Threat Intelligence Report
Russian Information-Confrontation Doctrine and Observed APT OperationsReport date: 16 July 2 2026-7-17 18:57:18 Author: krypt3ia.wordpress.com(查看原文) 阅读量:2 收藏

Russian Information-Confrontation Doctrine and Observed APT Operations

Report date: 16 July 2026
Intelligence confidence: Moderate to high
Scope: Russian state-directed cyber operations, electronic warfare, information operations, and their relationship to Sergey Makarenko’s 2017 monograph
Primary document: Sergey I. Makarenko, Information Confrontation and Electronic Warfare in the Network-Centric Wars of the Early Twenty-First Century

Executive summary

Sergey Makarenko’s monograph is not an official Russian General Staff cyber doctrine, and it should not be cited as proof of a formal operational directive. It is better understood as an influential military-technical synthesis that describes how Russian defense thinkers conceptualize information confrontation, electronic warfare, network-centric command systems, cyber operations, psychological effects, and kinetic action as components of a single military problem.

The central premise is that a network-centric force derives combat power from the rapid and reliable exchange of information among sensors, commanders, communications systems, and weapons. The same integration creates a systemic vulnerability. An adversary that corrupts, delays, blocks, or manipulates those information flows may neutralize a more technologically advanced force without destroying every platform.

Observed Russian state cyber operations strongly conform to this model. The clearest examples are GRU operations attributed to Unit 74455, commonly tracked as Sandworm or Seashell Blizzard. These operations have disrupted electrical distribution, telecommunications, satellite communications, government services, logistics, and major public events. They have also deployed destructive malware in close temporal proximity to Russian military operations.

GRU Unit 26165, commonly associated with APT28 or Fancy Bear, demonstrates another element of the doctrine. It combines intelligence collection, credential theft, malware deployment, false personas, manipulated disclosures, hack-and-leak campaigns, and media amplification. The objective is frequently not limited to stealing information. The stolen information becomes material for influence, deception, retaliation, and disruption.

FSB-linked actors such as Turla and Gamaredon demonstrate persistent access, technical intelligence collection, exploitation of trusted communications, and surveillance of military, government, diplomatic, and security targets. SVR-linked APT29 operations are generally quieter and more strategic. They emphasize long-term access to government, policy, technology, cloud, and supply-chain environments. These operations align with Makarenko’s intelligence-preparation and information-superiority concepts, even when they do not produce immediate destructive effects.

The assessment is that Makarenko’s framework remains relevant to Russian cyber operations today, but it does not function as a single centralized playbook used identically by all Russian services. Instead, its logic is reflected across a distributed state ecosystem:

  • the GRU applies cyber effects in support of military disruption, coercion, retaliation, and influence;
  • the FSB emphasizes persistent regional access, counterintelligence, surveillance, and operational support;
  • the SVR emphasizes strategic espionage and long-term access;
  • state media, intelligence-linked personas, proxy groups, and influence infrastructure convert technical access into psychological and political effects.

Key judgments

High confidence: Russian cyber operations are commonly designed around state and military objectives rather than independent technical objectives. Access, malware, and stolen information are instruments used to alter an adversary’s ability to command, communicate, govern, mobilize, or maintain public confidence.

High confidence: GRU Unit 74455 most closely reflects Makarenko’s integrated model of technical disruption, electronic or communications effects, operational timing, destructive malware, and support to conventional military activity.

High confidence: GRU Unit 26165 reflects the integration of cyber intrusion with information-psychological effects. Its hack-and-leak operations demonstrate that data theft, selective modification, false attribution, persona construction, and media amplification can form one continuous operation.

Moderate confidence: The operational division among Russian intelligence services is functional rather than absolute. GRU, FSB, and SVR actors show overlapping capabilities, but their target selection, risk tolerance, and typical mission effects remain distinguishable.

Moderate confidence: Makarenko’s concept of transferring electronic-warfare principles into cyberspace is visible in Russian operations that target communications, routing devices, satellite systems, network infrastructure, and operational technology rather than restricting activity to conventional endpoint espionage.

Moderate confidence: Russian cyber doctrine should be understood as an ecosystem of related concepts rather than a single public document. Makarenko’s monograph is an important doctrinal indicator, but observed operations, official policy, military-academic literature, unit missions, and intelligence-service behavior provide stronger evidence of doctrine in practice.

This report examines four questions:

  1. Does Makarenko’s monograph plausibly represent Russian cyber doctrine in current practice?
  2. Which Russian state actors most closely implement the described model?
  3. Which documented operations correspond to its principal doctrinal concepts?
  4. What defensive implications follow from the comparison?

Source Assessment

Makarenko’s 546-page monograph was published in 2017 as a military-technical study of network-centric warfare, electronic warfare, cyber operations, information-technical weapons, psychological operations, military command systems, and conflicts in Yugoslavia, Iraq, Afghanistan, South Ossetia, and Libya. Its listed reviewers include individuals associated with Russian military, aviation, government communications, and electronic-warfare institutions.

