Source: shutterstock.com/ozrimoz

Hacktivism In Russian Cyber Strategy

Abstract: So-called “hacktivist groups” have become an important part of Russia’s cyberspace strategy against the West. In reality, however, this phenomenon is not clear-cut, and hacktivist groups demonstrate many differences when it comes to their constitution, techniques, and especially their level of state control. Many “hacktivist” groups are entities that have been purposefully set up by Russian intelligence services to serve as tools for their cyber- and information operations, while others only loosely align with the Kremlin’s goals.

Problem statement: How do Russian hacktivist groups fit into the greater Russian strategy in cyberspace?

So what?: Policymakers, analysts, and cybersecurity practitioners should embrace and adopt a more nuanced taxonomy when attributing cyber operations involving hacktivist groups. Rather than treating hacktivism as a monolith, actors should be assessed based on their varying levels of state influence to better calibrate diplomatic, legal, and technical responses.

A Mere Catch-All Term?

Hacktivism, especially in the context of Russian intelligence services, has served as a catch-all term to describe various activities in cyberspace originating from Russia that target the Russian state’s geopolitical adversaries. Hacktivist groups often consist of self-proclaimed patriots who support broader Russian geopolitical goals with their activities in cyberspace, ranging from website defacements and Distributed Denial of Service (DDoS) attacks to network compromises of critical infrastructure providers. The hacktivism landscape, especially in Russia, is quite varied, however: it features groups of vastly different shapes, sizes, and, most importantly, degrees of government control. Some groups act based on recent events in the news and attack targets located in countries whose heads of state have recently publicly voiced their support for Ukraine or their disdain for Russian President Vladimir Putin. Others are suspected to have direct links to, or to be under the control of, Russian intelligence services.

However, hacktivist groups can be categorised into three distinct categories, which lie on a spectrum of state control. The categories employed are based on the spectrum of State Responsibility first laid out by Jason Healey for the Atlantic Council’s Cyber Statecraft Initiative in 2012, which ranges from “State-integrated” to “State-prohibited.”[1]

It is essential for policymakers to gain a clear understanding of these differences, as many news reports and industry papers tend to lump all hacktivist incidents into a broad, nondescript category of “hacktivism,” even though the perpetrators or operations can differ significantly. This could lead to misconceptions and inadequate responses by governments, as being attacked by a group of volunteers without ties to a government is a matter of criminal investigation, whereas being attacked by an intelligence service pretending to be a group of volunteers is an issue of counterintelligence, diplomacy and international law.[2]

This taxonomy is built on a case study of selected Russian hacktivist groups that can be regarded as examples for their respective category. As hacktivist groups often disband and reconstitute, the list of example hacktivist groups is non-exhaustive and will need to be amended regularly.

Category I: Intelligence Services in Disguise

The first category of Russian hacktivist groups comprises groups assessed to be state-sponsored or under some degree of direct government control. While the extent of state-sponsorship is not entirely clear and is likely to differ between groups, the groups in this first category are known to be actively used as fronts for Russian intelligence services, to leak data gathered in espionage operations and as a tool for information operations. This category corresponds to category seven (state-ordered) to category ten (state-integrated) on Jason Healey’s spectrum of state responsibility.[3]

Russian intelligence services have used hacktivist groups as fronts for at least a decade, going back to personas like CyberBerkut and Guccifer2.0 between 2014 and 2018, including as a vehicle to leak the data stolen during the compromise of the Democratic National Committee.

Russian intelligence services often employ these groups to generate “second-order” psychological effects as part of their information warfare strategy. The strategic goal here is to “telegraph success,” in the words of Black and Roncone.[4] Simply put, cyber operations will not become public if the targeted organisation decides not to disclose the attacks, diminishing the perceived impact of Russian cyber operations.[5] To showcase the prowess and success of Russian cyber operations, it is necessary to inform the public that such attacks have occurred and, more importantly, have been successful. This is where so-called “Hack-and-Leak Operations” come into play, in which hacktivist groups publicise leaked material from a cyber operation to lend credibility and to project power.

