US should rethink current views of Russia’s cyber might, new report says

U.S. policymakers should reassess their assumptions about Russia’s cyber capabilities to include its murky cybercrime ecosystem that doesn’t always have clear ties to Kremlin intelligence agencies, a new paper argues.

The Atlantic Council report released Tuesday stresses that Russia still poses a major threat to the U.S. in cyberspace, but its cyber operations are less centralized and coordinated than previously assumed. A fragmented mix of government agencies, criminal groups and loosely affiliated hackers may undermine the idea that Russian cyber operations are centrally directed or strategically cohesive, argues Justin Sherman, the report’s author.

In the days leading up to Russia’s invasion of Ukraine, Western security officials and analysts were bracing for an all-out Russian cyber onslaught that would have delivered a “kill strike” like a country-wide power outage targeting Ukraine, Sherman writes, noting that “Ukrainian and NATO defenses … were sufficient to (mainly) withstand the most disruptive Russian cyber operations, compared at least to pre-February 2022 expectations.”

In the early hours of Russia’s incursion, Kremlin-tied hackers disabled some 40,000 KA-SAT Viasat modems used in Kyiv and other cities across Europe. They transmitted a wiper malware — dubbed later as Acid Rain — that triggered mass communications disruptions at the start of the war, both Viasat and the National Security Agency later concluded. But the cyberattack didn’t do much to kneecap Ukrainian forces in the long-term.

“Russia’s continued cyber activity and major gaps between wartime cyber expectations and reality demand a Western rethink of years-old assumptions about Russia and cyber power — and of outdated ways of confronting the threats ahead,” writes Sherman, a nonresident senior fellow at the Atlantic Council and CEO of Global Cyber Strategies.

The report recommends that U.S. policymakers distinguish between Russia’s cyber capabilities and how effectively it uses them, but it also advises against viewing Moscow’s cyber actions in isolation from its broader hostility toward the U.S. and Western allies. It also argues for maintaining robust intelligence-sharing with allies and investing in both defensive and offensive cyber operations, where appropriate.

Russia’s three main intelligence services — the FSB, GRU and SVR — all run assertive cyber campaigns, but often without coordination, says the report, which highlights how these agencies overlap, compete and sometimes even duplicate efforts, undercutting the idea that Russia’s cyber activity is centrally directed.

Both GRU and SVR hackers, for instance, infiltrated the Democratic National Committee in 2016, possibly unaware the other was doing the same, Sherman writes. The GRU tends to favor destructive attacks, like wiper malware, while the SVR focuses more on espionage. The FSB, meanwhile, straddles both domestic and foreign operations and maintains ties to cybercriminal groups.

Rather than a streamlined Russian cyber command structure, the report describes a fragmented system driven by bureaucratic turf wars, shifting alliances with criminals and inconsistent oversight — making Russia’s cyber operations messier than U.S. officials once assumed.

“For all the threats these actors pose to Ukraine and the West, assuming that the Putin regime controls all cyber activity emanating from within Russia’s borders is not just inaccurate (e.g., the country’s too big; there are too many players; it’s not all top down), but is the kind of assumption that serves as a “useful fiction” for the Kremlin,” the paper says.

In his second term, President Donald Trump has aimed to rework American relations with Russia as a means of bringing the Kremlin to negotiations that could end the war in Ukraine. 

U.S. efforts to coordinate a response to Russian sabotage and cyber activity have been put on hold across several national security agencies, aligning with the administration’s push for a negotiated war resolution, Reuters reported in March. In late February, U.S. Cyber Command was also ordered to stand down on cyber and information operations planning against Russia, though a top House lawmaker recently said that pause only lasted one day.

Since the downgrade of Russia as a cyber threat, the U.S. is not collecting the same level of intelligence on the country as it normally would, and threat intelligence feeds about Kremlin-aligned actors have been reduced, according to a person familiar with the matter.

That means there’s less propensity to track cyber gangs and proxies loosely affiliated with Russia’s central government who have still launched devastating cyberattacks on critical infrastructure and other sensitive systems, said the person, who was granted anonymity to speak freely about current U.S. views of Russian cyber operations.

Moscow maintains indirect but strategic ties to many cybercrime gangs operating within Russia’s borders. While these groups are not formally part of the state, the Kremlin often tolerates or quietly encourages their activities, especially when they target foreign governments or companies. Russia’s state-centered economy also allows the Kremlin to compel firms to act on behalf of the nation’s interest, including the use of disinformation campaigns.

“Focusing Western intelligence priorities, academic studies, and industry analysis mainly on Russian government agencies as the primary vector of Russian cyber power loses the importance of the overall Russian cyber web,” the think tank report says.

It later adds: “Rather than dismissing Russia’s cyber prowess because of unmet expectations since February 2022, American and Western policymakers must size up the threat, unpack the complexity of Russia’s cyber web, and invest in the right proactive measures to enhance their security and resilience into the future.”