The document is significant, but its evidentiary limits are clear. It is not classified, does not direct Russian cyber units, and relies heavily on analysis of US, NATO, Chinese, and other foreign military concepts. Makarenko often derives broader principles from foreign systems and campaigns rather than documenting Russian operational procedures.

The monograph should therefore be treated as evidence of a Russian military-technical conceptual framework, an indicator of how network-centric systems are assessed for vulnerability, a bridge between electronic warfare and cyber operations, and a theoretical model against which observed Russian activity can be compared.

It should not be treated as proof of a uniform doctrine across Russian services, confirmation that every described capability was operational in 2017, a tasking document for the GRU, FSB, or SVR, or a complete account of Russian doctrine as it exists in 2026.

Information Dependence as a Vulnerability

Makarenko argues that network-centric military power emerges from linking reconnaissance, communications, command posts, decision-makers, and weapons within a shared information environment. This integration improves speed, precision, and coordination, but also creates systemic dependencies that an adversary can exploit.

An attacker does not need to destroy every sensor, platform, or weapon. It may be more effective to disrupt the relationships that allow those systems to function as a coordinated whole. The most valuable targets therefore include communications links, command networks, data-processing systems, operational databases, navigation and synchronization services, identity and trust relationships, decision-support systems, human operators, and the common operational picture.

This is not a narrowly defined cyber doctrine. It is an integrated theory of information effects directed against the technical, organizational, and human structures that sustain military power.

Functional Defeat

Makarenko applies the broader Russian concept of functional defeat, or функциональное поражение. A system is functionally defeated when it can no longer perform its assigned mission, even if it remains physically intact.

Functional defeat may result from false or delayed information, corrupted processing, blocked communications, disrupted navigation, excessive operator workload, repeated reconfiguration, loss of confidence in system output, or an inability to restore services before an operational deadline.

The doctrinal measure of success is therefore not the number of compromised systems, but the resulting effect on mission performance.

Integration of Technical and Psychological Effects

Makarenko separates information confrontation into technical and psychological spheres, but treats them as mutually reinforcing components of warfare. Technical effects include network attacks, malware, software or hardware implants, electronic warfare, communications disruption, technical reconnaissance, deceptive digital objects, and denial of service. Psychological effects include propaganda, social-media manipulation, targeted messaging, false narratives, demoralization, cognitive pressure, and influence against leaders or decision-makers.

Russian operations frequently convert effects from one sphere into the other. A technical intrusion produces stolen information, which is then selectively released through a false persona and amplified by state media, social platforms, sympathetic outlets, or direct engagement with journalists. The intrusion therefore becomes more than an intelligence operation. It becomes an information-psychological campaign designed to shape perception, behavior, and political outcomes.

Intelligence Preparation

Makarenko places substantial emphasis on reconnaissance and operational modeling. Effective action requires an understanding of system architecture, node hierarchy, information flows, command relationships, communication dependencies, critical processes, likely defensive responses, restoration procedures, and political or psychological vulnerabilities.

This closely matches Russian operations that maintain access for extended periods before using it for espionage, disruption, influence, or destructive effects. Persistent access provides the technical and contextual knowledge needed to select the right target, timing, and method.

Asymmetric Action

Makarenko’s model is explicitly asymmetric. A less technologically advanced actor can offset conventional disadvantages by attacking the information dependencies of a more sophisticated network-centric force.

The underlying principle is simple: greater integration improves performance, but also creates critical dependencies that can be selectively attacked. Russian actors have repeatedly exploited these dependencies through routers, satellite communications, software supply chains, trusted identities, cloud services, operational technology, and administrative infrastructure.

GRU Unit 74455: Destructive and Operational Cyber Effects

Common tracking names: Sandworm, Seashell Blizzard, APT44, Voodoo Bear, TeleBots, IRIDIUM
Primary assessed role: Military disruption, sabotage, destructive effects, coercion, and support to Russian military or geopolitical objectives

GRU Unit 74455 provides the clearest operational expression of the doctrine described by Makarenko. Its campaigns move beyond espionage to produce functional defeat by disrupting the systems that support government, military operations, critical infrastructure, commerce, and public confidence.

The US Department of Justice attributed KillDisk, Industroyer, NotPetya, and Olympic Destroyer operations to GRU officers associated with the unit. These campaigns caused electrical outages in Ukraine, disrupted the 2018 Winter Olympics, and produced extensive global damage. Together, they demonstrate the targeting of national functions, synchronization with political and military events, acceptance of collateral effects, and the use of deception to obscure responsibility or intent.

Ukraine Power-Grid Attacks

The attacks against Ukrainian electrical-distribution systems demonstrate direct action against operational technology. Their purpose was not simply to obtain unauthorized access, but to interrupt electricity delivery and weaken control over a critical national service.

