Russia’s documented cyber operations against the United States and its allies span three distinct intelligence and military organizations — the FSB, the GRU, and the SVR — each with a different operational mandate and target profile. The Congressional Research Service’s updated inventory covers Russian campaigns from 2003 through 2025, a record that encompasses election interference, critical infrastructure targeting, long-duration espionage, supply chain attacks, and, most recently, campaigns specifically designed to disrupt Western support for Ukraine.
GRU: Disruption and Disinformation
The GRU’s Sandworm unit ran the most operationally aggressive documented campaign: from 2015 through 2018, it attacked Ukrainian government and critical infrastructure with BlackEnergy malware, sought to interfere in the French national elections, deployed NotPetya against U.S. hospitals, shipping companies, and pharmaceutical firms, attempted to undermine the PyeongChang Winter Olympics, targeted investigators of the Novichok poisoning, and sought access to Georgian government entities. Six GRU officers were charged by DOJ in October 2020 in connection with those operations. NotPetya alone caused billions of dollars in collateral damage to companies that were not its primary targets.
A separate GRU operation, running from 2014 through 2018, focused on disinformation and hack-and-leak. The unit compromised the World Anti-Doping Agency, the U.S. Anti-Doping Agency, the Rio Olympics, FIFA, Westinghouse Electric, and the OPCW, then published stolen and altered information to retaliate for doping charges against Russian athletes and to undermine international institutions perceived as hostile to Russian interests. The 2016 DCLeaks and Guccifer 2.0 operations — GRU efforts targeting political campaigns, state election boards, and election technology companies — resulted in the indictment of twelve GRU intelligence officers in July 2018. APT-28 has continued operating into 2025, with a CISA advisory in May 2025 documenting GRU targeting of Western logistics companies and technology firms supporting aid delivery to Ukraine.
FSB: Long-Duration Espionage
The FSB’s cyber operations are characterized by patience and breadth. The Snake malware campaign, attributed to the FSB and running from 2003 through 2023, conducted long-term surveillance of NATO countries for two decades before CISA published a hunting guide for the malware in May 2023. A separate FSB campaign from 2012 through 2018 targeted the operational technology of energy sector companies in 135 countries. The Yahoo breach, attributed to FSB officers from 2014 through 2016, compromised 500 million accounts and targeted journalists, government officials, cybersecurity professionals, and financial services firms. Star Blizzard, an FSB-linked actor, ran continuous spear-phishing operations against individuals and organizations from 2019 through 2023.
SVR: Supply Chain Access
The SVR’s most consequential documented operation is SolarWinds, a 2020 through 2021 supply-chain attack against the Orion software platform that gave APT-29 access to government and private-sector networks globally. The attack was not detected until December 2020 and had been active for months before discovery. A subsequent SVR operation in 2023 exploited a vulnerability in JetBrains TeamCity to compromise IT companies through their build infrastructure — the same supply-chain trust model applied to a different category of software vendor.
The cumulative picture across GRU, FSB, and SVR operations is of a state that treats cyberspace as an integrated domain for military disruption, intelligence collection, and political warfare simultaneously. The 2025 CISA advisory on logistics targeting makes explicit what the prior record implied: Russian cyber operations adapt to geopolitical conditions in near real time, and any entity touching Western supply chains for Ukraine-related aid has moved into the active target set.