There are at least three hacktivist groups in this category that describe themselves as a group of patriotic Russian volunteers aiding the Russian war effort in Ukraine. These front groups are the primary category of hacktivists in the Russian cyber strategy and play a significant role in the playbook of Russian intelligence services. The three main hacktivist groups in this category are XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek. Writing for Google’s Mandiant, Roncone et al. attribute all three to Sandworm, also known as APT44, a Russian Advanced Persistent Threat (APT) associated with Unit 74455 of the Russian Military Intelligence Service (GRU).[6]

These groups primarily use their Telegram channels, which mainly consist of claims of responsibility for various cyber operations, for public communication. Linguistic analysis of the hacktivist groups’ communication conducted by Check Point has further uncovered stylistic links between the groups in this category, pointing to a likely coordination or influence by intelligence agencies.[7]

CyberArmyofRussia_Reborn

CyberArmyofRussia_Reborn (CARR), otherwise known as the People’s Cyber Army (Народная Cyberармия), is a Russian self-proclaimed hacktivist group that has been active since at least early 2022.[8] The group specialises in DDoS attacks but has also served as a vehicle to leak data that had been previously stolen in government-attributed espionage campaigns.[9] Additionally, they are allegedly responsible for more sophisticated attacks against critical infrastructure entities. While the group’s DDoS endeavours have been described as “low-impact and unsophisticated,”[10] two alleged primary members of the group have been sanctioned by the U.S. Treasury for conducting cyberattacks against US water storage facilities in Texas.[11] This attack on critical infrastructure showed an apparent ability to compromise operational technology (OT) systems and to potentially cause significant harm. CARR is assumed by the majority of the cybersecurity community to be a front for the GRU-affiliated Sandworm; it has published information on—and claimed responsibility for—multiple Sandworm-attributed attacks. In one case, the claim that an attack had been successful preceded the conclusion of the attack, suggesting that CyberArmyofRussia_Reborn knew about the attack in advance, indicating at least a high level of cooperation between Sandworm and CARR. Researchers observed further links, such as the creation of CARR’s YouTube channel from infrastructure attributed to Sandworm, and technical artefacts of Sandworm tooling included in data leaked by the group.[12]

XakNet Team

XakNet is a self-proclaimed Russian hacktivist group that runs a Telegram channel of the same name and claims its members consist of “Russian patriotic volunteers.”[13] The group specialises in DDoS attacks, network intrusions, data leaks and defacements. In one case, they claimed to be involved in a defacement campaign that targeted the news ticker of a Ukrainian live TV broadcast, displaying a fake message of Ukraine’s capitulation on live TV. XakNet have been assessed as having a strong connection to Sandworm, based on a technical artefact contained in a leak that XakNet posted.[14] This technical artefact is unique and attributed to a specific Sandworm operation, which led researchers at Google to assess that XakNet members are “either GRU intelligence officers or work directly with the GRU [Sandworm] operators conducting on-net operations.”[15]

Solntsepek

Solntsepek (translated roughly as: Scorching Sun) is a self-proclaimed hacktivist group that shares its name with a thermobaric missile launcher used by the Russian Army. As in the cases of XakNet and CyberArmyofRussia_Reborn, Solntsepek has been linked to Sandworm by Google and claimed responsibility for several attacks, including the December 2023 attack on the Ukrainian telecommunications provider Kyivstar.[16] The basis for attribution is not public, but Mandiant stated that the group claimed responsibility for attacks that are proven to be Sandworm operations.[17]

Category II: Groups with government connections

The second category of actors includes those who receive directives or are otherwise involved with the Russian intelligence services but are not themselves a part of the Russian government. This can take on a variety of forms, from having known Russian intelligence service officers in a group’s leadership structure to being advised on potential or future targets for cyberattacks by those in the Russian government through back channels. While there is scant evidence to identify the exact relationship between these groups and intelligence services, there is enough to suggest that they are connected beyond the level of the groups in the third category. This category corresponds to categories three (State-ignored) and six (State-coordinated) on Jason Healey’s spectrum of state responsibility.[18]