This closely matches Makarenko’s emphasis on attacking critical information infrastructure, disrupting control systems, and severing the relationship between information, command, and physical effect. Industroyer strengthened this doctrinal alignment because it was designed to interact directly with industrial control protocols rather than operate as generic enterprise malware.

NotPetya

NotPetya represents one of the strongest examples of functional defeat. Although presented as ransomware, the malware was designed to render systems inoperable. Its effects spread through logistics, shipping, finance, manufacturing, government services, and commercial administration.

The operation demonstrated how compromise of a trusted software ecosystem could create systemic disruption across countries and sectors. Rather than attacking isolated machines, it disabled the interconnected processes on which organizations depended to operate and recover.

Viasat KA-SAT

The attack against Viasat’s KA-SAT network on 24 February 2022 occurred as Russia began its full-scale invasion of Ukraine. It disrupted communications in Ukraine and affected civilian users and wind-energy infrastructure elsewhere in Europe.

The target was not merely a collection of satellite modems. It was a communications dependency supporting government connectivity, military coordination, distributed users, and broader European services. Its timing at the opening of conventional hostilities demonstrates direct synchronization between cyber effects and military maneuver.

WhisperGate and Pre-Invasion Disruption

The January 2022 defacements of Ukrainian government websites and deployment of WhisperGate combined psychological messaging with destructive technical effects. The defacements projected political intimidation, while the malware sought to degrade systems during a period of escalating military coercion.

This combination reflects Makarenko’s integration of technical and psychological action. The operation attacked both the functioning of government systems and public confidence in the state’s ability to defend them.

Wiper Campaigns During the Invasion

Following the invasion, Russian operators repeatedly deployed new wipers and ransomware variants against Ukrainian government and private-sector organizations. These campaigns targeted communications, finance, energy, government services, and other systems essential to wartime resilience.

The repeated use of destructive tools shows an adaptive campaign rather than reliance on a single decisive strike. When defenders restored systems or blocked one attack chain, Russian operators adjusted their methods and attempted to impose new effects.

BadPilot and Strategic Access Development

The Sandworm activity tracked as BadPilot demonstrates that destructive operations depend on a broader preparatory access layer. By compromising internet-facing infrastructure across multiple countries, the group established persistent access that could support tailored espionage, disruption, or destructive action against selected targets.

This reflects the intelligence-preparation component of Makarenko’s model. Access is developed in advance, retained across distributed environments, and activated when political or military conditions make a particular effect valuable.

Assessment

Doctrinal match: Very high

Unit 74455 most clearly operationalizes functional defeat, disruption of command and critical services, attacks against communications infrastructure, destructive information-technical effects, interference with recovery and continuity, synchronization with military or political events, and the use of pre-positioned access to support future operations.

GRU Unit 26165: Intelligence, Compromise, and Information Effects

Common tracking names: APT28, Fancy Bear, Forest Blizzard, Sofacy, Sednit, STRONTIUM
Primary assessed role: Military intelligence collection, credential theft, espionage, hack-and-leak operations, and influence support

GRU Unit 26165 occupies a distinct but complementary role within the Russian operational model. Where Unit 74455 is more closely associated with disruption and destruction, Unit 26165 frequently acquires information and converts it into political, psychological, or reputational effect. Its operations combine technical intrusion with deception, selective disclosure, and manipulation of the wider information environment.

2016 US Election Operation

The 2016 operation against US political organizations illustrates this model clearly. According to the US Department of Justice, Unit 26165 personnel conducted spearphishing and network intrusions, stole credentials, emails, and documents, and deployed malware to maintain access. Personnel associated with Unit 74455 then helped stage and promote the material through DCLeaks, the Guccifer 2.0 persona, social media, and external intermediaries.

The operation followed a deliberate sequence: identify politically significant targets, obtain access, collect internal information, create false information-space entities, release selected material, conceal state sponsorship, and shape media and public interpretation. The stolen documents were not the final objective. They became material for an influence operation designed to deepen political division and uncertainty.

Anti-Doping and OPCW Operations

Operations against anti-doping organizations, sporting bodies, the Organisation for the Prohibition of Chemical Weapons, and a Swiss chemical laboratory followed a similar pattern. GRU personnel used spearphishing, spoofed domains, malware infrastructure, close-access Wi-Fi compromise, stolen credentials, false personas, selective disclosures, and direct engagement with journalists.

Some of the stolen material was altered or presented misleadingly through the “Fancy Bears’ Hack Team” persona. This false hacktivist identity concealed state direction, provided the disclosures with an apparently independent source, created a persistent distribution channel, enabled direct media outreach, and converted espionage data into political retaliation and reputational damage. It provides a particularly clear example of Makarenko’s concept of deceptive objects within the information space.

