Recent reports from Google Cloud Security and other sources including Radware have revealed alarming trends in state-sponsored cybercrime, underscoring Russia’s increasing reliance on cybercriminal networks for espionage and warfare. The findings raise fresh concerns about the Trump administration’s directive to the CIA to halt offensive cyber operations against Russian targets.
Officials in the White House ordered the CIA to stand down on certain cyber activities targeting Russia. This decision, which some intelligence officials viewed as a rollback of U.S. cyber deterrence efforts, coincided with Moscow’s escalating cyber activities against Ukraine, NATO allies, and Western institutions.
While Australia ramps up its defences against state-based hacktivism, there is real concern that the actions of the Trump administration will only empower Russian activists (and other states such as the DPRK and Pro-PRC forces for example) to cast their nets further.
The Google Cloud Security report, which focuses on state-sponsored cybercrime, highlights how Russia’s intelligence agencies—particularly the GRU (military intelligence), FSB (security services), and SVR (foreign intelligence)—increasingly rely on cybercriminal tools and networks to conduct cyberwarfare. By leveraging ransomware, stolen credentials, and malware sourced from the dark web, these agencies have effectively blurred the line between cybercrime and state-sponsored espionage.
Key findings from the report indicate:
- The GRU-backed group APT44 (Sandworm) has deployed ransomware-based disruptive malware against Ukrainian and NATO systems, utilising tools sourced from cybercriminal marketplaces.
- Russian intelligence groups have employed off-the-shelf cybercrime tools like DARKCRYSTALRAT and RADTHIEF to facilitate attacks while maintaining plausible deniability.
- The GRU-affiliated UNC2589 group used wiper malware such as SHADYLOOK and PAYWIPE to target Ukrainian government infrastructure in the lead-up to the 2022 invasion.
Pundits are already suggesting that Trump’s directive to the CIA to curb cyber operations against Russia will leave the U.S. vulnerable to cyber threats. The decision comes amid broader scrutiny of Trump’s relationship with Russian President Vladimir Putin and accusations of reluctance to confront Moscow over its cyber aggression.
Scaling back cyber operations will allow Russian cybercriminals and intelligence agencies to operate with greater impunity. Critics argue that the lack of an aggressive U.S. cyber posture will only embolden Moscow to intensify its cyber activities, including interference in Western elections and cyberattacks against critical infrastructure.
The latest Global Threat Analysis Report from cybersecurity firm Radware adds further context to these concerns, highlighting the dramatic rise in hacktivist cyber activity, particularly Distributed Denial-of-Service (DDoS) attacks linked to geopolitical conflicts. According to Radware:
- Web DDoS attacks surged 550% in 2024, with 78% of global incidents targeting EMEA (Europe, Middle East, and Africa).
- Network-layer DDoS attacks more than doubled since 2022, with telecommunications and finance sectors being the primary victims.
- The total number of claimed hacktivist DDoS attacks increased by 20% over 2023, with Ukraine, Israel, and the U.S. among the top targets.
- Pro-Russian hacker NoName057(16) was the most active threat actor, claiming responsibility for 4,767 DDoS attacks in 2024.
The report underscores the evolving cyber threat landscape, where politically motivated cyberattacks are increasingly tied to global conflicts. Hacktivist groups, often aligned with state interests, have leveraged AI-powered tools to expand their reach and impact.
State-Sponsored Cybercrime Extends Beyond Russia
While Russia remains the most prolific adopter of cybercriminal infrastructure, the Google Cloud Security report also identifies similar tactics used by China, Iran, and North Korea:
- Iran’s UNC5203 group has deployed Russian-developed RADTHIEF malware against Israeli nuclear research targets.
- China’s UNC2286 has merged espionage with ransomware tactics, masking state-backed hacking activities.
- North Korea’s APT38 and APT43 continue to fund espionage and weapons development through cybercrime, particularly cryptocurrency theft.
Implications for U.S. Cyber Policy
The findings from the Google and Radware reports, coupled with Trump’s decision to curb CIA cyber activities, highlight the growing challenges in countering state-sponsored cybercrime. Experts warn that adversaries like Russia are increasingly integrating cybercriminal operations into national security strategies, making it imperative for the U.S. and other countries to bolster cyber defence and deterrence capabilities.