NoName057(16)

NoName057(16) is currently the most prolific pro-Russia DDoS hacktivist group. The group, formed in 2022, has been known to go after a myriad of targets in various industries, allegedly for what they perceive to be Russophobia or any anti-Russia sentiment. NoName057(16)’s approach involves a custom tool called DDoSia, which, when installed and set up by users, enables automated, collective DDoS attacks on specified targets. Due to its collectivist approach, anyone can join the project and become a member of DDoSia, with the group even allowing users to suggest potential targets.

The NoName057(16) leadership includes the user “MotherOfBears,” who was identified as Yuliya Vladimirovna Pankratova, a former CARR administrator and a US Treasury-sanctioned individual.[19], [20] Researchers discovered a photo she had posted of herself on Telegram with a person who is assumed to be an administrator of NoName057(16). The group is also known to have collaborated with Killnet and XakNet in the past, with Killnet being another group in this category and XakNet being a known front for state-sponsored cyber activity.[21]

NoName057(16) has also engaged in a hacktivist alliance with CARR, as well as Z-Pentest, a pro-Russia hacktivist group that emerged in 2024. While there is no evidence that Z-Pentest is another front group for the GRU and the group claims to be based in Serbia, it is notable that the alliance established between CARR, NoName057(16) and Z-Pentest was publicised soon after the group’s creation in October 2024 and before any published attacks by the group. Z-Pentest appears to work closely with CARR, and despite its short lifespan, has claimed to have conducted ten attacks on operational technology controls in its first two months of existence.[22]

With such close ties to CARR, a known Sandworm front, as well as collaboration with XakNet and Z-Pentest, a working relationship exists between NoName057(16) and both known and likely front groups involved in state-sponsored activity. While there is scant evidence of collaboration or communication between NoName057(16) and the Russian intelligence services, the joint efforts between front groups and NoName057(16) suggest that the group is likely linked to these intelligence services.

Killnet

Killnet is a pro-Russia hacktivist group initially run by an administrator who went by the moniker “Killmilk.” Similar to NoName057(16), the group used denial-of-service attacks to target the public and private company websites in countries that expressed or provided support to Ukraine after Russia’s invasion in 2022.[23] Killnet claimed responsibility for attacks on the US Federal Tax Service, the SWIFT and IBAN banking systems of the European Union, and Lockheed Martin.[24] While at one point the most prominent pro-Russia hacker group,[25] the group slowly faded into the background in 2022, with the group’s leader seemingly wanting to take the group in various directions: at first departing from the group’s initial purpose of DDoS attacks to pursue more destructive methods, then going back to DDoSing, before repurposing the group to benefit his own economic interests.[26]

Following a scathing exposé by Gazeta.ru, the Russian cybercrime community turned against Killmilk, claiming that he had falsely attributed cyberattacks to other groups or lied about the success of attacks that never occurred. The group was eventually sold to another administrator, known as “BTC.”[27] However, similar to the previous Killnet administration, BTC took credit for an attack that Killnet was unlikely responsible for, namely the December 2023 attack on Kyivstar. The attack disrupted essential services for the Ukrainian telecommunications company and was also claimed by Solntsepek. Ukraine’s State Security Service later revealed that Russian military intelligence was responsible for the attack.[28] Despite this, BTC insisted that the attack was the result of a collaboration between multiple groups and that Killnet played “one of the leading roles.”[29] The group endures, albeit with minimal impact or press coverage.

Assuming that the new administrator, BTC, was telling the truth, then Killnet was in direct contact and collaboration with Solntsepek, and likely one of the front groups for the GRU’s Sandworm team, and/or Russian military intelligence directly.