Georgia

The October 2019 attacks against Georgian organizations extended this logic into direct disruption. The operation affected government websites and broadcasting infrastructure, combining technical effects with interference in public communications. The result was not only service denial, but also psychological pressure, coercive signaling, and interruption of normal government and media functions.

Current Role

Unit 26165 continues to conduct military intelligence collection and hack-and-leak activity against Ukraine, NATO members, European partners, and the United Kingdom in support of Russian military and foreign-policy objectives. Its campaigns target trusted identities, political institutions, military networks, and information environments where stolen data can provide both intelligence value and influence opportunities.

Assessment

Doctrinal match: Very high

Unit 26165 most clearly operationalizes technical reconnaissance, compromise of trusted identities, collection of decision-relevant information, false personas, deceptive information-space objects, hack-and-leak activity, and the conversion of intelligence into psychological or reputational effects. Its defining function is the integration of espionage with strategic influence.

GRU Unit 29155: Disruptive Operations and Wartime Support

Common tracking names: Cadet Blizzard, Ember Bear, UNC2589, UAC-0056, Ruinous Ursa
Primary assessed role: Sabotage support, destructive activity, espionage, and operations connected to Ukraine and regional military objectives

GRU Unit 29155 is increasingly associated with destructive and disruptive cyber operations supporting Russian military and hybrid objectives, particularly against Ukraine. Its activity combines technical compromise with intelligence collection, sabotage preparation, and pressure against government and critical infrastructure.

The unit’s operational logic closely reflects Makarenko’s treatment of cyber activity as one component of a broader state campaign rather than an isolated technical function. Its operations have included destructive or pseudo-ransomware payloads, access established before periods of escalation, exploitation of compromised networks for military intelligence, and attacks against administrative systems that support mobilization, governance, and national resilience.

Assessment

Doctrinal match: High

Unit 29155 most clearly reflects the doctrinal objective of degrading an adversary’s ability to organize, mobilize, coordinate, and recover. Its cyber activity supports wider military and sabotage operations by weakening the institutional systems required to sustain national defense and wartime administration.Doctrinal match: High, although the public record is less complete than for Units 74455 and 26165.

FSB Center 16 and Turla: Strategic Technical Intelligence

Common tracking names: Turla, Venomous Bear, Secret Blizzard, Snake
Primary assessed role: Strategic cyberespionage, covert access, communications exploitation, and long-term surveillance

FSB Center 16 and Turla represent the strategic technical-intelligence component of Russian cyber operations. Their campaigns prioritize sustained access to government, diplomatic, military, research, media, and other high-value environments where long-term collection can reveal adversary plans, capabilities, intentions, and responses.

Snake, described by CISA and allied agencies as the most sophisticated cyberespionage implant attributed to FSB Center 16, remained active against selected targets for years. Its design reflects several elements of Makarenko’s model, including long-term intelligence preparation, covert access to information flows, collection from strategically important systems, specialized software implants, and persistence intended to survive routine defensive action.

Unlike Sandworm, Turla generally emphasizes information superiority rather than immediate destruction. Its operations seek diplomatic communications, government planning, military information, technical intelligence, policy intentions, and insight into adversary capabilities. This collection can support later military, diplomatic, intelligence, or influence activity.

Exploitation of Communications Infrastructure

FSB exploitation of routers, gateways, and other network devices is particularly significant because these systems form the connective tissue of network-centric environments. Access can enable traffic collection, network mapping, credential interception, redirection, persistent access, and selective disruption.

A July 2026 NCSC warning associated FSB Center 16 with opportunistic exploitation of inadequately configured routers and network devices and linked the service to a reckless attack affecting Poland’s energy grid. This activity demonstrates how strategic reconnaissance and communications exploitation can create options for both intelligence collection and later operational effects.

Assessment

Doctrinal match: High

Center 16 and Turla most clearly implement technical intelligence preparation, persistent access, communications-system exploitation, covert software implants, and detailed mapping of government and military information environments. Their principal function is to establish enduring visibility into adversary systems and decision-making before operational effects are required.

FSB Center 18 and Regional Influence Operations

Common tracking names associated with portions of this activity: Callisto Group, Coldriver, Star Blizzard
Primary assessed role: Credential theft, intelligence collection, political targeting, and influence support

FSB-linked actors have conducted sustained campaigns against political figures, civil-society organizations, journalists, academic institutions, and democratic organizations. These operations commonly rely on impersonation, tailored social engineering, credential theft, abuse of trusted relationships, targeting of personal email accounts, and the collection of correspondence that may later support influence, intimidation, or coercion.

The doctrinal alignment is strongest in the treatment of people, identities, and relationships as components of the information system. Makarenko’s target model extends beyond hardware and networks to include decision-makers, operators, administrators, and information consumers whose actions sustain political and institutional command.

