Cyber Actors Defy Simple Labels

July 1, 2025

By TorchStone VP, Scott Stewart

In the past, I’ve written about the need for protective intelligence practitioners to develop a nuanced understanding of threat actors such as the jihadist and Antifa movements. As humans, our brains naturally like to sort things into easily identifiable categories, a tendency evidenced by the development of things such as taxonomy and the Dewey Decimal System.

Such systems work well for classifying things that remain static, such as the nature of a plant or a chemical element, but anyone who tries to categorize humans and human behavior soon learns how incredibly complex—and indeed downright messy—humanity is.

There is inherent danger in oversimplifying threat actors in order to classify them quickly. When we disregard the sometimes subtle differences in character, motive, and capability between threat actors, we can either over- or underestimate the threat they pose.

This is why, when assessing a threat from “the Islamic State,” for example, it is important to ask “which Islamic State?” as the different facets of the Islamic State movement possess very different capabilities. A self-initiated grassroots supporter will quite simply lack the training and tradecraft of the professional terrorist cadre from the Islamic State core organization, and even different franchises or “provinces” have different levels of capability in terms of both reach and operations.

This same principle applies to cyber actors. I recently attended a very good briefing by a cybersecurity expert who was discussing the latest trends in cyber threats. However, one quibble I had with his presentation was that he divided cyber threat actors into three distinct buckets: state actors, criminal actors, and hacktivists.

Such distinctions may work for a slide deck presentation, but in the real world, they are often very difficult to make. For example, if one closely examines the cyber efforts of a state actor such as the People’s Republic of China, it is very difficult to disentangle the efforts of government employees from those of criminal hackers and hacktivists.

In the case of the Democratic People’s Republic of Korea, which blatantly uses cybercrime (along with drug sales and other criminal activity) as an important means of raising hard currency, most observers consider the government itself to be one large criminal enterprise.

The amorphous cyber threat actor ecosystem in Russia provides a fantastic example of how difficult it is to place such actors in clean categories.

State Actors

In terms of state cyber threat actors, Russia’s foreign intelligence service (SVR), its domestic security service (FSB), and the Russian military’s Main Directorate (GU, formerly and still commonly known as the GRU) all conduct cyber operations directed against targets abroad.

The SVR’s cyber unit is referred to by Western cyber researchers as Advanced Persistent Threat (APT) 29, Cozy Bear, the Dukes, and Yttrium, among other names.

The FSB has three cyber units. One is known as Venomous Bear, Turla, and Krypton, among other names. The second is known as Berserk Bear, Energetic Bear, and Crouching Yeti, among other names. The third is known as Star Blizzard, Seaborgium, and the Callisto Group, among other names.

The GU has two cyber units. Unit 26165 is referred to by a number of names, including APT 28, Fancy Bear, and Pawn Storm; Unit 74455 is referred to as Voodoo Bear, Sandworm, and Iridium, among other names.

As the sheer number of names cybersecurity researchers give to the units belonging to these agencies suggests, it can be difficult to attribute any particular attack to a specific actor. It gets even more confusing when the cyber arms of more than one agency attack the same target in seemingly uncoordinated efforts, as the SVR’s Cozy Bear and the GU’s Fancy Bear did in 2016, when both agencies hacked the Democratic National Committee.

Criminal Actors

It is no secret that Russia is the world’s foremost cybercrime hotspot, and that a vast array of cyber criminals operate from within the country. However, many recent cases have shed light on the relationship between the government and cyber criminals.

Perhaps the case that best illustrates the interrelationship between Russian intelligence and criminal hackers was a 2017 indictment out of the Northern District of California that charged two FSB officers with “protecting, directing and facilitating” the actions of criminal hackers they paid to access Yahoo’s user database and account management tool in order to retrieve information on targets of interest to the FSB.

The indictment alleges that during the conspiracy, the FSB officers facilitated one of the hackers’ criminal activities by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia.

More recently, the close connection between Russian cyber criminals and the government was illustrated in February 2025, when a hacker who had been arrested in Greece in 2017, later extradited to the U.S., and who had pled guilty to money laundering charges, was released in a swap orchestrated by the Kremlin for American teacher Marc Fogel, who had been arrested by Russian authorities for possession of medical cannabis.

Criminal hackers can be outright paid by the government, recruited by being arrested and coerced into cooperating, or simply allowed free rein to commit crimes as long as they don’t conduct attacks inside Russia and carry out the occasional mission at the government’s request. Some criminals and criminal groups have closer ties to the government than others. They also vary in capability: some lend expertise or hacking tools to the government, while others require assistance or tools from the government.

Hacktivists

In the world of hacktivism, there is arguably no one more prominent than Julian Assange, and no hacktivist website better known than WikiLeaks. In the state actor section above, we noted that both the SVR’s Cozy Bear and the GU’s Fancy Bear hacked the Democratic National Committee in 2016. Some 20,000 emails obtained during those hacks were later posted on WikiLeaks.

Notably, at the same time Assange and WikiLeaks were publishing those emails, they refused to post a large tranche of purloined documents related to the Russian government. When viewed in light of Assange’s willingness to host documents critical of or damaging to the U.S. government, especially those stolen by Russian government hackers, it was not hard to draw a connection between Assange and the Russian government.

This link was further evidenced when state-run Russia Today (RT) paid Assange to host a series that was critical of the U.S. and the West.

Another category of Russian hacktivists worth including in this milieu is the so-called “patriotic hackers,” or hackers who are motivated to hack targets that are critical of Russia or are denounced by Russian leadership or ultra-nationalist social media influencers.

Russian President Vladimir Putin has attempted to paint such hackers as people who read something in the news about state-to-state relations and then independently decide to take action “to fight against those who say bad things about Russia,” but many cyber researchers are not convinced by these claims. These skeptics argue that while the government may not be expressly directing the activities of these hackers, it is at the very least sanctioning them by passively allowing them to operate. They also point to statements by Putin indicating that he is supportive of their efforts.

Private Corporations

Speaking of the 2016 U.S. presidential election, Russia’s efforts to interfere in that election brought to light the activities of a private company, the Internet Research Agency, widely known as the “Troll Farm,” that was created and operated by Kremlin-linked businessman Yevgeny Prigozhin. The Internet Research Agency was sanctioned by the U.S. in 2018 for its efforts to interfere in the 2016 U.S. elections, and Prigozhin himself was sanctioned for his efforts to exert Russia’s malign influence.

In 2021, the U.S. government sanctioned a group of private Russian technology companies that it alleges support the Russian intelligence services.

The Wilderness of Mirrors

One big reason for the ambiguity and overlap between classes of cyber threat actors is that it is intentional: it creates a degree of plausible deniability. Paying or coercing a criminal hacker to conduct an attack that furthers national interests allows the government to avoid being directly implicated. The same goes for paying or encouraging a patriotic hacker to conduct an attack.

A second reason is unintentional and stems from the rampant corruption present in Russia. Officials at all levels of the Russian government are on the payroll of cyber criminals, who pay them for shelter from prosecution.