Category III: Ideologues, Accidental Government Contractors and Local Criminals

The third category is groups that align themselves with Russian government objectives, although they are not explicitly linked to the government in any way. Their alignment with Russian state goals may be intentional or purely coincidental. Still, they do not seem to be in communication with or receive directives from those involved in the Russian intelligence services. There are two subcategories included: national actors and international actors. Many groups in this category can be considered cybercriminals; however, due to their alignment with Russia’s strategic goals, they can also be viewed as “hacktivist” groups, as they focus their attacks on Western targets. This category corresponds to categories two (State-prohibited-but-inadequate) and three (State-ignored) on Jason Healey’s spectrum of state responsibility.[30]

National Groups

National actors are those who are physically located within the Russian Federation. Due to their location, they are subject to the laws and doctrines of the state regarding cyberactivity. Unlike in many Western countries, where all illegal cyberactivity and cybercrime are prosecuted to the full extent of the law, the Russian government often ignores cybercrime originating from within its borders as long as the actors comply with the guidelines set by the state.[31] Those guidelines stipulate that cyberactivity targets cannot be located within Russia or the Commonwealth of Independent States (CIS), which consists of former Soviet republics. Activity should ideally target organisations based in countries toward which Russia has strategic goals, such as Ukraine or NATO member states.

Due to the leniency regarding illegal cyberactivity, this essentially means that almost all cybercriminals and actors who commit illegal cyberactivity in Russia belong to this category. Some organisations, such as the ransomware group Conti, have pledged allegiance to the Russian government.[32] In contrast, others simply work in tandem with the government’s objectives, either coincidentally or due to their own security interests. Therefore, Russian cybercriminal groups can be subsumed under this category, as they actively choose their targets in alignment with the Kremlin’s strategic goals.

International Groups

International actors who fall into this category are mostly comprised of hacktivist groups that have allied themselves with Russian hacktivist groups. These international groups are not necessarily aligned with the Russian government out of obligation; instead, their positioning is often due to their desire to ally themselves with larger groups in the hacktivist space.

Anonymous Sudan, a hacktivist group specialising in DDoS attacks, claimed to have aided Russian objectives as a way to “give back” to Russia for helping them previously.[33] Other groups seemingly not associated with Russia, such as Alixsec and Alligator Black Hat, placed themselves into this category when they joined pro-Russia hacktivist alliances. In these alliances, the groups’ targeting of specific organisations and infrastructure benefits the Russian state’s goals and objectives. In this case, although they are not connected to the Russian state and lack a pro-Russia stance independent of the alliance, they actively work toward attacking targets in alignment with Russian geopolitical goals. In one pro-Russia hacktivist alliance campaign, non-Russia-based groups began targeting South Korean airlines, irrigation systems and power grids as part of their coordinated attack on South Korea, after the announcement that the country would consider sending weapons to Ukraine.[34], [35]

There have also been instances of Russian state-sponsored groups hijacking cybercriminal infrastructure for their own purposes. A prime example of this was the takeover of the Moobot botnet by APT28 in 2024. The United States Department of Justice (DoJ) confirmed in its press release that a non-GRU-associated actor set up the botnet before the APT’s takeover of the infrastructure, which they then used to turn the botnet into their own cyber espionage platform.[36]

Russian intelligence services have made use of cybercriminal infrastructure as well as the tools and data used by other APT groups to bolster their own arsenal and potentially contribute to future false-flag operations. This tactic seems to be used more frequently as more examples of state-crime tooling overlap or collaborations are observed. In these cases, the tools and infrastructure of frequently non-Russian, non-state groups are used in pursuit of Russian state objectives, regardless of whether the groups themselves are aware of it.

Hacktivist Alliances

Hacktivist alliances are difficult to categorise as they often include members of all three groups. These alliances tend to be headed by those in the first two categories, while most members fall into the third category. As the nature of these alliances is to create a bigger impact on targets by increasing the number and frequency of attacks while also expanding the variety of attackers, pro-Russian groups can harness groups with various motivations to target organisations that benefit Russian government objectives.