Assessment

Doctrinal match: High

FSB political-targeting operations implement trusted-subject substitution, focused intelligence collection, exploitation of human relationships, access to political decision-making environments, and support for influence or coercive objectives. Their value lies not only in acquiring information, but in compromising the social and institutional relationships through which political authority is exercised.

Gamaredon: Persistent Operational Intelligence Against Ukraine

Common tracking names: Gamaredon, UAC-0010, Primitive Bear, Armageddon, Shuckworm
Primary assessed role: High-volume regional espionage against Ukrainian government, military, security, and critical organizations

Gamaredon is widely assessed as linked to the FSB and has conducted sustained operations against Ukrainian government, military, security, and critical-sector organizations. Its campaigns rely on spearphishing, malicious documents and archives, removable-media propagation, credential theft, rapidly replaced infrastructure, repeated re-entry after remediation, and persistent collection from government and military environments.

Gamaredon’s tooling is generally less sophisticated than that associated with Turla or the SVR. Its strength lies instead in operational persistence, scale, local knowledge, rapid infrastructure turnover, and a willingness to continue operating despite repeated exposure. This makes the group effective at maintaining pressure and recovering access after defenders disrupt individual campaigns.

The doctrinal alignment is strongest in the group’s continuous collection from the systems and personnel required for wartime administration and military command. Its access can support order-of-battle intelligence, personnel identification, operational planning, logistics awareness, targeting support, and assessment of Ukrainian government responses.

Assessment

Doctrinal match: High

Gamaredon primarily implements the reconnaissance and intelligence-preparation layer of the doctrine. It is less associated with technically sophisticated destructive effects, but its persistent collection provides the operational knowledge needed to support military planning, targeting, disruption, and later state action.

SVR and APT29: Strategic Access and Information Superiority

Common tracking names: APT29, Midnight Blizzard, Cozy Bear, Nobelium
Primary assessed role: Strategic espionage, policy intelligence, supply-chain compromise, cloud access, and long-term collection

The SVR’s operational profile differs substantially from the GRU’s. APT29 generally prioritizes government ministries, diplomatic organizations, technology companies, research institutions, policy organizations, cloud environments, identity infrastructure, and software supply chains. Its operations emphasize sustained access to systems that support strategic decision-making rather than immediate disruption.

The SolarWinds compromise demonstrated this approach at scale. By compromising a trusted software build process, the SVR obtained broad access and then selected a smaller number of high-value victims for further exploitation. This model closely aligns with Makarenko’s emphasis on software implants, trusted objects, lifecycle access, technical reconnaissance, strategic collection, and the exploitation of dependencies within information systems.

Cloud Operations

As government and military systems have migrated to cloud platforms, APT29 has adapted its access methods accordingly. The group has targeted service accounts, dormant identities, authentication tokens, and cloud-management processes to gain persistent access while minimizing visibility.

The significance is doctrinal, not merely technical. Cloud identity and management systems now form part of the command infrastructure on which modern governments depend. Compromising these layers can expose email, policy documents, operational planning, collaboration platforms, security telemetry, identity systems, and relationships with trusted partners.

Covert Command and Control

APT29 has also used legitimate cloud services, including Microsoft OneDrive and Dropbox, as covert command-and-control channels. This allows malicious communications to blend into normal cloud traffic and complicates detection.

The technique reflects the broader doctrinal use of trusted communications infrastructure to conceal information-technical activity inside routine network operations.

Assessment

Doctrinal match: High, primarily at the strategic-intelligence level

APT29 operationalizes strategic information superiority through supply-chain compromise, software implants, trusted infrastructure, long-term access, collection from decision-making systems, and concealment within legitimate information flows. It is less closely associated with immediate functional defeat than GRU Unit 74455, but the access it establishes can prepare intelligence, influence, disruption, or other state action at a later stage.

Makarenko conceptObserved Russian operationAssessment
Attack the information links joining sensors, command, and effectsViasat KA-SAT attack during the opening of the 2022 invasionDirect attack on a communications dependency at an operationally decisive time
Functional defeat without complete physical destructionUkrainian grid attacks, Industroyer, KillDiskSystems were rendered unable to perform their assigned control function
Destruction or disruption of military and state communicationsViasat, Georgian government and media disruption, router exploitationConsistent with isolating command and public-information nodes
Information-technical effects synchronized with kinetic operationsWipers and communications attacks surrounding the invasion of UkraineStrong evidence of integrated wartime employment
Software implants and supply-chain accessSolarWinds and other SVR campaignsLong-term strategic access through trusted software infrastructure
Hardware or close-access compromiseGRU Wi-Fi operations against WADA and OPCW-related targetsPhysical proximity used when remote access was insufficient
Substitution of trusted objects or subjectsSpoofed domains, stolen credentials, cloud identities, phishing personasRepeated use of impersonation to enter trusted relationships
Creation of false objects in the information spaceGuccifer 2.0, DCLeaks, Fancy Bears’ Hack TeamFalse personas converted stolen data into influence material
Technical and psychological integrationElection interference, anti-doping leaks, defacements paired with destructive malwareIntrusion, disclosure, deception, and amplification formed one campaign
Strategic intelligence preparationTurla, APT29, Gamaredon, BadPilotPersistent access used to understand networks and retain future operational options
Disruption of critical infrastructureNotPetya, Ukrainian grid attacks, destructive Ukrainian wipersRepeated emphasis on government, energy, logistics, finance, and communications
Denial of recovery and continuityDestructive wipers and pseudo-ransomwareIntended to increase restoration time and reduce organizational resilience
Asymmetric defeat of a superior networked adversaryBroad Russian targeting of NATO, Ukraine, government, technology, and communications systemsSelective attacks seek effects disproportionate to technical cost
Information superiority as prerequisite to actionSVR and FSB strategic espionagePersistent collection supports foreign-policy, military, and counterintelligence decisions

