud identity exploitation, and destructive operations simultaneously across multiple theaters.
The defining shift: Russia's cyber operations moved from SolarWinds‑style supply‑chain compromises to a permanent multi‑front offensive against US government, cloud providers, defense contractors, critical infrastructure, and major tech firms, repurposing Ukraine‑era wipers, ICS sabotage, and satellite disruption for global pre‑positioning, with Sandworm active across at least a dozen Western countries by 2025.
Effective defense in 2026 therefore requires understanding how Russian cyber tradecraft evolved from 2021 onward, not just reacting to current headlines.
The most important defensive insight:
Russia operates three distinct cyber doctrines simultaneously: GRU (Russia’s military intelligence service) units conduct destruction and critical infrastructure pre-positioning, SVR (Russia’s external/civilian intelligence agency) conducts patient strategic espionage through cloud and identity exploitation, and FSB (Russia’s main internal security and counterintelligence service) conducts targeted credential theft and influence operations. Each requires a fundamentally different detection approach. The techniques battle-tested during regional conflicts have been operationalized for use against US and Western enterprise targets.
This article analyzes that progression and translates it into concrete detection and defensive strategy guidance.
Detection & Strategy Disclaimer
The thresholds and detection logic in this document are illustrative, not prescriptive. Values such as replay windows, exfil size limits, burst timing, or file modification rates must be tuned to your environment. Network design, workforce geography, cloud setup, logging depth, and normal user behavior all affect what is "anomalous." There is no universal threshold, only environment-calibrated detection.
Strategic Context: Why It Matters to Defenders
Russia's cyber operations are not opportunistic — they are doctrinally integrated with intelligence objectives, executed by organizationally distinct units with different mandates, risk tolerances, and tradecraft profiles.
Understanding which Russian organization is operating against you fundamentally changes your detection strategy: GRU operations are faster, louder, and destructive; SVR operations are patient, cloud-native, and designed for long-duration collection; FSB operations are targeted, credential-focused, and paired with influence objectives.
Strategic Shift
Russian cyber operations transitioned from the SolarWinds-era supply chain model (patient, singular, high-value) to a permanent multi-front operational tempo — conducting strategic espionage against US cloud infrastructure, pre-positioning in Western critical infrastructure, targeting US defense and technology sectors, and conducting credential theft campaigns against policy influencers and research institutions.
The trajectory is clear: Russia's cyber units are now permanently operating at elevated tempo against US and Western targets, with tradecraft refined through years of high-intensity operations now applied globally.
Part I — Strategic Pattern (2021 → 2026)
Russian cyber operations from 2021–2026 show four consistent characteristics:
Organizational specialization — GRU (destruction/pre-positioning), SVR (strategic espionage), FSB (targeted collection/influence) operate with distinct mandates and tradecraft
Global pre-positioning — destructive capabilities developed and refined during regional conflicts are now being pre-positioned across US and Western critical infrastructure
Cloud identity pivot — SVR shifted from on-premises supply chain attacks to cloud-native identity exploitation (OAuth abuse, token theft, password spray)
Destructive capability industrialization — GRU demonstrated the ability to produce 9+ distinct wiper families in 12 months, an industrial-scale destructive malware development pipeline now available for future use against any target
The tactical stack evolved dramatically, but the doctrine remained consistent:
Gain access through identity exploitation, edge device compromise, or supply chain
Persist through cloud infrastructure embedding, legitimate tooling, or firmware-level access
Collect intelligence at scale (SVR) or pre-position for disruption (GRU)
Execute destruction when geopolitically or militarily useful
What Changed in Russian Cyber Operations (2021–2026)
Destructive Operations Became Industrialized
Between January and December 2022, GRU units deployed at least nine distinct wiper families against Ukrainian targets, among them WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero, and AcidRain; Industroyer2, deployed alongside CaddyWiper in April 2022, is ICS-specific malware rather than a wiper, and SwiftSlicer (January 2023) and ZEROLOT (2025) came from the same pipeline in later years. This was not a single weapon fired once; it was an industrial malware production line. AcidRain alone knocked Viasat KA-SAT satellite modems offline in Ukraine and in other parts of Europe, demonstrating that these capabilities are not regionally contained. In late December 2025, Sandworm was attributed with a wiper attack on Polish energy infrastructure, the largest cyber attack on Polish infrastructure in years.
Defensive takeaway: Russia has demonstrated the capability to produce and deploy novel destructive malware at a pace that exceeds signature-based detection cycles, and this industrial capacity can be redirected to US targets. Behavioral detection of pre-destruction staging (VSS deletion, backup destruction, recovery disablement, mass file access), backed by offline or immutable backups, is the reliable defense against wipers no signature has seen.
Cloud Identity Became the Primary Espionage Vector
Midnight Blizzard (APT29/SVR) compromised Microsoft's own corporate environment in an intrusion that began in late November 2023 and was detected and disclosed in January 2024, using a password spray against a legacy, non-production test tenant account that lacked MFA. The SVR didn't break encryption or exploit a zero-day; they guessed the password of a forgotten test account. From that foothold, they used a legacy test OAuth application with elevated access to the corporate environment, created further malicious OAuth applications, and granted themselves Exchange Online full_access_as_app permissions to read the mailboxes of senior leadership, cybersecurity and legal staff; Microsoft later confirmed access to some source code repositories and internal systems.
Defensive takeaway: Legacy OAuth applications, dormant service accounts, and test tenants without MFA are the SVR's preferred initial access vector. Your cloud identity hygiene is your Russia defense posture. Audit all OAuth app registrations and the permissions granted to them, enforce MFA on every user account (service principals cannot use MFA, so constrain them with certificate credentials, least-privilege scopes, and Conditional Access for workload identities), and eliminate legacy test tenants or bring them under the same controls as production.
Critical Infrastructure Pre-Positioning Became Global
Russia's ICS and OT capabilities — demonstrated through Industroyer2 (power grid targeting), AcidRain (satellite communications disruption across Europe), and coordinated wiper deployments against energy facilities — represent a proven playbook that has since expanded beyond its original theater. Sandworm's BadPilot campaign (disclosed February 2025) confirmed active targeting of energy, telecommunications, and government organizations in the US, UK, Canada, and Australia.
Defensive takeaway: Organizations in energy, telecommunications, and critical infrastructure should treat US-Russia geopolitical tensions as a direct trigger for elevated monitoring of OT/ICS systems, satellite communications infrastructure, and network edge devices. The capabilities are proven; the targeting is now global.
Infrastructure Parasitism as Operational Model
Turla (Secret Blizzard/FSB) doesn't only build its own C2 infrastructure; it hijacks infrastructure belonging to other threat actors. In December 2024, Microsoft and Lumen's Black Lotus Labs documented Turla commandeering the infrastructure and backdoors of Storm-0156 (a Pakistan-based espionage group), deploying its own implants (a TinyTurla variant, TwoDash) through that group's existing access and co-opting its tools (CrimsonRAT, Wainscot) for its own use.
Defensive takeaway: Finding a known APT's implant does not mean you have fully scoped the intrusion. If Turla is riding on another group's access, your IOC-based detection will identify the wrong actor, and your remediation will miss the deeper compromise.
Credential Phishing Became AI-Enhanced and Platform-Diverse
Star Blizzard (FSB/COLDRIVER) conducted sustained credential phishing campaigns against academia, defense, NGOs, and think tanks — evolving from email-based spear-phishing to WhatsApp-based social engineering by late 2024. The campaigns use extensive pre-attack research, establish rapport over weeks before delivering credential harvesting links, and deploy EvilGinx2 to defeat MFA.
Defensive takeaway: Star Blizzard's social engineering is slow, personalized, and increasingly platform-diverse (email → WhatsApp), and Midnight Blizzard has run the same play over Teams. Detection must extend beyond the email gateway to collaboration and messaging platforms. Phishing-resistant MFA (FIDO2) is the definitive control against credential and session theft, because the authenticator is bound to the legitimate origin and cannot be relayed through an EvilGinx proxy.
AI-Enabled Malware and Rapid Exploit Weaponization Arrived
In July 2025, CERT-UA disclosed LAMEHUG, the first confirmed Russian APT malware to call a large language model (Qwen2.5-Coder-32B-Instruct via the Hugging Face API) for dynamic command generation; CrowdStrike's 2026 Global Threat Report later highlighted it. Separately, APT28's Operation Neusploit weaponized CVE-2026-21509 (Microsoft Office/MSHTML) within 24 hours of public disclosure. The same CrowdStrike report documented an 89% increase in AI-enabled attacks and noted that 82% of intrusions in 2025 were malware-free.
Defensive takeaway: The combination of AI-assisted malware and near-zero-day weaponization timelines compresses the defender's response window dramatically. Patch SLAs for internet-facing Microsoft products must be measured in hours, not days. Behavioral detection for anomalous LLM API calls (Hugging Face, OpenAI, etc.) from endpoint processes should be investigated as potential AI-enabled C2.
Current Target Prioritization
Priority Tier | Target Category | Rationale |
--- | --- | --- |
Tier 1 | US government agencies, diplomatic communications, defense contractors | Strategic intelligence collection (SVR); demonstrated via Microsoft breach, TeamViewer breach |
Tier 1 | US/Western cloud service providers (Microsoft, Google, AWS infrastructure) | Upstream access to government and enterprise tenants |
Tier 1 | US/Western energy and critical infrastructure | Pre-positioning for crisis-time disruption (Sandworm BadPilot expansion) |
Tier 2 | NATO member governments and military organizations | Military intelligence, alliance monitoring |
Tier 2 | US technology companies, MSPs, IT service providers | Supply chain and downstream access to high-value targets |
Tier 2 | Telecommunications and satellite infrastructure | Communications intelligence and disruption capability |
Tier 3 | Think tanks, NGOs, academia, journalists | Policy intelligence, influence operations (FSB/Star Blizzard) |
Tier 3 | Defense-adjacent industries (aerospace, advanced manufacturing) | Technology and military intelligence |
Detection Posture Adjustment
The following priorities should be elevated for any organization in Tier 1 or Tier 2:
Cloud identity hygiene audit — Enumerate all OAuth application registrations, service principals, and legacy test tenants. Any account without MFA is an SVR target. Midnight Blizzard's Microsoft breach began with a password spray against a single unprotected test account.
Edge device vulnerability management — Sandworm's BadPilot campaign exploits known vulnerabilities in Exchange, Fortinet, ConnectWise, and Outlook. Any unpatched internet-facing application is an active target for initial access.
OT/ICS network segmentation verification — If you operate energy, water, or telecommunications infrastructure, verify OT/IT segmentation and monitor for any IT-to-OT lateral movement. Sandworm has confirmed targeting of US energy and telecom sectors; Industroyer2 demonstrated ICS-specific attack capability.
Destructive malware pre-staging detection — Monitor for VSS deletion (vssadmin delete shadows), backup destruction (wbadmin delete), and mass file access patterns. Russia's wiper deployments are preceded by hours-to-days of pre-staging activity.
Residential proxy awareness — SVR operations authenticate through residential proxy infrastructure so that sign-ins blend with legitimate home-user traffic. Sign-ins from residential ISP ranges that do not match a user's usual location or device, and sessions that persist from such addresses, warrant investigation; the spray itself is only visible when failures are correlated across the whole tenant rather than per source IP.
Collaboration platform credential theft — Star Blizzard has moved spear-phishing from email to WhatsApp, and Midnight Blizzard has used Teams chats for credential theft. Extend phishing detection beyond email to every collaboration and messaging platform used by high-value targets.
Threat Actor Landscape
CrowdStrike Name | Microsoft Name | Common Name | Linked To | Primary Mission | Primary Targets |
--- | --- | --- | --- | --- | --- |
COZY BEAR | Midnight Blizzard | APT29 / NOBELIUM | SVR (Foreign Intelligence Service) | Strategic espionage, cloud exploitation | Government, cloud providers, tech, diplomatic |
FANCY BEAR | Forest Blizzard | APT28 / Sofacy | GRU Unit 26165 (85th GTsSS) | Military intelligence, NATO espionage | Government, military, defense, energy, media |
VOODOO BEAR | Seashell Blizzard | Sandworm / APT44 | GRU Unit 74455 | Destruction, ICS sabotage, pre-positioning | Energy, telecom, critical infrastructure (US, EU, global) |
— | Cadet Blizzard | DEV-0586 | GRU Unit 29155 (161st SpTsN) | Sabotage, espionage, reputational harm | Government, NATO, critical infrastructure |
VENOMOUS BEAR | Secret Blizzard | Turla / Snake | FSB (Center 16) | Deep persistent espionage | Government, military, diplomatic (global) |
PRIMITIVE BEAR | Aqua Blizzard | Gamaredon / Armageddon | FSB (Crimea-based; linked by Ukraine's SSU to Center 18) | High-volume espionage | Government and military (regionally focused) |
GOSSAMER BEAR | Star Blizzard | COLDRIVER / Callisto | FSB (Center 18) | Credential theft, influence operations | Think tanks, academia, defense, NGOs, journalists |
Key distinction: Russia operates cyber units across three intelligence agencies with fundamentally different mandates:
GRU units (APT28, Sandworm, Cadet Blizzard): Military intelligence — willing to conduct destructive operations, ICS sabotage, and high-tempo offensive campaigns against Western targets. Multiple distinct units (26165, 74455, 29155) with different specializations, now operating at sustained elevated tempo.
SVR (APT29/Midnight Blizzard): Foreign intelligence collection — patient, technically sophisticated, focused on cloud infrastructure and identity exploitation for long-duration access to government and technology targets.
FSB units (Turla, Gamaredon, Star Blizzard): Security service operations — ranging from sophisticated persistent espionage (Turla) to high-volume targeted collection (Gamaredon) to credential theft and influence targeting US/Western policy circles (Star Blizzard).
Attribution note: Microsoft attributed Cadet Blizzard to the GRU in June 2023, and the US government publicly tied the group to GRU Unit 29155 in September 2024, despite it being active since at least 2020. This unit operates with less technical sophistication than Sandworm or APT28 but compensates with high operational aggression: it deployed WhisperGate behind a fake ransom note with no attempt at durable stealth. The US Department of State has offered a reward of up to $10 million for information on Unit 29155 operatives.
Part II — Campaign Evolution Analysis (2021–2026)
2021: SolarWinds Aftermath and Federated Auth Targeting
Characteristic: SVR continued exploitation of SolarWinds-era access against US government and technology targets; development of AD FS persistence techniques
Tooling: NOBELIUM custom tooling, FoggyWeb (AD FS backdoor, disclosed September 2021), MagicWeb (AD FS authentication bypass from the same line of tradecraft, disclosed August 2022)
Detection profile: LOW for SVR (cloud-native, legitimate API abuse); MEDIUM for GRU (traditional tooling)
Defining campaign: APT29 FoggyWeb — backdoor targeting AD FS servers to extract token-signing certificates and deploy additional payloads; enabled persistent access to US federated authentication infrastructure
2022: Industrial-Scale Destructive Capability Demonstrated
Characteristic: Unprecedented deployment of destructive malware; 9+ wiper families in 12 months; ICS targeting; satellite communications disruption extending across Europe
Tooling: WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero, AcidRain, and Industroyer2 (ICS malware deployed together with CaddyWiper); the same pipeline later produced SwiftSlicer (January 2023) and ZEROLOT (2025)
Detection profile: VARIED — wipers are detectable in pre-staging phase but novel at deployment; ICS malware requires specialized OT monitoring
Defining campaigns: AcidRain (Viasat satellite modem wiper affecting internet service across Europe — not regionally contained); Industroyer2 (ICS-specific malware targeting power grid IEC-104 protocol); HermeticWiper and WhisperGate (destructive operations attributed to distinct GRU units 74455 and 29155 respectively)
2023: Cloud Identity Exploitation and Zero-Day Campaigns
Characteristic: SVR pivoted to cloud-native attacks targeting US organizations; APT28 exploited Outlook zero-day for 20+ months across 14 NATO nations; attribution clarity improved
Tooling: OAuth application abuse, password spray infrastructure, CVE-2023-23397 (Outlook NTLM relay), CVE-2023-42793 (JetBrains TeamCity)
Detection profile: LOW for SVR cloud operations (legitimate API usage); MEDIUM for APT28 (NTLM relay detectable)
Defining campaigns: Midnight Blizzard Teams social engineering against US targets (August 2023); APT28 Outlook NTLM relay exploitation against 30+ organizations in 14 nations (April 2022–October 2023, disclosed March 2023); Cadet Blizzard attributed to the GRU by Microsoft (June 2023; the Unit 29155 link was confirmed by US agencies in September 2024)
2024: US Corporate Breach Escalation and Global Expansion
Characteristic: SVR breached Microsoft and TeamViewer corporate environments — demonstrating direct targeting of US technology providers; Sandworm expanded to 15+ countries; Turla hijacked rival APT infrastructure
Tooling: Password spray + OAuth pivot (Midnight Blizzard); CVE-2024-1709 (ConnectWise), CVE-2023-48788 (Fortinet); TinyTurla, TwoDash (Turla via hijacked C2)
Detection profile: LOW for SVR (legitimate credential use from residential proxies); MEDIUM for Sandworm BadPilot (known CVE exploitation)
Defining campaigns: Midnight Blizzard Microsoft breach (January 2024 — accessing senior leadership email, source code, and internal systems; 10x escalation in February); TeamViewer corporate breach (June 2024); Midnight Blizzard large-scale RDP file spear-phishing (October 2024); Turla hijacking Storm-0156 C2 infrastructure; Star Blizzard WhatsApp pivot (November 2024)
2025–2026: Persistent Access at Scale, AI-Enabled Operations, and Rapid Exploit Weaponization
Characteristic: Sandworm BadPilot campaign confirmed targeting US, UK, Canada, and Australia; SVR watering-hole campaigns exploiting device code authentication against US organizations; APT28 weaponizing CVEs within 24 hours of disclosure; Star Blizzard adopted iOS exploit kits; LLM-enabled malware appeared; pro-Russia hacktivist groups coordinated OT attacks on US critical infrastructure
Tooling: ZEROLOT wiper, device code authentication abuse, EvilGinx2, residential proxy networks, LAMEHUG (LLM-enabled malware using Hugging Face API), DarkSword iOS exploit kit, BadPaw/MeowMeow malware families, CVE-2026-21509 (MSHTML zero-day)
Detection profile: LOW for SVR (cloud-native, device code auth abuse); MEDIUM for Sandworm (known CVE exploitation at scale); HIGH velocity for APT28 (zero-day weaponized within 24 hours)
Defining campaigns:
APT28 Operation Neusploit (February 2026): Exploited CVE-2026-21509 (Microsoft Office/MSHTML zero-day) within 24 hours of public disclosure, targeting Central/Eastern European government and defense entities — demonstrating near-zero delay between vulnerability disclosure and weaponization
APT28 LAMEHUG malware (disclosed by CERT-UA in July 2025, highlighted in the CrowdStrike 2026 GTR): LLM-enabled malware that calls Qwen2.5-Coder-32B-Instruct via the Hugging Face API to generate reconnaissance and collection commands at runtime, the first confirmed Russian APT use of generative AI in operational malware
Star Blizzard DarkSword iOS exploit kit (March 2026): Adopted commercial iOS exploit kit targeting government, academia, financial, and legal entities — marking a shift from credential theft to full endpoint compromise including mobile devices
Sandworm Poland energy grid attack (December 2025; attribution published January 2026): Data-wiping malware deployed against Polish energy systems, the largest cyber attack on Polish infrastructure in years, confirming continued willingness to target NATO member critical infrastructure
APT29 device code authentication abuse (2025–2026): Watering-hole campaigns tricking US government and enterprise users into authorizing attacker-controlled devices via Microsoft device code authentication flow
Pro-Russia hacktivist OT attacks (CISA advisory December 2025): CARR, Z-Pentest, NoName057(16), and Sector16 conducting coordinated attacks on US water/wastewater, food & agriculture, and energy OT systems via exposed VNC connections
Mandiant M-Trends 2026: 500,000+ hours of incident investigations in 2025 confirm resurgence of Russian cyber operations and information operations supporting Russian strategic interests
Part III — Full Kill Chain: Phase-by-Phase TTPs with Detection Logic
Phase 1 – Reconnaissance
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling Category |
--- | --- | --- | --- | --- | --- |
Recon | Social Media Profiling and Rapport Building | T1591 | Star Blizzard extended impersonation campaigns | Detection limited for OSINT. Compensating control: Brief high-value targets (researchers, policy staff, executives) on slow-burn social engineering. Star Blizzard establishes rapport over weeks before delivering payload. | Security Awareness Training / DRP |
Recon | Scanning for Unpatched Edge Services | T1595.002 | Sandworm BadPilot campaign | >10 probes against Exchange, Fortinet, ConnectWise management interfaces in 60 sec from single IP. Whitelist known vulnerability scanners. | NGFW / WAF / IDS / SIEM |
Recon | Cloud Tenant Enumeration | T1589.001 | Midnight Blizzard pre-breach recon | Enumeration of Azure AD tenant configurations, OAuth app registrations, and service principal discovery from external IPs. | Cloud SIEM / ITDR |
Phase 2 – Initial Access
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Initial Access | Password Spray via Residential Proxies | T1110.003 | Midnight Blizzard Microsoft breach | Low-volume, distributed password spray against cloud accounts. Key indicator: auth failures from residential ISP IP ranges distributed across many IPs with <5 attempts per IP. Correlation across the full tenant required. | Cloud SIEM / ITDR / IAM Auditing |
Initial Access | Forged/Stolen OAuth Tokens | T1078.004 | Midnight Blizzard (post-initial-access pivot) | OAuth application with elevated permissions accessing mailboxes/repos without corresponding interactive sign-in. Audit: legacy OAuth apps with Mail.Read, Mail.ReadWrite, or full_access_as_app permissions. | Cloud SIEM / CASB |
Initial Access | Outlook NTLM Relay (CVE-2023-23397) | T1187 | APT28 20-month campaign | Exchange: Calendar/task items with UNC path in extended properties (\\attacker-IP\share). Network: SMB (445) or WebDAV outbound to external IP triggered by Outlook rendering. | EDR / NDR / Email Gateway |
Initial Access | Exploitation of Edge Applications | T1190 | Sandworm BadPilot (Exchange, Fortinet, ConnectWise) | VPN/Edge logs: Auth bypass from external IP. Management interface accessed externally. POST to authenticated endpoint without valid session. Known CVE exploitation indicators for ConnectWise (CVE-2024-1709), Fortinet (CVE-2023-48788), Exchange (CVE-2021-34473). | Network Syslog / WAF / SIEM |
Initial Access | Spear-Phishing with RDP Configuration Files | T1566.001 | Midnight Blizzard October 2024 campaign | Email gateway: .rdp attachment from external sender. Endpoint: mstsc.exe launched from Outlook/browser context with remote resource redirection enabled. | Email Security Gateway / EDR |
Initial Access | Device Code Authentication Phishing | T1078.004 | APT29 2025 watering-hole | Entra ID: Device code flow auth ( | Cloud SIEM / ITDR |
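Correlating the spray tenant-wide instead of per source IP, as an added example (not code from any of the reports cited on this page): the sign-in records are constructed, and the per-IP "asn_type" field stands in for the ASN enrichment a SIEM would perform before this logic runs.

```python
"""Tenant-wide password-spray detection over Entra ID-style sign-in records.

Added example; the records are constructed and the per-IP "asn_type" field
stands in for an ASN-enrichment step the SIEM would perform.
"""
from collections import Counter
from datetime import datetime, timedelta

# Entra ID sign-in error codes a spray produces: bad password, unknown user.
SPRAY_ERROR_CODES = {50126, 50034}


def detect_password_spray(events, window=timedelta(minutes=60), min_users=8,
                          min_ips=5, max_failures_per_ip=5):
    """Return one finding per window in which many distinct users fail from
    many distinct IPs while every counted IP stays under the per-IP threshold
    a conventional brute-force rule would need to fire."""
    failures = sorted((e for e in events if e["error_code"] in SPRAY_ERROR_CODES),
                      key=lambda e: e["time"])
    findings, i = [], 0
    while i < len(failures):
        start = failures[i]["time"]
        end = start + window
        in_window = [e for e in failures if start <= e["time"] < end]
        per_ip = Counter(e["ip"] for e in in_window)
        # IPs above the threshold are ordinary brute force; report them
        # separately so the low-and-slow component is judged on its own.
        low_volume = [e for e in in_window if per_ip[e["ip"]] <= max_failures_per_ip]
        users = {e["user"] for e in low_volume}
        ips = {e["ip"] for e in low_volume}
        if len(users) >= min_users and len(ips) >= min_ips:
            asn_by_ip = {e["ip"]: e["asn_type"] for e in low_volume}
            residential = sum(1 for t in asn_by_ip.values() if t == "residential")
            findings.append({
                "window_start": start,
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "max_failures_per_ip": max(per_ip[ip] for ip in ips),
                "residential_share": residential / len(ips),
                "high_volume_ips": sorted(ip for ip, n in per_ip.items()
                                          if n > max_failures_per_ip),
            })
            # Jump to the first failure after this window to avoid duplicates.
            i = next((k for k, e in enumerate(failures) if e["time"] >= end),
                     len(failures))
        else:
            i += 1
    return findings


def build_sample_events():
    """Constructed telemetry: a 12-user spray from 12 residential IPs,
    one noisy brute force from a hosting IP, and two benign typos."""
    t0 = datetime(2024, 1, 10, 2, 0, 0)
    events = []
    for n in range(12):  # one failure per residential IP, 90 s apart
        events.append({"time": t0 + timedelta(seconds=90 * n),
                       "user": f"user{n:02d}@contoso.example",
                       "ip": f"203.0.113.{n + 1}", "asn_type": "residential",
                       "error_code": 50126})
    for n in range(8):   # loud brute force against one account
        events.append({"time": t0 + timedelta(minutes=5, seconds=10 * n),
                       "user": "admin@contoso.example",
                       "ip": "198.51.100.7", "asn_type": "hosting",
                       "error_code": 50126})
    for n in range(2):   # a real user mistyping a password from the office
        events.append({"time": t0 + timedelta(minutes=3 + n),
                       "user": "alice@contoso.example",
                       "ip": "192.0.2.10", "asn_type": "corporate",
                       "error_code": 50126})
    events.append({"time": t0 + timedelta(minutes=6), "user": "alice@contoso.example",
                   "ip": "192.0.2.10", "asn_type": "corporate", "error_code": 0})
    return events


if __name__ == "__main__":
    for finding in detect_password_spray(build_sample_events()):
        print(finding)
```

The brute-force IP is deliberately excluded from the spray count: it trips any per-IP rule on its own, and leaving it in would let one loud source mask a quiet distributed spray or inflate a benign window. The residential share is the tuning knob that separates proxy-routed SVR activity from a misconfigured application retrying with stale credentials.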
Key CVEs Exploited (2021–2026):
CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207 (ProxyShell — Exchange)
CVE-2022-41352 (Zimbra)
CVE-2022-26318 (WatchGuard Firebox)
CVE-2023-23397 (Outlook NTLM relay — APT28)
CVE-2023-42793 (JetBrains TeamCity — APT29)
CVE-2023-38831 (WinRAR — APT28)
CVE-2023-48788 (Fortinet FortiClient EMS — Sandworm)
CVE-2024-1709 (ConnectWise ScreenConnect — Sandworm)
CVE-2022-38028 (Windows Print Spooler — APT28, GooseEgg tool)
CVE-2026-21509 (Microsoft Office/MSHTML — APT28, Operation Neusploit, weaponized within 24h of disclosure)
Phase 3 – Execution & Persistence
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Persistence | OAuth Application Registration/Abuse | T1098.003 | Midnight Blizzard | Entra ID Audit: New OAuth app registration with Mail.Read/Mail.ReadWrite/full_access_as_app. App consent granted by non-admin. Legacy app with delegated permissions accessing resources outside expected scope. | Cloud SIEM / ITDR |
Persistence | AD FS Backdoor (FoggyWeb/MagicWeb) | T1556.001 | APT29 post-SolarWinds | AD FS: Unexpected DLL loaded by AD FS service. Token-signing certificate access from non-AD FS process. Modified configuration in AD FS database. | EDR / FIM / SIEM |
Persistence | Scheduled Task / Registry Run Key | T1053.005 / T1547.001 | APT28, Gamaredon | Sysmon 1: schtasks.exe creating task with encoded PowerShell or external URL callback. Sysmon 13: Run/RunOnce key modified by non-installer process. WinSec 4698: Scheduled task created. | EDR / SIEM |
Persistence | Web Shell Deployment | T1505.003 | Sandworm (post-Exchange exploitation) | Sysmon 11: w3wp.exe creates .aspx/.php in web root. Sysmon 1: w3wp.exe spawns cmd/powershell. IIS logs: POST to non-standard path with no Referer header. | EDR / FIM / WAF |
Persistence | Group Policy Modification | T1484.001 | Sandworm (ZEROLOT wiper distribution) | WinSec 5136: GPO modification outside change window. New GPO linking to OU containing servers/DCs. SYSVOL file creation (scripts, executables) by non-admin. | SIEM / AD Monitoring |
Phase 4 – Privilege Escalation & Defense Evasion
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Priv Esc | GooseEgg Print Spooler Exploit (CVE-2022-38028) | T1068 | APT28 custom tool | Sysmon 1: Execute process with suspicious command line modifying Windows Print Spooler components. DLL load from user-writable path by spoolsv.exe. | EDR / SIEM |
Defense Evasion | DLL Side-Loading | T1574.002 | APT29, APT28 | Sysmon 7: Legitimate signed application loads DLL from AppData/Downloads/Temp. Hash mismatch between expected and loaded DLL. | EDR (Behavioral Engine) |
Defense Evasion | Timestomping and Log Clearing | T1070.001 / T1070.006 | All Russian operators | WinSec 1102: Audit log cleared. WinSec 4719: Audit policy changed. Sysmon 2: File creation time modified. | SIEM |
Defense Evasion | Use of Legitimate Cloud APIs | T1550.001 | APT29 cloud operations | OAuth token used from IP/device inconsistent with registration. Graph API calls at unusual hours or volumes. Mail access via EWS/Graph without corresponding interactive login. | Cloud SIEM / CASB |
Defense Evasion | Living-off-the-Land (LOLBins) | T1218 | APT28, Sandworm | Sysmon 1: Unusual parent-child process chains involving mshta.exe, certutil.exe, rundll32.exe, regsvr32.exe from non-admin context or with external URL parameters. | EDR / SIEM |
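The OAuth rows above (initial access, persistence, and legitimate-API defense evasion) share one question: was there ever a human sign-in behind the application's mailbox access? An added example of that correlation over constructed Entra ID and Unified Audit Log style records (not code from Microsoft or any cited report): field names are simplified, and the risky-permission list is the one the tables name.

```python
"""OAuth-app mailbox access with no human sign-in behind it.

Added example over constructed Entra ID / M365 Unified Audit Log style
records. Field names are simplified; real MailItemsAccessed records carry
the application in AppId/ClientAppId and the count in OperationCount.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Permissions the tables single out as dangerous on a legacy or test app.
RISKY_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}


def analyze_mail_access(app_registrations, signins, mail_access, sensitive_mailboxes,
                        lookback=timedelta(hours=24), volume_threshold=100):
    """Return risky app registrations, app-only mailbox access with no matching
    interactive sign-in, per-app hourly volume spikes, and sensitive-mailbox hits."""
    risky_apps = sorted(app["app_id"] for app in app_registrations
                        if RISKY_PERMISSIONS & set(app["permissions"]))

    # Interactive sign-ins keyed by (user, app): they explain delegated access.
    interactive = defaultdict(list)
    for s in signins:
        interactive[(s["user"], s["app_id"])].append(s["time"])

    app_only, hourly, sensitive_hits = [], defaultdict(int), []
    for ev in mail_access:
        pair = (ev["app_id"], ev["mailbox"])
        explained = any(timedelta(0) <= ev["time"] - t <= lookback
                        for t in interactive[(ev["mailbox"], ev["app_id"])])
        if not explained and pair not in app_only:
            app_only.append(pair)
        hour = ev["time"].replace(minute=0, second=0, microsecond=0)
        hourly[(ev["app_id"], hour)] += ev["operation_count"]
        if ev["mailbox"] in sensitive_mailboxes and pair not in sensitive_hits:
            sensitive_hits.append(pair)

    high_volume = [{"app_id": a, "hour": h, "operations": n}
                   for (a, h), n in sorted(hourly.items()) if n > volume_threshold]
    return {"risky_apps": risky_apps, "app_only_access": app_only,
            "high_volume": high_volume, "sensitive_hits": sensitive_hits}


def build_sample():
    """Constructed: a forgotten test app with full_access_as_app reading three
    mailboxes with no sign-in behind it, beside a benign delegated app."""
    t0 = datetime(2024, 1, 12, 3, 0, 0)
    apps = [
        {"app_id": "app-legacy-test", "display_name": "Legacy Test App",
         "permissions": ["full_access_as_app", "Mail.ReadWrite"]},
        {"app_id": "app-hr-sync", "display_name": "HR Sync",
         "permissions": ["User.Read", "Calendars.Read"]},
    ]
    signins = [{"time": t0 - timedelta(minutes=10),
                "user": "alice@contoso.example", "app_id": "app-hr-sync"}]
    mail_access = [{"time": t0 + timedelta(minutes=5), "app_id": "app-hr-sync",
                    "mailbox": "alice@contoso.example", "operation_count": 20}]
    for n, mailbox in enumerate(["ceo@contoso.example", "ciso@contoso.example",
                                 "legal@contoso.example"]):
        mail_access.append({"time": t0 + timedelta(minutes=15 + 10 * n),
                            "app_id": "app-legacy-test", "mailbox": mailbox,
                            "operation_count": 50})
    sensitive = {"ceo@contoso.example", "ciso@contoso.example"}
    return apps, signins, mail_access, sensitive


if __name__ == "__main__":
    print(analyze_mail_access(*build_sample()))
```

App-only access is not malicious by itself (mail-archiving and DLP services work this way), so the useful output is the intersection: an app with Exchange-wide permissions, no user behind its reads, a volume spike, and leadership or security mailboxes in the target set. That is the shape the Microsoft breach took.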
Phase 5 – Credential Access
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Cred Access | LSASS Dumping | T1003.001 | APT28, Sandworm | Sysmon 10: TargetImage=lsass.exe, GrantedAccess 0x1fffff, SourceImage not in AV/EDR whitelist. | EDR / Credential Guard |
Cred Access | DCSync | T1003.006 | Sandworm, APT28 | WinSec 4662: DS-Replication-Get-Changes-All by non-DC account. ANY non-DC machine or user account = CRITICAL. | ITDR / SIEM |
Cred Access | Kerberoasting | T1558.003 | APT28 | WinSec 4769: TGS request with RC4 encryption (0x17) for service account from workstation. High volume of TGS requests from single source. | ITDR / SIEM |
Cred Access | Token-Signing Certificate Theft | T1552.004 | APT29 (AD FS targeting) | AD FS: Export of token-signing certificate. Access to AD FS configuration database from unexpected process. DKM container access in AD. | FIM / ITDR / SIEM |
Cred Access | AiTM Session Cookie Theft | T1557 | Star Blizzard EvilGinx2 | Entra ID: MFA-complete sign-in followed by same session token from geo-distinct IP within short window. Session ID + changed user-agent/device fingerprint. | Cloud SIEM / ITDR |
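The AiTM row above calls for comparing consecutive sign-ins that share a session identifier. An added example over constructed sign-in records (not code from the page's sources): the country field is assumed to come from IP geolocation enrichment, and the roaming case shows why an IP change on its own should not fire.

```python
"""Session-token replay after an AiTM (EvilGinx-style) phish.

Added example over constructed Entra ID-style sign-in records. "country" is
assumed to come from IP geolocation enrichment; "session_id" stands for the
sign-in log's session identifier.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_session_replay(signins, window=timedelta(minutes=30)):
    """Flag sessions whose MFA-satisfied sign-in is followed, within `window`,
    by the same session from a different IP *and* a different country or user
    agent. A bare IP change (office to phone, same country, same UA) is
    ordinary roaming and is left alone."""
    by_session = defaultdict(list)
    for s in signins:
        by_session[s["session_id"]].append(s)
    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r["time"])
        for first, second in zip(rows, rows[1:]):
            if not first["mfa_satisfied"]:
                continue
            delta = second["time"] - first["time"]
            if delta > window or second["ip"] == first["ip"]:
                continue
            reasons = []
            if second["country"] != first["country"]:
                reasons.append("geo_change")
            if second["user_agent"] != first["user_agent"]:
                reasons.append("user_agent_change")
            if reasons:
                findings.append({"session_id": sid, "user": first["user"],
                                 "mfa_ip": first["ip"], "replay_ip": second["ip"],
                                 "minutes_after_mfa": delta.total_seconds() / 60,
                                 "reasons": reasons})
    return findings


def build_sample_signins():
    """Constructed: one phished session replayed from another country and
    browser, one legitimate session roaming between two home-country IPs."""
    t0 = datetime(2024, 11, 5, 9, 0, 0)
    chrome_win = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
    firefox_linux = "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
    return [
        # bob completes MFA through the attacker's reverse proxy; four minutes
        # later the captured cookie is used from another host and country.
        {"time": t0, "user": "bob@contoso.example", "session_id": "s-phished",
         "ip": "203.0.113.50", "country": "NL", "user_agent": chrome_win,
         "mfa_satisfied": True},
        {"time": t0 + timedelta(minutes=4), "user": "bob@contoso.example",
         "session_id": "s-phished", "ip": "198.51.100.20", "country": "RU",
         "user_agent": firefox_linux, "mfa_satisfied": False},
        # alice moves from the office to a home connection: same country, same UA.
        {"time": t0, "user": "alice@contoso.example", "session_id": "s-roaming",
         "ip": "192.0.2.10", "country": "US", "user_agent": chrome_win,
         "mfa_satisfied": True},
        {"time": t0 + timedelta(minutes=25), "user": "alice@contoso.example",
         "session_id": "s-roaming", "ip": "192.0.2.77", "country": "US",
         "user_agent": chrome_win, "mfa_satisfied": False},
    ]


if __name__ == "__main__":
    for finding in detect_session_replay(build_sample_signins()):
        print(finding)
```

Note what the MFA-complete sign-in looks like in this scenario: it comes from the attacker's proxy, not from the victim's normal address, because the proxy relayed the victim's credentials and second factor. The replay is the second hop, which is why the rule keys on the session identifier rather than on the user's historical IPs.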
Phase 6 – Lateral Movement
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Lateral Movement | Pass-the-Hash / Pass-the-Ticket | T1550.002 / T1550.003 | APT28, Sandworm | WinSec 4624 (LogonType 3, NtLmSsp) with Key_Length=0, absent corresponding TGT request (4768). Alert on workstation-to-Tier-0 access patterns. | EDR / ITDR / SIEM |
Lateral Movement | RDP with Stolen Credentials | T1021.001 | Multiple Russian groups | WinSec 4624 (LogonType 10) from unexpected source. RDP from workstation to server segment. RDP outside business hours from non-admin account. | SIEM / NDR |
Lateral Movement | SMB/WMI Remote Execution | T1021.002 / T1021.006 | Sandworm, APT28 | WinSec 4624 + 4648: Logon Type 3 NTLM from workstation → server. Sysmon 1: WmiPrvSE.exe/services.exe spawns unexpected child process. | EDR / SIEM |
Lateral Movement | OAuth Lateral Pivot (Cloud) | T1550.001 | Midnight Blizzard | OAuth app accessing resources in tenant B after initial compromise in tenant A. Cross-tenant app consent. Service principal activity from unexpected IP. | Cloud SIEM / CASB |
Phase 7 – Collection & Exfiltration
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Collection | Email Collection via Graph/EWS API | T1114.002 | Midnight Blizzard | M365 UAL: MailItemsAccessed via Graph API with OAuth app. Volume >100 messages/hour from single app. App accessing mailboxes of senior leadership/security team. | Cloud SIEM / CASB |
Collection | Source Code Repository Access | T1213 | Midnight Blizzard Microsoft breach | GitHub/ADO: Clone/download events from service principal or unusual IP. Access to repos containing secrets, keys, or authentication code. | SCM Audit Logs / SIEM |
Exfiltration | C2 via Legitimate Cloud Services | T1567 | APT29 (OneDrive, Notion, Google Drive abuse), Turla | DLP/Proxy: Unusual upload volume to cloud storage services. Data exfil to cloud services not sanctioned by organization. | DLP / CASB / Proxy |
Exfiltration | DNS Tunneling | T1071.004 | APT28 | DNS: High volume of TXT/NULL queries to single domain. Unusually long subdomain labels (>30 chars). Entropy analysis on DNS query names. | NDR / DNS Monitoring / SIEM |
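For the DNS tunneling row, an added example that scores each registered domain on label length, label entropy, TXT/NULL volume and subdomain churn, over constructed query logs (not code from the cited reports). The registered domain is approximated as the last two labels; production code would consult the Public Suffix List.

```python
"""DNS tunnelling heuristics: label length, label entropy, TXT/NULL volume,
and subdomain churn per registered domain.

Added example over constructed query logs. The registered domain is
approximated as the last two labels (an assumption; use the Public Suffix
List in production).
"""
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    labels = qname.rstrip(".").lower().split(".")
    registered = ".".join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ""
    return registered, leftmost


def profile_dns(queries, min_unique_subdomains=10, max_label_len=30,
                entropy_threshold=3.5, txt_null_threshold=10):
    """Aggregate per registered domain and attach the reasons, if any, that
    make the domain look like a tunnel endpoint."""
    stats = defaultdict(lambda: {"queries": 0, "txt_null": 0, "subdomains": set(),
                                 "max_label_len": 0, "entropy_sum": 0.0})
    for q in queries:
        dom, leftmost = split_name(q["qname"])
        s = stats[dom]
        s["queries"] += 1
        if q["qtype"] in ("TXT", "NULL"):
            s["txt_null"] += 1
        s["subdomains"].add(leftmost)
        s["max_label_len"] = max(s["max_label_len"], len(leftmost))
        s["entropy_sum"] += shannon_entropy(leftmost)
    report = {}
    for dom, s in stats.items():
        avg_entropy = s["entropy_sum"] / s["queries"]
        reasons = []
        if s["txt_null"] >= txt_null_threshold:
            reasons.append("txt_null_volume")
        if s["max_label_len"] > max_label_len:
            reasons.append("long_label")
        if len(s["subdomains"]) >= min_unique_subdomains and avg_entropy >= entropy_threshold:
            reasons.append("high_entropy_churn")
        report[dom] = {"queries": s["queries"], "txt_null": s["txt_null"],
                       "unique_subdomains": len(s["subdomains"]),
                       "max_label_len": s["max_label_len"],
                       "avg_entropy": avg_entropy, "reasons": reasons}
    return report


def flagged_domains(queries, **thresholds):
    return sorted(d for d, r in profile_dns(queries, **thresholds).items() if r["reasons"])


def build_sample_queries():
    """Constructed: 12 TXT lookups whose leftmost labels are rotations of a
    32-character string holding each hex digit exactly twice (entropy exactly
    4 bits per character), beside ordinary A lookups."""
    base = "0123456789abcdef" * 2
    queries = [{"qname": f"{base[n:] + base[:n]}.cdn-update.example", "qtype": "TXT"}
               for n in range(12)]
    queries += [{"qname": "www.microsoft.com", "qtype": "A"} for _ in range(5)]
    queries += [{"qname": "mail.contoso.example", "qtype": "A"} for _ in range(3)]
    return queries


if __name__ == "__main__":
    for dom, row in profile_dns(build_sample_queries()).items():
        print(dom, row)
```

Entropy alone is a weak signal (CDN and telemetry hostnames are often hashes too), which is why the reasons are kept separate: a domain that is new to the estate, carries long high-entropy labels, churns through subdomains and is queried for TXT or NULL records is worth a ticket; a well-known domain that trips only the entropy check usually is not.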
Phase 8 – OT/ICS Targeting
Layer | Focus | Detection Logic |
--- | --- | --- |
Layer 1 | Network Visibility | Passive OT monitoring (Claroty/Dragos/Nozomi). Any ICS protocol (IEC-104, IEC-61850, Modbus, DNP3) from IT network to OT = immediate alert. |
Layer 2 | ICS Command Monitoring | IEC-104 commands outside baseline operating parameters. Breaker open/close commands from non-HMI workstation. Unauthorized setpoint changes. |
Layer 3 | Satellite/Telecom Integrity | Firmware integrity checks on satellite modems and telecom equipment. Unexpected management interface access. Mass device reboot/reset events. |
Why Industroyer2/AcidRain are uniquely dangerous:
Industroyer2 targets IEC-104 protocol directly — purpose-built for electric grid disruption
AcidRain is a generic wiper that targets embedded Linux devices — easily redeployable against any modem, router, or IoT device
Both demonstrate Russia's capability to attack infrastructure layers below endpoint visibility
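An added example of Layers 1 and 2 above, over constructed flow records (not code from Claroty, Dragos, Nozomi or any cited report): it classifies ICS-protocol flows by source zone and HMI allow-list, and decodes a constructed IEC-104 single-command APDU so that a control command from an unauthorised source is escalated. The zone ranges and the HMI list are placeholders a site would replace with its own inventory.

```python
"""Zone-crossing ICS traffic and IEC-104 control commands from unauthorised sources.

Added example: the flow records and the IEC 60870-5-104 APDU are constructed;
zone ranges and the HMI/SCADA allow-list are assumptions to replace with a
site's own asset inventory.
"""
import ipaddress

ICS_PORTS = {2404: "IEC-104", 502: "Modbus/TCP", 20000: "DNP3", 102: "IEC-61850 MMS / S7"}
# IEC-104 ASDU type IDs that carry commands (process information in control direction).
IEC104_CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))

IT_ZONE = [ipaddress.ip_network("10.10.0.0/16")]      # assumed corporate range
OT_ZONE = [ipaddress.ip_network("10.20.0.0/16")]      # assumed control-system range
AUTHORISED_HMI = {"10.20.0.5", "10.20.0.6"}            # assumed HMI/SCADA servers


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IT_ZONE):
        return "IT"
    if any(addr in net for net in OT_ZONE):
        return "OT"
    return "OTHER"


def parse_iec104_apdu(raw):
    """Parse an I-format IEC-104 APDU: start 0x68, length, 4-byte APCI, then an
    ASDU with 1-byte type ID, 1-byte VSQ, 2-byte COT, 2-byte common address and
    3-byte IOA. Returns None for S- and U-format frames, which carry no ASDU."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    length, ctrl = raw[1], raw[2:6]
    if ctrl[0] & 0x01:              # S-format (..01) or U-format (..11)
        return None
    asdu = raw[6:2 + length]
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    return {"type_id": asdu[0], "num_objects": asdu[1] & 0x7F, "cot": asdu[2] & 0x3F,
            "common_addr": asdu[4] | (asdu[5] << 8),
            "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
            "element": bytes(asdu[9:])}


def evaluate_flow(flow):
    """Return a finding for one flow {"src","dst","dport","payload"?} or None."""
    proto = ICS_PORTS.get(flow["dport"])
    if proto is None or zone_of(flow["dst"]) != "OT":
        return None
    src_zone = zone_of(flow["src"])
    asdu = None
    if proto == "IEC-104" and flow.get("payload"):
        asdu = parse_iec104_apdu(bytes.fromhex(flow["payload"]))
    is_control = bool(asdu) and asdu["type_id"] in IEC104_CONTROL_TYPES

    if src_zone != "OT":
        severity, rule = "CRITICAL", f"{proto} into OT from {src_zone} zone"
    elif flow["src"] not in AUTHORISED_HMI:
        severity = "CRITICAL" if is_control else "HIGH"
        rule = f"{proto} from non-HMI host inside OT"
    elif is_control:
        severity, rule = "INFO", "control command from authorised HMI (baseline)"
    else:
        return None
    finding = {"severity": severity, "rule": rule, "protocol": proto,
               "src": flow["src"], "dst": flow["dst"]}
    if asdu:
        finding["asdu"] = asdu
    return finding


def evaluate_flows(flows):
    return [f for f in (evaluate_flow(x) for x in flows) if f]


# Constructed APDU: type 45 (C_SC_NA_1 single command), COT 6 (activation),
# common address 1, IOA 1, SCO = ON. A breaker operation, in other words.
SINGLE_COMMAND_APDU = "680e000000002d010600010001000001"

SAMPLE_FLOWS = [  # constructed
    {"src": "10.20.0.5", "dst": "10.20.1.10", "dport": 2404, "payload": SINGLE_COMMAND_APDU},
    {"src": "10.10.5.22", "dst": "10.20.1.10", "dport": 2404, "payload": SINGLE_COMMAND_APDU},
    {"src": "10.20.0.99", "dst": "10.20.1.11", "dport": 502},
    {"src": "10.20.0.99", "dst": "10.20.1.10", "dport": 2404, "payload": SINGLE_COMMAND_APDU},
    {"src": "10.10.5.22", "dst": "10.20.0.50", "dport": 443},
]

if __name__ == "__main__":
    for finding in evaluate_flows(SAMPLE_FLOWS):
        print(finding)
```

The last sample flow (HTTPS from IT into OT) produces nothing here because it is not an ICS protocol; whether it violates the segmentation policy is a separate firewall-policy check. Layer 2's baseline (commands only from HMI, only within maintenance windows, only to expected IOAs) is what turns the INFO finding into a real allow-list.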
Phase 9 – Impact (Destructive Operations)
Phase | TTP | MITRE ID | Derived From | Detection Logic | Tooling |
--- | --- | --- | --- | --- | --- |
Impact | Disk Wiper Deployment | T1561.002 | HermeticWiper, WhisperGate, CaddyWiper, SwiftSlicer | Pre-wiper indicators: vssadmin delete shadows, wbadmin delete backup, bcdedit recovery disable. Active wiper: Write to \\.\PhysicalDrive0 or mass file overwrite (>500 files in burst). Alert: ANY vssadmin delete shadows = HIGH severity. | EDR / FIM / SIEM |
Impact | ICS Disruption (Industroyer2) | T0855 | Sandworm Industroyer2 (April 2022) | OT passive monitoring: IEC-104 commands from non-SCADA source. Breaker state changes outside maintenance window. Simultaneous commands to multiple substations. | OT NDR (Claroty/Dragos/Nozomi) |
Impact | Satellite/Modem Wiper (AcidRain) | T1561.002 | Sandworm AcidRain (Viasat) | Mass device offline events across satellite/modem fleet. Firmware integrity check failures. Management platform showing bulk device disconnection. | NOC Monitoring / Device Management |
Impact | Ransomware (as Cover for Destruction) | T1486 | Sandworm (NotPetya precedent), Cadet Blizzard (WhisperGate) | WhisperGate displayed fake ransom note with no recovery mechanism. Detect: Ransom note file creation + absence of actual C2/payment infrastructure = destructive operation masquerading as ransomware. | EDR / SIEM |
Impact | GPO-Deployed Wiper | T1484.001 + T1561 | Sandworm ZEROLOT | GPO modification + SYSVOL script deployment + mass endpoint execution within minutes. Alert: Any new GPO with script deployment outside change management = CRITICAL. | AD Monitoring / SIEM |
Detection Engineering Master Matrix
Phase | TTP | MITRE ID | Log Source | Key Event ID / Indicator | Actor |
Initial Access | Password spray (residential proxy) | T1110.003 | Entra ID Sign-in | Distributed auth failures from residential ASN IPs | Midnight Blizzard |
Initial Access | OAuth token abuse | T1078.004 | M365 UAL | MailItemsAccessed via OAuth app without interactive sign-in | Midnight Blizzard |
Initial Access | Outlook NTLM relay | T1187 | Exchange / Sysmon | Calendar item with UNC path + outbound SMB to external IP | APT28 |
Initial Access | Edge device exploitation | T1190 | VPN/Edge syslog | Auth bypass or management access from external IP | Sandworm BadPilot |
Initial Access | RDP file spear-phishing | T1566.001 | Email GW / EDR | .rdp attachment + mstsc.exe from Outlook context | Midnight Blizzard |
Initial Access | Device code auth phishing | T1078.004 | Entra ID | Device code flow from unassociated IP/device | APT29 (2025) |
Persistence | OAuth app registration | T1098.003 | Entra ID Audit | New app with Mail.Read/full_access_as_app permissions | Midnight Blizzard |
Persistence | AD FS backdoor | T1556.007 | EDR / FIM | Unexpected DLL in AD FS process | APT29 |
Persistence | Web shell — ASPX drop | T1505.003 | Sysmon 11 | w3wp.exe creates .aspx in web root | Sandworm |
Persistence | GPO modification | T1484.001 | WinSec 5136 | GPO change outside change window with script deployment | Sandworm |
Credential Access | LSASS dump | T1003.001 | Sysmon 10 | lsass.exe GrantedAccess 0x1fffff from non-AV | APT28, Sandworm |
Credential Access | DCSync | T1003.006 | WinSec 4662 | DS-Replication-Get-Changes-All by non-DC account | Sandworm, APT28 |
Credential Access | AiTM session theft | T1557 | Entra ID | Post-MFA session replay from geo-distinct IP | Star Blizzard |
Credential Access | Token-signing cert theft | T1552.004 | FIM / AD FS logs | Export of token-signing cert or DKM access | APT29 |
Defense Evasion | DLL side-loading | T1574.002 | Sysmon 7 | Legitimate app loads DLL from user-writable path | APT29, APT28 |
Defense Evasion | Log clearing | T1070.001 | WinSec 1102 | Audit log cleared on server | All |
Defense Evasion | LOLBin abuse | T1218 | Sysmon 1 | mshta/certutil/rundll32 with external URL | APT28, Sandworm |
Lateral Movement | Pass-the-Hash | T1550.002 | WinSec 4624 | LogonType 3 + NTLM + Key_Length=0 | APT28, Sandworm |
Lateral Movement | RDP lateral movement | T1021.001 | WinSec 4624 | LogonType 10 from workstation to server | Multiple |
Lateral Movement | OAuth lateral pivot | T1550.001 | Cloud SIEM | Cross-tenant app consent or service principal pivot | Midnight Blizzard |
Collection | API mail access | T1114.002 | M365 UAL | MailItemsAccessed via Graph/EWS OAuth app | Midnight Blizzard |
Collection | Source code access | T1213 | SCM audit logs | Repo clone from service principal or unusual IP | Midnight Blizzard |
Exfiltration | Cloud service upload | T1567 | DLP/Proxy | Large upload to unsanctioned cloud storage | APT29, Turla |
Exfiltration | DNS tunneling | T1071.004 | DNS logs | High-entropy subdomain queries to single domain | APT28 |
Impact | Disk wiper | T1561.002 | EDR / Sysmon | Raw disk write by unexpected process OR mass file overwrite | Sandworm, Cadet Blizzard |
Impact | ICS command injection | T0855 | OT NDR | IEC-104 command from non-SCADA source | Sandworm |
Impact | GPO-deployed wiper | T1484.001 | WinSec 5136 | GPO + SYSVOL script + mass execution | Sandworm |
Pre-Impact | VSS/backup destruction | T1490 | Sysmon 1 | vssadmin delete shadows /all | All (pre-wiper) |
Part IV — Threat Hunt Hypotheses
Disclaimer: These hunts complement EDR/ITDR and other security tool alerting. Mature platforms may detect portions or most of this activity, but correlation, tuning, and escalation logic determine whether an intrusion is caught pre-impact or post-destruction.
Hunt 1: Midnight Blizzard — Orphaned OAuth Applications
Hypothesis: Legacy OAuth applications with elevated permissions are being abused for mailbox access without interactive sign-in.
Note: Mature ITDR platforms may alert on anomalous OAuth activity — validate coverage before building custom logic.
Core Detection Logic:
Enumerate all OAuth app registrations in Entra ID with Mail.Read, Mail.ReadWrite, Mail.Send, or full_access_as_app permissions
Cross-reference against approved application inventory
Flag: Any app not in approved inventory with mail permissions = immediate review
Secondary: OAuth app accessing >10 distinct mailboxes OR mailboxes of executives/security team
High Confidence: Any legacy OAuth app (created >1 year ago) with mail permissions that was not recently re-consented by an admin = HIGH risk. Midnight Blizzard specifically targets dormant, forgotten applications.
Hunt 2: APT28 — Outlook NTLM Relay Artifacts
Hypothesis: Crafted calendar/task items with UNC paths triggering automatic NTLM authentication to attacker-controlled servers.
Core Detection Logic:
Search Exchange mailbox items (calendar entries, tasks, notes) for the PidLidReminderFileParameter property (the reminder sound path Outlook opens automatically) containing UNC paths (\\IP\share or \\hostname\share, including the WebDAV form \\host@80\share that Windows falls back to when TCP 445 is blocked)
Correlate with outbound SMB (TCP 445) or WebDAV traffic to external IPs
Check perimeter and proxy logs for outbound NTLM authentication to external hosts; the receiving end is typically an NTLM relay such as Impacket ntlmrelayx
Alert Threshold: Any Exchange item containing UNC path to external IP = CRITICAL. No legitimate business reason for calendar items to reference external file shares via UNC.
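The following is an added example, not code from the original article: a small Python scanner that applies the first check of this hunt to mailbox items exported as property dictionaries, flagging any UNC reference and rating it CRITICAL when the host is outside the organization. The sample items and the internal DNS suffix are constructed for illustration; the property name PidLidReminderFileParameter is the one Outlook consults for the reminder sound path. How you obtain the property dump (Microsoft published a PowerShell audit script for this CVE, or your own EWS/Graph export) is an assumption about your tooling.

```python
"""Added example (not the article's code): find Outlook/Exchange items whose MAPI
properties carry a UNC path, the artifact left by CVE-2023-23397-style items."""
import ipaddress
import re

# Matches \\host\share\path, including the WebDAV forms \\host@80\... and \\host@SSL@443\...
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?:@(?:SSL@)?\d+)?\\[^\s\"'<>]+")

# Assumption: the organization's internal DNS suffixes (hypothetical value).
INTERNAL_SUFFIXES = (".corp.example.local",)


def host_is_external(host: str) -> bool:
    """True when the UNC host is outside the org: a globally routable IP, or a DNS
    name not under an internal suffix. Bare NetBIOS names are treated as internal."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        h = host.lower().rstrip(".")
        if "." not in h:
            return False
        return not h.endswith(INTERNAL_SUFFIXES)


def scan_items(items):
    """items: list of {id, mailbox, props: {mapi_property: value}}.
    Returns one finding per UNC reference; external host -> CRITICAL, internal -> LOW."""
    findings = []
    for item in items:
        for prop, value in item["props"].items():
            if not isinstance(value, str):
                continue
            for m in UNC_RE.finditer(value):
                host = m.group(1)
                findings.append({
                    "item": item["id"],
                    "mailbox": item["mailbox"],
                    "property": prop,
                    "host": host,
                    "unc": m.group(0),
                    "severity": "CRITICAL" if host_is_external(host) else "LOW",
                })
    return findings


# Constructed sample mailbox items (not real data; the public IP and hostnames are made up).
SAMPLE_ITEMS = [
    {"id": "cal-001", "mailbox": "ceo@example.com", "props": {
        "PidLidReminderFileParameter": r"\\91.210.45.12\share\reminder.wav",   # forced auth to a public IP
        "PidLidReminderOverride": True}},
    {"id": "task-002", "mailbox": "ceo@example.com", "props": {
        "PidLidReminderFileParameter": r"\\updates.attacker.example.net@80\dav\alert.wav"}},  # WebDAV form
    {"id": "cal-003", "mailbox": "ops@example.com", "props": {
        "body": r"Slides at \\fileserver01.corp.example.local\team\q3.pptx"}},       # internal share
    {"id": "cal-004", "mailbox": "ops@example.com", "props": {
        "body": "Lunch at noon"}},
]

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        print(f"{f['severity']:8} {f['mailbox']} {f['item']} {f['property']} -> {f['unc']}")
```

The internal-share hit is kept at LOW rather than dropped: a UNC path pointing at an internal host you do not recognise can still be a relay staged from a compromised workstation, so it belongs in the review queue even though the article's CRITICAL threshold is reserved for external hosts.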
Hunt 3: Sandworm — Pre-Wiper Staging Activity
Hypothesis: GRU operator is preparing environment for destructive wiper deployment.
Core Detection Stack (correlate within 48h window, tune per environment):
vssadmin delete shadows /all
wbadmin delete catalog -quiet or wbadmin delete systemstatebackup
bcdedit /set {default} recoveryenabled No
GPO modification with script deployment to server OUs
SYSVOL write of executable/script files
Escalation Logic:
1 indicator → HIGH
2+ indicators on same host or within same AD site → CRITICAL (assume imminent wiper deployment)
GPO modification + SYSVOL script + VSS deletion = CRITICAL — initiate containment immediately
CRITICAL: Russia's historical wiper deployments were preceded by hours (not weeks) of pre-staging. If these capabilities are turned against US targets, detection-to-containment SLA must be measured in minutes, not days.
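As an added example (not the article's own code), the escalation logic of this hunt expressed as a correlation routine over Sysmon event 1, Sysmon event 11 and Windows Security 5136 records. The events are constructed, and the field names (event, host, site, command_line, object_class, target_file) assume a SIEM export that has already been normalized and enriched with the AD site, which is an assumption about your pipeline. It scores both per host and per site, because the GPO change lands on a domain controller while the recovery destruction runs on the member servers the GPO targets.

```python
"""Added example (not the article's code): correlate pre-wiper staging indicators
per host and per AD site inside a 48h window and apply the hunt's escalation logic."""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(hours=48)   # correlation window from the hunt; tune per environment

# Command-line signatures for the recovery-destruction indicators (Sysmon event 1).
CMD_PATTERNS = {
    "vss_delete":    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "backup_delete": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
    "recovery_off":  re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}
# Script or binary written under SYSVOL (Sysmon event 11).
SYSVOL_SCRIPT = re.compile(r"\\sysvol\\.*\.(?:ps1|bat|cmd|vbs|exe|dll)$", re.I)
RECOVERY_KILLERS = {"vss_delete", "backup_delete", "recovery_off"}


def classify(ev):
    """Map one normalized event to an indicator name, or None if it is not one.
    Field names (event, command_line, object_class, target_file) are assumed."""
    if ev["event"] == "sysmon_1":                                   # process creation
        for name, pat in CMD_PATTERNS.items():
            if pat.search(ev["command_line"]):
                return name
    elif ev["event"] == "winsec_5136":                              # DS object modified
        if ev.get("object_class") == "groupPolicyContainer":
            return "gpo_modified"
    elif ev["event"] == "sysmon_11" and SYSVOL_SCRIPT.search(ev["target_file"]):
        return "sysvol_script_write"
    return None


def severity(indicators):
    """1 indicator -> HIGH; 2+ -> CRITICAL; GPO change + SYSVOL script + any
    recovery destruction -> CRITICAL with immediate containment."""
    contain = ({"gpo_modified", "sysvol_script_write"} <= indicators
               and bool(indicators & RECOVERY_KILLERS))
    return ("CRITICAL" if len(indicators) >= 2 else "HIGH"), contain


def correlate(events, window=WINDOW):
    """Return {(scope, name): alert} for scope in host/site, keeping for each
    the widest indicator set seen inside any window-sized span."""
    hits = []
    for ev in events:
        ind = classify(ev)
        if ind:
            hits.append({"ts": datetime.fromisoformat(ev["ts"]), "host": ev["host"],
                         "site": ev["site"], "indicator": ind})
    hits.sort(key=lambda h: h["ts"])
    alerts = {}
    for scope in ("host", "site"):
        for h in hits:
            seen = {x["indicator"] for x in hits
                    if x[scope] == h[scope] and h["ts"] - window <= x["ts"] <= h["ts"]}
            key = (scope, h[scope])
            if key not in alerts or len(seen) > len(alerts[key]["indicators"]):
                level, contain = severity(seen)
                alerts[key] = {"indicators": seen, "severity": level,
                               "contain": contain, "last_seen": h["ts"]}
    return alerts


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00", "host": "DC01", "site": "HQ", "event": "winsec_5136",
     "object_class": "groupPolicyContainer", "subject": "CORP\\svc-backup"},
    {"ts": "2026-03-01T08:05:00", "host": "DC01", "site": "HQ", "event": "sysmon_11",
     "target_file": r"C:\Windows\SYSVOL\domain\scripts\update.ps1"},
    {"ts": "2026-03-01T08:40:00", "host": "SRV-FILE01", "site": "HQ", "event": "sysmon_1",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-03-01T08:41:00", "host": "SRV-FILE01", "site": "HQ", "event": "sysmon_1",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2026-03-01T09:00:00", "host": "WS-099", "site": "HQ", "event": "sysmon_1",
     "command_line": "vssadmin list shadows"},                     # benign, not an indicator
    {"ts": "2026-03-04T14:00:00", "host": "WS-042", "site": "BRANCH", "event": "sysmon_1",
     "command_line": "vssadmin delete shadows /all"},             # isolated, single indicator
]

if __name__ == "__main__":
    for (scope, name), a in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{a['severity']:8} contain={a['contain']!s:5} {scope}={name} "
              f"indicators={sorted(a['indicators'])}")
```

With the sample data the file server alone reaches CRITICAL (two recovery-destruction commands), the domain controller alone reaches CRITICAL (GPO change plus SYSVOL script), and only the site-level view combines them into the containment trigger; the lone shadow-copy deletion at the branch three days later stays at HIGH, which is where your change-management lookup decides whether it was an administrator.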
Hunt 4: Residential Proxy Password Spray
Hypothesis: SVR is conducting low-volume password spray through distributed residential proxy infrastructure to avoid lockout thresholds.
Core Detection Logic:
Aggregate all Entra ID sign-in failures over 24h rolling window
Filter for source IPs mapping to residential ISP ASNs (not commercial/VPN/enterprise)
Correlate: >10 distinct residential IPs attempting auth against the same tenant within the window, each with <5 attempts (low enough to stay under lockout thresholds)
Secondary: Successful auth from residential IP immediately following distributed failure pattern
Alert Threshold: Distributed residential-IP auth failures across >10 IPs targeting same tenant within 24h = HIGH. Successful login from residential IP after failure pattern = CRITICAL.
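An added example, not from the original article: the aggregation described above run over a constructed set of Entra ID sign-in records. It assumes each record is enriched with the source ASN's type (residential, business, hosting) by an IP-intelligence feed, a field Entra ID does not provide natively; the addresses and user names are made up. The thresholds are the hunt's illustrative values and are meant to be tuned.

```python
"""Added example (not the article's code): detect a low-and-slow password spray
distributed across residential proxy exits in Entra ID sign-in data."""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # rolling window from the hunt
MIN_DISTINCT_IPS = 10          # alert when more than this many residential IPs fail in a window
MAX_ATTEMPTS_PER_IP = 5        # each exit stays under this to avoid lockout
# Thresholds are illustrative; tune per environment.


def detect_spray(records, window=WINDOW):
    """records: sign-in rows {ts, user, ip, asn_type, result}. asn_type is assumed to come
    from IP-intelligence enrichment (residential / business / hosting).
    Returns the strongest window found, with severity None, HIGH or CRITICAL."""
    residential = sorted((r for r in records if r["asn_type"] == "residential"),
                         key=lambda r: r["ts"])
    failures = [r for r in residential if r["result"] == "failure"]
    best = {"severity": None, "distinct_ips": 0, "users": set(),
            "window_start": None, "success": None}
    for anchor in failures:                       # try each failure as a window start
        end = anchor["ts"] + window
        in_win = [r for r in failures if anchor["ts"] <= r["ts"] <= end]
        per_ip = Counter(r["ip"] for r in in_win)
        low_volume = {ip for ip, n in per_ip.items() if n < MAX_ATTEMPTS_PER_IP}
        if len(low_volume) > best["distinct_ips"]:
            best.update(distinct_ips=len(low_volume), window_start=anchor["ts"],
                        users={r["user"] for r in in_win if r["ip"] in low_volume})
    if best["distinct_ips"] > MIN_DISTINCT_IPS:
        best["severity"] = "HIGH"
        # Secondary indicator: a residential-IP success once the distributed failures began.
        end = best["window_start"] + window
        for r in residential:
            if r["result"] == "success" and best["window_start"] <= r["ts"] <= end:
                best["severity"], best["success"] = "CRITICAL", r
                break
    return best


def _constructed_signins():
    """Made-up sign-in data: 12 residential exits with 2 failures each spread over ~7h,
    one office user mistyping a password, and one eventual success from a spray exit."""
    base = datetime(2026, 3, 2, 1, 0)
    users = ["alice", "bob", "carol", "dave"]
    rows = []
    for i in range(12):
        ip = f"92.{i}.{i}.{i + 1}"       # constructed; residential status comes from enrichment
        for j in range(2):
            rows.append({"ts": base + timedelta(minutes=15 * i + 240 * j),
                         "user": users[(i + j) % len(users)], "ip": ip,
                         "asn_type": "residential", "result": "failure"})
    rows += [{"ts": base + timedelta(minutes=m), "user": "erin", "ip": "198.51.100.7",
              "asn_type": "business", "result": "failure"} for m in (5, 6, 7)]
    rows.append({"ts": base + timedelta(hours=9), "user": "carol", "ip": "92.3.3.4",
                 "asn_type": "residential", "result": "success"})
    return rows


SAMPLE_SIGNINS = _constructed_signins()

if __name__ == "__main__":
    hit = detect_spray(SAMPLE_SIGNINS)
    print(hit["severity"], hit["distinct_ips"], "IPs, targeted:", sorted(hit["users"]),
          "success:", hit["success"] and hit["success"]["user"])
```

The per-IP cap matters more than it looks: a single misconfigured VPN concentrator can also generate dozens of failures from one residential-looking address, and dropping high-volume IPs from the count keeps that noise from tripping the distributed-spray logic while the genuine two-attempts-per-exit pattern still does.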
Hunt 5: AD FS / Federated Authentication Backdoor
Hypothesis: APT29 has backdoored AD FS to forge authentication tokens (FoggyWeb / MagicWeb pattern).
Core Detection Logic:
Audit all DLLs loaded by AD FS service process against known-good baseline
Check AD FS configuration database for unauthorized modifications
Monitor access to DKM (Distributed Key Management) container in Active Directory
Verify token-signing certificate has not been exported or duplicated
Alert Threshold: Any unexpected DLL in AD FS process = CRITICAL. Any DKM container access from non-AD-FS server = CRITICAL. Token-signing certificate export event = CRITICAL. These are definitive indicators of authentication infrastructure compromise.
Hunt 6: Turla — Multi-Actor Infrastructure Overlap
Hypothesis: Turla is operating through C2 infrastructure belonging to another threat actor, making attribution and scoping incomplete.
Core Detection Logic:
For any confirmed intrusion attributed to a non-Russian APT: check for secondary implants not matching the attributed actor's known tooling
Look for TinyTurla, TwoDash, Statuezy, MiniPocket indicators alongside non-Russian APT tools
Monitor for unexplained lateral movement or data access that exceeds the attributed actor's known objectives
Alert Threshold: Finding implants from two distinct threat actors in the same environment = immediate re-scoping of incident. Turla's infrastructure parasitism means single-actor attribution may miss the more dangerous operator.
Hunt 7: Sandworm BadPilot — Edge Device Compromise
Hypothesis: Sandworm subgroup has exploited known vulnerabilities in internet-facing applications for persistent access.
Core Detection Logic:
Audit all internet-facing Exchange, Fortinet, ConnectWise ScreenConnect, and WatchGuard appliances for patch status
Check for web shells in Exchange web paths (aspnet_client, OWA/auth)
Review ConnectWise ScreenConnect for unauthorized admin accounts (CVE-2024-1709 auth bypass)
FortiClient EMS: Check for unauthorized admin accounts or configuration changes following the CVE-2023-48788 SQL injection (unauthenticated remote code execution on the EMS server)
Alert Threshold: Any unpatched internet-facing application in the BadPilot target set = assume compromised until verified. Any web shell or unauthorized admin account = CRITICAL.
Part V — Leadership Briefing: Strategic Threat Posture
The Strategic Reality
Russia's cyber threat is fundamentally different from China (patient, infrastructure-focused espionage), Iran (reactive, escalation-driven), and DPRK (financially motivated theft). Russia operates as a multi-doctrine adversary: its GRU units conduct destruction and critical infrastructure pre-positioning against Western targets, its SVR conducts patient strategic espionage through US cloud infrastructure, and its FSB conducts targeted credential theft and influence operations — all simultaneously, against overlapping target sets, with different risk tolerances and detection profiles.
The key insight: you are not facing one Russian cyber threat — you are facing three organizationally distinct threats that happen to share a flag. Each requires a different detection investment. The SVR has already breached Microsoft. Sandworm is already targeting US energy and telecom. Star Blizzard is already phishing US think tanks and defense researchers.
Three Things Leadership Must Understand
Cloud identity is the SVR's primary attack surface — and they have already compromised the providers.
Midnight Blizzard breached Microsoft's own corporate environment through a password spray against a test account without MFA. They then pivoted via a legacy OAuth application to access senior leadership email and source code. If the SVR can compromise Microsoft, your cloud tenant's security posture matters enormously. The most impactful defensive investment against SVR espionage is cloud identity hygiene: eliminate legacy OAuth apps, enforce MFA on all accounts (including test/dev/service), implement conditional access policies, and monitor the M365 Unified Audit Log continuously.
Investment priority: Complete OAuth application audit, legacy tenant cleanup, MFA enforcement on all accounts including service principals, and E5-level UAL monitoring.
Russia has demonstrated industrial-scale destructive capability — and it is now targeting the US.
GRU units proved they can produce 9+ distinct wiper families in a single year. AcidRain disrupted internet across Europe via Viasat satellite modems. By 2025, Sandworm's BadPilot campaign confirmed active targeting of US, UK, Canadian, and Australian organizations in energy, telecom, and government sectors. The destructive capability has been proven, the targeting has gone global, and the pre-positioning is underway.
Investment priority: Destructive malware pre-staging detection (VSS deletion, backup destruction, GPO-deployed scripts), OT/ICS network segmentation, and incident response playbooks that account for wiper scenarios (where "restore from backup" IS the recovery, not "patch and reimage").
The APT28 Outlook vulnerability was exploited for roughly 20 months, before and after the patch: zero-click, zero-interaction.
CVE-2023-23397 required no user interaction: a crafted message arriving in Outlook for Windows was enough to trigger NTLM authentication to the attacker's server. APT28 exploited it against 30+ organizations across 14 nations (most of them NATO members) over roughly 20 months, beginning about a year before the March 2023 patch and continuing against unpatched clients afterward. This is not a theoretical risk; it is a demonstrated capability where merely receiving an email leaks your credentials.
Investment priority: Aggressive patching of Outlook for Windows clients (the vulnerable component; an up-to-date Exchange Online tenant does not protect an unpatched client) and on-premises Exchange, NTLM relay protections (Extended Protection for Authentication on Exchange, SMB signing, blocking outbound TCP 445 and WebDAV to the internet), and credential hygiene that limits the blast radius of a stolen NTLM hash (Protected Users group membership for privileged accounts, NTLM restriction where feasible).
Risk Prioritization by Actor
Actor | Likelihood | Impact | Your Asset at Risk |
Midnight Blizzard (APT29/SVR) | HIGH (demonstrated breach of Microsoft, TeamViewer; active targeting of US gov/tech) | CRITICAL | Executive communications, source code, authentication infrastructure |
APT28 (GRU 26165) | HIGH (broad US/NATO gov/defense targeting; Outlook zero-day precedent) | HIGH | Credentials (NTLM), email, military/defense intelligence |
Sandworm (GRU 74455) | HIGH (confirmed US energy/telecom targeting via BadPilot) | CRITICAL | OT/ICS systems, power grid, satellite communications, data destruction |
Cadet Blizzard (GRU 29155) | MEDIUM (NATO-focused, expanding scope) | HIGH | Data destruction, reputational damage |
Turla (FSB Center 16) | MEDIUM (highly targeted but sophisticated) | HIGH | Long-duration espionage, diplomatic/military intelligence |
Gamaredon (FSB 5th Service) | LOW (historically regionally focused) | MEDIUM | Government communications, regional intelligence |
Star Blizzard (FSB Center 18) | MEDIUM–HIGH (active campaigns against US think tanks, academia, defense) | HIGH | Credentials, email access, influence operations |
This document reflects threat intelligence through March 2026, including the 2026 annual threat reports published by established vendors and campaign reporting through Q1 2026. Russia's operational tempo against US and Western targets has increased steadily since 2022 and shows no signs of abatement. When reviewing this document's currency, always check the current US-Russia geopolitical status.
Master References Index
Annual Threat Intelligence Reports
Report | Publisher | Year |
Global Threat Report | CrowdStrike | 2022 - 2026 |
Threat Hunting Report | CrowdStrike | 2021 - 2025 |
M-Trends Report | Mandiant / Google Cloud | 2021 - 2026 |
Microsoft Digital Defense Report | Microsoft | 2021 - 2025 |
Global Incident Response Report | Unit 42 (Palo Alto Networks) | 2025 - 2026 |
IBM X-Force Threat Intelligence Index | IBM X-Force | 2025 |
Cybersecurity Report | Check Point Research | 2022 - 2026 |
ODNI Annual Threat Assessment | Office of the Director of National Intelligence | 2022–2025 |
FBI Internet Crime Report | FBI IC3 | 2021–2024 |
Additional Vendor Reports
Report | Publisher | Year |
OT/ICS Cybersecurity Year in Review 2025 | Dragos | 2026 |
Red Canary Threat Detection Report | Red Canary | 2025 |
Sophos Threat Report | Sophos | 2025 |
Trellix Advanced Threat Research Report | Trellix | 2024 |
Government & Regulatory Advisories
Title | Publisher | Date |
Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA / FBI / NSA / Five Eyes | April 2022 |
Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure | CISA / FBI / NSA | January 2022 |
Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks | CISA / FBI / NSA | February 2022 |
Destructive Malware Targeting Organizations in Ukraine (WhisperGate) | CISA | February 2022 |
Russia's FSB Malicious Cyber Activity — Star Blizzard | CISA / NCSC-UK / FBI / NSA | December 2023 |
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | CISA / FBI / NSA / Five Eyes | December 2023 |
SVR Cyber Actors Adapt Tactics for Initial Cloud Access | CISA / NCSC-UK / NSA / FBI | February 2024 |
Shields Up — Guidance for Organizations in Response to Russian Cyber Threats | CISA | February 2022 (ongoing) |
Russia Cyber Threat Overview and Advisories | CISA | Ongoing |
Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware (Sandworm) | US Department of Justice | October 2020 |
Rewards for Justice — Russian Military Intelligence Officers (WhisperGate / Unit 29155) | US Department of State | September 2024 |
Campaign-Specific Vendor Reporting (2021–2026)
Campaign / Actor | Report Title | Publisher | Date |
WhisperGate / Cadet Blizzard | | Microsoft MSTIC | January 2022 |
Cadet Blizzard | Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor | Microsoft MSTIC | June 2023 |
HermeticWiper | | ESET (WeLiveSecurity) | February 2022 |
HermeticWiper | | SentinelLabs | February 2022 |
Industroyer2 / Sandworm | | ESET (WeLiveSecurity) | April 2022 |
AcidRain / Sandworm | | SentinelLabs | March 2022 |
AcidPour / Sandworm | AcidPour: New Embedded Wiper Variant of AcidRain Appears in Ukraine | SentinelLabs | March 2024 |
Ukraine Wiper Campaign | | ESET (WeLiveSecurity) | February 2023 |
Sandworm / APT44 | Unearthing APT44: Russia's Notorious Cyber Sabotage Unit Sandworm | Mandiant / Google Cloud | April 2024 |
Sandworm / Industroyer2 | | Mandiant / Google Cloud | November 2022 |
Sandworm / BadPilot | The BadPilot Campaign: Seashell Blizzard Subgroup Conducts Multiyear Global Access Operation | Microsoft Threat Intelligence | February 2025 |
Sandworm / Poland | | ESET Research | 2025 |
Sandworm / SwiftSlicer | | ESET (WeLiveSecurity) | January 2023 |
Midnight Blizzard / Microsoft Breach | Midnight Blizzard: Guidance for Responders on Nation-State Attack | Microsoft Security Blog | January 2024 |
Midnight Blizzard / Microsoft Breach | Microsoft Actions Following Attack by Nation-State Actor Midnight Blizzard | Microsoft MSRC | January 2024 |
Midnight Blizzard / Microsoft Breach | Update on Microsoft Actions Following Attack by Midnight Blizzard | Microsoft MSRC | March 2024 |
Midnight Blizzard / RDP Phishing | Midnight Blizzard Conducts Large-Scale Spear-Phishing Campaign Using RDP Files | Microsoft Security Blog | October 2024 |
Midnight Blizzard / Teams | Midnight Blizzard Conducts Targeted Social Engineering Over Microsoft Teams | Microsoft Security Blog | August 2023 |
Midnight Blizzard / Cloud Tactics | SVR Cyber Actors Adapt Tactics for Initial Cloud Access | CISA / NCSC-UK / NSA / FBI | February 2024 |
APT29 / Diplomatic Phishing | | Mandiant / Google Cloud | 2022 |
APT29 / Watering Hole 2025 | | AWS Security Blog | 2025 |
APT28 / CVE-2023-23397 | | Unit 42 (Palo Alto Networks) | 2023 |
APT28 / GooseEgg (CVE-2022-38028) | Analyzing Forest Blizzard's Custom Post-Compromise Tool for Exploiting CVE-2022-38028 | Microsoft Security Blog | April 2024 |
APT28 / CVE-2023-23397 | | Microsoft Security Blog | March 2023 |
Turla / Secret Blizzard | Frequent Freeloader Part I: Secret Blizzard Compromising Storm-0156 Infrastructure | Microsoft Security Blog | December 2024 |
Star Blizzard | | NCSC-UK | December 2023 |
Star Blizzard / WhatsApp | New Star Blizzard Spear-Phishing Campaign Targets WhatsApp Accounts | Microsoft Security Blog | January 2025 |
TeamViewer / Midnight Blizzard | | BleepingComputer | June 2024 |
APT28 / Operation Neusploit | APT28 Stealthy Campaign Leveraging CVE-2026-21509 and Cloud C2 | Trellix | February 2026 |
APT28 / BadPaw & MeowMeow | | SecurityAffairs | 2026 |
Star Blizzard / DarkSword | Star Blizzard Targets Reporters with DarkSword iOS Exploit Kit | Infosecurity Magazine | March 2026 |
Sandworm / Global Infrastructure | | Barracuda Networks | March 2026 |
Pro-Russia Hacktivists / OT | Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure | CISA / FBI / NSA / EPA / DoD | December 2025 |
Russia Cyber Overview | Dark Covenant 2.0: Cybercrime, Russian State, and War in Ukraine | Recorded Future Insikt Group | 2024 |
Russia Cyber Overview | | Mandiant / Google Cloud | 2022 |
Russian State-Actor Overview | | Recorded Future Insikt Group | 2024 |
APT29 / BlueBravo | BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton | Recorded Future Insikt Group | 2023 |
MITRE ATT&CK Group Profiles
Group ID | Name | Profile Link |
G0016 | APT29 (Midnight Blizzard / Cozy Bear) | |
G0007 | APT28 (Forest Blizzard / Fancy Bear) | |
G0034 | Sandworm (Seashell Blizzard / APT44) | |
G0010 | Turla (Secret Blizzard / Venomous Bear) | |
G0047 | Gamaredon (Aqua Blizzard / Primitive Bear) | |
G1013 | Cadet Blizzard (DEV-0586) | |
G1003 | Star Blizzard (COLDRIVER / Callisto) |