One of the most prominent of the Russian hacktivist alliances is the High Society Alliance (HSA). The HSA is a hacktivist alliance initially formed by UserSec, another pro-Russia hacktivist group. The alliance comprises about 20 cybercriminal and hacktivist groups, focusing on attacking NATO countries and frequently targeting critical infrastructure and defence systems. HSA comprises four prominent pro-Russia hacktivist groups: NoName057(16), UserSec, CyberArmyofRussia_Reborn, and Z-Pentest. Other members of the group include two smaller hacktivist groups mentioned in the previous section, Alixsec and Alligator Black Hat. These smaller groups that are unaffiliated with Russia outside of their membership in HSA are likely looking to gain more exposure and hoping to place themselves in the good graces of some of the most famous hacktivist groups. They have been observed attacking targets specified by larger groups, such as NoName057(16) and CARR.[37]

Alliances like the HSA regularly transcend different categories of hacktivist groups and state control or responsibility, further muddying the waters of pro-Russian hacktivism. Many of the groups themselves do not have clear ties to the government, and when they join forces, this link becomes even less clear.

Motives and Motivation

An integral part of Russia’s strategy concerning its activities against Ukraine and Western states in the last decade has been to use plausible deniability. Probably best exemplified by the “little green men,” soldiers without official insignias that occupied Crimea in 2014, plausible deniability has always transcended the realm of conventional operations and extended into Russian cyber operations.[38] Here, plausible deniability obscures a potential clear connection to the Russian state, helps to escape legal regimes and complicates potential responses to cyber operations. Although individual operations are often attributed promptly, remnants of doubt remain, as state control is often difficult to prove. Different groups with varying levels of state responsibility complicate attribution to the state, therefore offering higher levels of plausible deniability for the Russian government.

Furthermore, using hacktivist groups is a way for intelligence services to leak the information they acquire. Intelligence services act covertly and therefore only rarely admit to having conducted operations against adversaries. Using hacktivist groups is a way to publicise successful operations, showcase their impact and project power. Selectively leaking specific information and construing stories around it can also serve Russia’s goals in its ongoing information war against the West.

Using hacktivist groups as front personas to spread news about espionage operations via alleged independent supporters of the Russian government’s geopolitical goals is a vehicle to create second-order psychological effects for both Russian and foreign audiences of Russian cyber operations, backed by a popular movement that is not related to or controlled by government entities.[39] This kind of astroturfing (fabricating grassroots support) helps justify the Russian war effort against Ukraine and alleges the support of the Russian people, even though the operations were conducted or heavily influenced by intelligence services.

Condoning the activities of or cooperating with hacktivist groups of the second category, such as NoName057(16), increases the number of disruptive effects, akin to outsourcing some tasks to service providers. Even if these groups primarily engage in DDoS attacks and activities that are not regarded as highly sophisticated or particularly impactful, they are successful in taking down websites and services for limited periods, ultimately contributing to the broader goal of disrupting Western services and governments by spreading chaos.[40]

Steering attacks from category-three groups does not require active effort from the Russian government. Simply turning a blind eye to activism and cybercrime if it targets countries outside the CIS is an effective way to add more noise and to direct a community of cybercriminals to targets that are conveniently located in “hostile countries,” from the Russian government’s perspective.

It is essential to emphasise the importance of analytical clarity when examining pro-Russian hacktivism. While hacktivist groups have been shown to be related to or controlled by Russian intelligence services, Russian “hacktivism” as a phenomenon is not clear-cut; it ranges from groups that loosely align with the geopolitical objectives of the Russian state to groups that conduct ad hoc campaigns against targets that they perceive as acting against Russian interests in the current news cycle, to alleged front personas of Russian intelligence services. Even within these categories, there is a spectrum of state control and adherence to geopolitical goals.