Cyber Operations Are Rarely Isolated

Russian state cyber activity is best understood as one component of a broader state campaign. Cyber operations may be coordinated with diplomatic pressure, covert intelligence collection, military mobilization, electronic warfare, physical sabotage, criminal proxies, hacktivist claims, disinformation, media amplification, and kinetic attack.

Microsoft described Russia’s campaign against Ukraine as a hybrid war combining destructive cyberattacks, intelligence collection, conventional military operations, and foreign influence activity. This integration allows technical effects to reinforce military objectives, shape public perception, and increase political pressure beyond the immediate impact of the intrusion. Cyber operations should therefore be assessed within the wider strategic campaign rather than as isolated technical events.

Russian Services Apply Different Levels of Force

Russian intelligence services exhibit distinct operational risk tolerances and mission priorities. The SVR generally favors stealth, long-term access, selective exploitation following broad compromise, and operations against cloud platforms, software supply chains, and other sources of strategic intelligence. The FSB more often maintains persistent regional access for counterintelligence, government and military surveillance, communications exploitation, political targeting, and operations against dissidents and civil society.

Within the GRU, Unit 26165 typically emphasizes military intelligence collection, credential theft, rapid exploitation, hack-and-leak activity, influence support, and both tactical and strategic targeting. Unit 74455 operates at the most destructive end of the spectrum, using sabotage, infrastructure attacks, operational disruption, coercive signaling, and wartime synchronization to impose direct effects.

These distinctions describe recurring tendencies rather than fixed institutional boundaries. Russian services can overlap, cooperate, or adopt methods more commonly associated with another organization when operational requirements demand it.

Destruction and Espionage Reinforce Each Other

Destructive operations depend on prior intelligence about network topology, security controls, operational processes, recovery systems, privileged accounts, and the timing required to maximize impact. Espionage provides the access and situational awareness needed to prepare these effects.

The relationship also works in reverse. Destructive malware can conceal collection activity, eliminate evidence, and complicate attribution. Russian operations therefore treat espionage and disruption as connected capabilities within the same operational cycle, not as separate or mutually exclusive mission types.

False Attribution Is Operationally Useful

Russian operations have repeatedly adopted criminal aesthetics, ransomware themes, hacktivist personas, false national identities, proxy infrastructure, altered stolen documents, and deceptive public claims to obscure state involvement and shape perception.

These measures can delay attribution, intensify psychological effects, create plausible alternative explanations, frame the victim, mobilize sympathetic audiences, and separate the public narrative from the underlying state operation. False attribution is therefore not merely a defensive technique. It is an operational instrument used to manipulate how an attack is understood, discussed, and politically exploited.

Operational Timing Is a Core Variable

The strongest doctrinal alignment appears when cyber effects are synchronized with invasions, elections, international investigations, military crises, diplomatic confrontations, major public events, or periods of peak energy demand. In these contexts, timing amplifies the technical effect by increasing political pressure, operational disruption, or public uncertainty.

The necessary access and capability may exist long before activation. The decisive variable is not simply whether an effect can be produced, but when it is released to achieve maximum military, political, or psychological advantage.

What Remains Valid

Makarenko’s core concepts remain highly relevant. Network integration continues to create systemic dependencies, making communications, identity, and information integrity strategic targets. Cyber effects can generate direct military and political consequences, particularly when technical access supports disruption, deception, psychological operations, or false digital entities designed to manipulate attribution and perception.

Persistent reconnaissance remains essential to identifying critical dependencies and preparing targeted effects. Success is best measured not by the number of systems compromised, but by the resulting impact on mission performance. Cyber operations therefore achieve their greatest value when integrated with electronic warfare, intelligence, influence activity, military action, and other instruments of state power.

What Has Evolved Since Publication

Makarenko’s monograph predates the operational maturity of technologies that now shape Russian cyber activity, including cloud identity, software-as-a-service platforms, token theft, cloud-based command and control, managed-service-provider compromise, endpoint detection and response, zero-trust architectures, containerized infrastructure, commercial satellite communications, modern social-media ecosystems, criminal proxy integration, and artificial intelligence-assisted reconnaissance and influence.

The underlying doctrine remains relevant because the target relationships have not changed. What has changed is the implementation layer. Modern military and governmental command now depends increasingly on federated identity, commercial telecommunications, software suppliers, collaboration platforms, managed services, data analytics, and civilian infrastructure. These systems have become integral components of the network-centric environment and therefore legitimate targets for espionage, disruption, manipulation, and functional defeat.

Most likely activity

Russian state actors will continue to prioritize:

  • government and defense organizations;
  • telecommunications;
  • satellite communications;
  • energy;
  • transportation and logistics;
  • defense industrial bases;
  • software and cloud providers;
  • political institutions;
  • media;
  • research organizations;
  • Ukraine-support networks;
  • NATO member infrastructure.

Likely methods include:

  • credential theft;
  • exploitation of internet-facing systems;
  • cloud-account compromise;
  • router and network-device exploitation;
  • supply-chain compromise;
  • persistent phishing;
  • information theft;
  • destructive malware against selected targets;
  • hack-and-leak operations;
  • false hacktivist branding;
  • influence amplification.

Most dangerous activity

The most dangerous scenario is a coordinated campaign combining:

  1. persistent pre-positioned access;
  2. compromise of identity and communications systems;
  3. espionage against operational planning;
  4. disruption of satellite, telecommunications, or energy services;
  5. destructive malware against government or logistics networks;
  6. false public claims and manipulated disclosures;
  7. simultaneous kinetic or physical action;
  8. interference with recovery and external assistance.

This scenario most closely reflects Makarenko’s integrated doctrine.

Indicators of escalation

Defenders should treat the following combinations as possible indicators of campaign preparation:

  • increased scanning of edge devices and routers;
  • targeting of cloud administrators or dormant accounts;
  • compromise of telecommunications providers;
  • access to satellite or radio-support systems;
  • phishing against emergency-management personnel;
  • collection from logistics and transportation systems;
  • intrusion into backup or identity-recovery environments;
  • creation of new hacktivist personas;
  • coordinated narratives about an impending crisis;
  • repeated low-impact disruptions that may test response procedures;
  • malware deployment against organizations associated with military mobilization or foreign assistance.

Defensive Implications

Organizations must protect mission processes, not just individual assets. Traditional inventories rarely capture the dependencies that sustain operations, including critical services, information flows, decision points, communications links, external providers, identity systems, recovery sequencing, manual fallback procedures, and maximum tolerable interruption.

The central question is no longer simply which server is critical. It is which systems, identities, data, and communication paths must remain available and trustworthy for the mission to continue.

Assume Communications Infrastructure Is Targeted

Organizations should treat communications and identity infrastructure as priority targets. Routers, VPN concentrators, satellite terminals, firewalls, DNS, network-management platforms, identity providers, messaging systems, and cloud administrative accounts all form part of the operational backbone on which command and continuity depend.

Repeated warnings from CISA, NCSC, and allied agencies show that Russian actors actively exploit internet-facing infrastructure, routers, cloud platforms, and identity systems. Defenders should therefore secure these systems as mission-critical infrastructure rather than routine technical assets.

Separate Integrity from Availability

Russian doctrine places substantial value on corrupting information and undermining trust, not merely denying access. Systems may remain available while presenting altered data, forged messages, manipulated logs, false health indicators, compromised synchronization, or unauthorized routing and configuration changes.

Defensive monitoring must therefore treat integrity as a separate mission requirement. The objective is not only to keep systems online, but to ensure that identities, data, communications, and operational pictures remain authentic and trustworthy.A system that remains online but provides false information may be more dangerous than a system that is visibly offline.

Protect Recovery Infrastructure

Organizations should assume that destructive operations will target the systems needed to restore service, including backups, golden images, identity-recovery mechanisms, virtualization management, configuration repositories, incident-response tooling, and privileged administrator accounts.

Recovery plans must be tested under degraded conditions in which identity services are unavailable, primary communications are disrupted, cloud access is lost, backups are partially compromised, and some operational data cannot be trusted. The objective is not simply to restore systems, but to recover the mission without relying on the same infrastructure the attacker has already disrupted.

Integrate Cyber and Influence Response

Organizations should assume that a Russian intrusion may be followed by selective leaks, manipulated documents, false claims, hacktivist branding, direct outreach to journalists, and coordinated social-media amplification. The technical compromise may therefore become the opening stage of a broader influence operation.

I

ncident response must extend beyond containment and recovery. It should include document-authenticity analysis, leak monitoring, executive communications, legal review, media coordination, assessment of altered or selectively edited material, and rapid attribution of false personas and supporting infrastructure. The objective is to contain both the intrusion and the narrative effects built around it.