Low-sophistication attacks perpetrated by groups like NoName057(16) pose a threat worth acknowledging due to the potential psychological effects they can generate. They can disrupt companies’ public-facing services. Yet, they do not equate to espionage or sabotage cyber operations conducted by intelligence services, and it is not useful to view them as state-on-state cyber operations. DDoS attacks like these are mainly used for their second-order psychological effects, which increase if companies or news outlets overstate their implications: “Pro-Russia volunteers take down public website of a Ukrainian state-owned organisation for 90 minutes” sounds less critical than “Russian hacker groups attack Ukrainian government organisation.” It is essential to be aware of the nuances of Russian hacktivism and not to equate it with sophisticated intelligence operations. Using more precise language is crucial to indicate a level of state responsibility, providing more context when reporting on such attacks. This taxonomy can be one route to achieving this. Indicating the category of the perpetrating group can help call attention to the specifics of a cyber operation.

Implications

For both private and public organisations in Europe, this aspect of Russian cyber strategy has varying implications. Firstly, organisations should be aware that a hacktivist persona group may leak their data, should they become a victim of an attack by Russian intelligence services. This should not change any general security posture. Still, it might influence an organisation’s preferences when it comes to publicly disclosing incidents, as the incident may become public through a hacktivist channel, regardless.

Furthermore, the risk of being deliberately targeted by DDoS attacks increases for companies generally, with a special emphasis on companies involved in any kind of support for Ukraine, such as logistics, manufacturing or potentially think tanks or conference venues, as the NoName057(16) attacks on the Munich Security Conference and the Hotel Bayerischer Hof have shown.[41] That being said, there is a qualitative difference between these attacks and sophisticated intelligence operations; organisations should be aware of this distinction and prepare adequately for each.

As the Russian government condones cybercrime attacks against Western states per its guidelines, European targets are of much higher attractiveness to Russian cybercriminals than targets in Russia or the CIS.

Connections to hacktivists and criminal groups enable Russian intelligence services to quickly expand their offensive capabilities by either delegating attacks or using infrastructure that already exists in the non-state actors’ arsenal. The resulting breadth of attacks is notable, and organisations should be prepared against as many kinds of cyber-attacks as possible, as they may be used in conjunction with one another. Theoretically, there may be an overlap of DDoS attacks, espionage campaigns, and ransomware attacks originating from various groups within Russia, all orchestrated by Russian intelligence services. These paint a picture of what might be possible as a worst-case scenario in the future.

Russian security services employ the entire spectrum of cyber-attacks to achieve their geopolitical aims. Therefore, stakeholders in European countries must have a comprehensive understanding of the threat landscape originating from Russia. The threat is diversified, and different strategies need to be implemented to build resilience against all of its aspects. Public and private sector organisations alike need to invest in cybersecurity measures and build up threat intelligence capabilities, or at least regularly consume threat intelligence regarding Russia to build up an image of their organisation’s threat landscape that allows them to be informed about changes pertaining to the tactics and techniques of Russian intelligence services and their non-state counterparts.

It is also important to maintain clear and precise descriptions of hacktivism to keep a current image of the threat landscape. Muddying the waters by simply describing cyber operations as “hacktivism” will not benefit organisational threat assessments nor the public’s perception of the threat of hacktivism, complicating the defence against these threats. The outlined taxonomy can be used as one way to describe hacktivism further, providing more clarity and indicating a level of state responsibility for more context.

 


Bennet Conrads is a Threat Intelligence Analyst at DCSO Deutsche Cyber-Sicherheitsorganisation GmbH. He focuses on strategic threat intelligence relating to nation-state sponsored activities in cyberspace.

Olivia Hayward is a Threat Intelligence Analyst at DCSO Deutsche Cyber-Sicherheitsorganisation GmbH. She focuses on strategic threat intelligence relating to nation-state sponsored activities in cyberspace.

The views contained in this article are the authors’ alone.


[1] Jason Healey, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council: Cyber Statecraft Initiative, February 22, 2012, https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF.

[2] Vitaly Shevchenko, “‘Little Green Men’ or ‘Russian Invaders’?,” BBC News, March 11, 2014, https://www.bbc.com/news/world-europe-26532154.

[3] Jason Healey, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council: Cyber Statecraft Initiative, February 22, 2012, https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF.

[4] Dan Black and Gabby Roncone, “The GRU’s Disruptive Playbook,” Google Cloud Blog, July 12, 2023, https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook?hl=en.