Monitor Service-Specific Behavior

Russian state actors produce distinct warning profiles that should inform detection, threat hunting, and incident triage. Sandworm activity is most closely associated with critical infrastructure, government services, destructive malware, exploitation of internet-facing systems, and operations synchronized with war or political crisis.

APT28 more often targets military and political organizations through phishing, credential theft, rapid exploitation, hack-and-leak infrastructure, and false personas. Turla emphasizes long-term access, bespoke implants, government and diplomatic targets, communications interception, and covert command and control.

Gamaredon is characterized by high-volume phishing, persistent targeting of Ukrainian and regional organizations, rapid infrastructure rotation, repeated re-entry after remediation, and continuous collection from government and military systems. APT29 generally favors cloud environments, software supply chains, diplomatic and policy targets, stealth, token and identity abuse, and the use of trusted commercial services.

These profiles are not rigid boundaries, but they provide useful indicators for distinguishing likely operators, anticipating follow-on activity, and prioritizing defensive action.

Priority Defensive Actions

Organizations should begin by mapping the systems and relationships that sustain communications, decision-making, operational data, logistics, emergency coordination, public messaging, and recovery. This dependency model should guide protection priorities and reveal where disruption to a single identity, provider, or communications path could impair the wider mission.

Identity infrastructure requires particular attention. Defenders should enforce phishing-resistant multifactor authentication, privileged-access workstations, conditional access, service-account review, token monitoring, removal of dormant accounts, and separation between cloud and on-premises administration.

Network infrastructure should be treated as mission-critical. Routers, firewalls, management interfaces, remote-access services, and tunneling paths require timely updates, isolation, configuration backups, authentication logging, monitoring for unauthorized routing changes, and removal of obsolete access methods.

Resilience against destructive attacks depends on offline and immutable backups, tested bare-metal recovery, independent communications, alternate identity procedures, segmented operational networks, preapproved isolation measures, and manual fallback plans. These capabilities must function even when primary systems and trusted data are unavailable.

Defenders must also detect integrity attacks by validating authoritative data, using cryptographic signing, reconciling information across independent sources, monitoring privileged database activity, detecting unexplained configuration changes, and verifying command or emergency messages.

Hack-and-leak response should include procedures to authenticate documents, identify manipulation, preserve forensic evidence, communicate uncertainty accurately, and prevent altered or selectively released material from controlling the public narrative.

Finally, exercises should combine cyber intrusion, communications loss, false public claims, manipulated data, destructive malware, media pressure, physical disruption, and impaired recovery. The objective is to test whether the organization can continue operating when technical, informational, and physical effects occur together.

Several important questions remain unresolved in the public record. The relationship between Russian military-academic theory and formal operational planning is still unclear. Available evidence shows strong conceptual alignment, but it does not establish how works such as Makarenko’s are translated into GRU, FSB, SVR, or broader armed-forces doctrine.

The level of coordination among the GRU, FSB, SVR, military commands, state media, and proxy actors also varies by campaign and is often difficult to prove. Public reporting provides greater visibility into strategic attacks against government, communications, and critical infrastructure than into the tactical use of cyber operations to disrupt battlefield command.

Further research is needed on how Russia currently integrates cyber operations with electronic warfare, unmanned systems, satellite targeting, and battlefield intelligence. The relationship with criminal and hacktivist actors remains similarly opaque, particularly whether these groups receive direct tasking, permissive guidance, or amplification after the fact.

Makarenko’s monograph should not be treated as official Russian cyber doctrine, but it provides a strong expression of the military-technical logic repeatedly visible in Russian state operations.

That logic treats information as the foundation of modern command and network integration as both an operational advantage and a source of vulnerability. The objective is not simply to compromise individual systems, but to disrupt the broader mission process by attacking communications, identity, data integrity, situational awareness, and operator confidence. Intelligence collection prepares later effects, while cyber operations, electronic warfare, psychological operations, and physical action are intended to reinforce one another. Technical access can therefore be converted into political or cognitive effect, and functional defeat may be achieved through delay, deception, isolation, disruption, or destruction. The decisive question is whether the adversary can still command, govern, communicate, and recover.

GRU Unit 74455 represents the clearest destructive application of this model, while Unit 26165 demonstrates the integration of intrusion, intelligence collection, and influence. FSB actors maintain persistent regional and strategic access, and the SVR develops long-term intelligence advantage through trusted systems, supply chains, identities, and cloud infrastructure.

Taken together, Russian state operations do more than resemble the framework described by Makarenko. They operationalize its central proposition: attack the information relationships on which an adversary’s power depends, then convert the resulting loss of awareness, coordination, trust, and resilience into military or political advantage.


文章来源: https://krypt3ia.wordpress.com/2026/07/17/threat-intelligence-report-2/
如有侵权请联系:admin#unsafe.sh