[5] Dan Black and Gabby Roncone, “The GRU’s Disruptive Playbook,” Google Cloud Blog, July 12, 2023, https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook?hl=en.

[6] Gabby Roncone et al., “APT44: Unearthing Sandworm,” Google Cloud Blog, April 17, 2024, https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf.

[7] Itay Cohen, “Modern Approach to Attributing Hacktivist Groups,” Check Point Research, February 27, 2025, https://research.checkpoint.com/2025/modern-approach-to-attributing-hacktivist-groups/.

[8] Mandiant Intelligence, “Hacktivists Collaborate with GRU-sponsored APT28,” Google Cloud Blog, September 23, 2022, https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions/?hl=en.

[9] Billy Leonard, “Ukraine remains Russia’s biggest cyber focus in 2023,” Google Cloud Blog, April 19, 2023, https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/.

[10] U.S. Department of the Treasury, “Treasury Sanctions Leader and Primary Member of the Cyber Army of Russia Reborn,” news release, July 19, 2024, https://home.treasury.gov/news/press-releases/jy2473.

[11] U.S. Department of the Treasury, “Treasury Sanctions Leader and Primary Member of the Cyber Army of Russia Reborn,” news release, July 19, 2024, https://home.treasury.gov/news/press-releases/jy2473.

[12] Gabby Roncone et al., “APT44: Unearthing Sandworm,” Google Cloud Blog, April 17, 2024, https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf.

[13] Mandiant Intelligence, “Hacktivists Collaborate with GRU-sponsored APT28,” Google Cloud Blog, September 23, 2022, https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions/?hl=en.

[14] Mandiant Intelligence, “Hacktivists Collaborate with GRU-sponsored APT28,” Google Cloud Blog, September 23, 2022, https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions.

[15] Mandiant Intelligence, “Hacktivists Collaborate with GRU-sponsored APT28,” Google Cloud Blog, September 23, 2022, https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions/?hl=en.

[16] Andy Greenberg, “Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Ukrainian Telecom,” WIRED, December 13, 2023, https://www.wired.com/story/ukraine-kyivstar-solntsepek-sandworm-gru/.

[17] Andy Greenberg, “Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Ukrainian Telecom,” WIRED, December 13, 2023, https://www.wired.com/story/ukraine-kyivstar-solntsepek-sandworm-gru/.

[18] Jason Healey, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council: Cyber Statecraft Initiative, February 22, 2012, https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF.

[19] Ernesto Fernández Provecho, “Hacktivist Groups: The Shadowy Links to Nation-State Agendas,” Trellix, December 16, 2024, https://www.trellix.com/blogs/research/hacktivist-groups-the-shadowy-links-to-nation-state-agendas/.

[20] U.S. Department of the Treasury, “Treasury Sanctions Leader and Primary Member of the Cyber Army of Russia Reborn,” news release, July 19, 2024, https://home.treasury.gov/news/press-releases/jy2473.

[21] Ludovico Ninotti and Samuele De Tomas Colatin, “Analysis of the Russian-Speaking Threat Actor NoName 057(16),” Yarix Ylabs, October 13, 2022, https://labs.yarix.com/2022/10/analysis-of-the-russian-speaking-threat-actor-noname-05716/.

[22] “Russian Hacktivists Increasingly Tamper with Energy and Water System Controls,” Cyble, December 6, 2024, https://cyble.com/blog/russian-hacktivists-target-energy-and-water-infrastructure/.

[23] U.S. Department of Health and Human Services, “Pro-Russian Hacktivist Group ‘KillNet’ Threat to HPH Sector,” news release, January 30, 2023, https://www.hhs.gov/sites/default/files/killnet-analyst-note.pdf.

[24] “«Ot nego ustali, no boyatsya»: chto izvestno o lidere khakerskoy gruppirovki Killnet («От него устали, но боятся»: что известно о лидере хакерской группировки Killnet),” Gazeta.ru, November 21, 2023, https://www.gazeta.ru/tech/2023/11/21/17878753.shtml?updated.

[25] “Killnet: Inside the World’s Most Prominent Pro-Kremlin Hacktivist Collective,” Flashpoint, accessed March 03, 2025, https://flashpoint.io/intelligence-101/killnet/.

[26] “Killnet,” Radware, accessed March 03, 2025, https://www.radware.com/cyberpedia/ddos-attacks/killnet/.

[27] “«Ot nego ustali, no boyatsya»: chto izvestno o lidere khakerskoy gruppirovki Killnet («От него устали, но боятся»: что известно о лидере хакерской группировки Killnet),” Gazeta.ru, November 21, 2023, https://www.gazeta.ru/tech/2023/11/21/17878753.shtml?updated.

[28] Daryna Antoniuk, “Ukraine’s state registers hit with one of Russia’s largest cyberattacks, officials say,” The Record, December 20, 2024, https://therecord.media/ukraine-government-cyberattack-state-registers-russia.

[29] Roman Kildyushkin, “«Menya ishchut vladel’tsy narkokarteley», Novyy glava Killnet — o planakh, deanonakh i atake na «Kiyevstar» («Меня ищут владельцы наркокартелей», Новый глава Killnet — о планах, деанонах и атаке на «Киевстар»),” Gazeta.ru, January 22, 2024, https://www.gazeta.ru/tech/2024/01/22/18134131.shtml.

[30] Jason Healey, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council: Cyber Statecraft Initiative, February 22, 2012, https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF.

[31] Insikt Group, “Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine,” Recorded Future, January 31, 2023, https://go.recordedfuture.com/hubfs/reports/cta-2023-0131.pdf.

[32] Insikt Group, “Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine,” Recorded Future, January 31, 2023, https://go.recordedfuture.com/hubfs/reports/cta-2023-0131.pdf.

[33] Jordan Robertson and Niclas Rolander, “Posing as Islamists, Russian hackers take aim at Sweden,” The Japan Times, May 14, 2023, https://www.japantimes.co.jp/news/2023/05/14/world/russia-hackers/.

[34] Shreyas Reddy, “How pro-Russian hackers took down South Korea websites over support for Ukraine,” KoreaPro, November 13, 2024, https://koreapro.org/2024/11/how-pro-russian-hackers-took-down-south-korea-websites-over-support-for-ukraine/.

[35] “South Korea minister says all scenarios under consideration for aiding Ukraine,” Reuters, November 01, 2024, https://www.reuters.com/world/south-korea-minister-says-all-scenarios-under-consideration-aiding-ukraine-2024-11-01/.

[36] U.S. Department of Justice, “Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU),” news release, February 15, 2024, https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian.

[37] Shreyas Reddy, “How pro-Russian hackers took down South Korea websites over support for Ukraine,” KoreaPro, November 13, 2024, https://koreapro.org/2024/11/how-pro-russian-hackers-took-down-south-korea-websites-over-support-for-ukraine/.

[38] Vitaly Shevchenko, “‘Little Green Men’ or ‘Russian Invaders’?,” BBC News, March 11, 2014, https://www.bbc.com/news/world-europe-26532154.

[39] Gabby Roncone et al., “APT44: Unearthing Sandworm,” Google Cloud Blog, April 17, 2024, https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf.

[40] Gen Digital, “NoName057(16) Pro-Russian Hacker Group Targeting Sites in Ukraine and Supporting Countries with DDoS Attacks,” news release, September 06, 2022, https://newsroom.gendigital.com/2022-09-06-NoName057-16-Pro-Russian-Hacker-Group-Targeting-Sites-in-Ukraine-and-Supporting-Countries-with-DDoS-Attacks.

[41] Rebecca Ciesielski and Maximilian Zierer, “Prorussische Hacker bekennen sich zu Angriffen auf Behörden,” BR24, February 21, 2025, https://www.br.de/nachrichten/bayern/prorussische-hacker-bekennen-sich-zu-angriffen-auf-behoerden,UdS7Smd.
