Russia has a complex system of cybersecurity agencies and laws, which helps to explain its actions as a cyber actor. Russia’s Constitution states that Russians have the right to privacy and that governments cannot access citizens’ private information (Supreme Court of Russian Federation, n.d.). However, these laws often allow government officials to search through private information (Soldatov and Borogan, 2022). Furthermore, many of these laws are enforced by Roskomnadzor and the Federal Security Service (FSB, Russia’s counterintelligence agency), which have been known to work together to punish dissenters and censor the media (Soldatov and Borogan, 2022). The FSB is also part of Russia’s set of offensive cyber actors, which includes the FSB, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU, the main intelligence directorate and Russia’s military intelligence agency), and the Federal Protective Service (FSO, Russia’s government protection agency) (Bowen, 2022). Russia also has defensive cyber operations such as a CIRT (Computer Incident Response, n.d.) and a financial CERT (Bank of Russia, 2023), although they receive less attention than its offensive cyber operations. Although most of the prominent cyber actors are state actors, Russia’s government also works with cybercrime groups (Bowen, 2022).
Human Rights and Data Privacy
Russia has very limited privacy and freedoms, with Freedom House giving Russia a 20/100 and a ranking of “not free” in 2024 (Freedom House, 2024). Russia’s constitution has numerous articles which relate to freedom and privacy. Article 23 states that Russians have the right to privacy (Supreme Court of Russian Federation, n.d.), and Article 24 states that “the collection, keeping, use and dissemination of information about the private life of a person shall not be allowed without his or her consent” (Supreme Court of Russian Federation, n.d.). Despite these laws, there is constant surveillance and persecution of Russian citizens, both on and off the internet. One example is Roskomnadzor, or the Federal Service for Supervision of Communications, Information Technology, and Mass Media. Roskomnadzor is known as the enforcement agency on data privacy and media censorship, with the Kremlin stating its function is to “…control and supervision in telecommunications, information technology, and mass communications,” (Federal Service of Communication, 2023) and that Roskomnadzor has the authority to protect the personal data of the people (Federal Service of Communication, 2023). However, Roskomnadzor has also been known to censor mass media and report dissenters to the FSB to be punished (Soldatov & Borogan, 2022). Another role of Roskomnadzor is to enforce data privacy and localization (Federal Service of Communication, 2023).
Russia also has a data localization law, the 2006 Data Localization Law. Article 18(5) of the Data Localization Law (Andreeva et al., 2021) specifically requires data operators who want to collect the personal data of Russian citizens to “…initially record, store, arrange, update, and extract that data using Russian databases” (Andreeva et al., 2021). Forcing the personal data of Russian citizens to be stored in Russia makes it easier for the information to be accessed by the Russian government. This lack of data privacy is only emphasized by the FSB’s statements in 2019 that intelligence agencies should have control over the personal data of Russian citizens (Sherman, 2022), showcasing the continuing blur between enforcement and oppression in Russia.
Offensive and Defensive Cyber Forces
Russia’s primary cyber forces come from state groups, such as the FSB, GRU, and the Foreign Intelligence Service (SVR, Russia’s foreign intelligence agency) (Bowen, 2022). The FSB and SVR fall under the executive branch, but the GRU is under the Ministry of Defense (Bowen, 2022). The FSB’s 16th Center is for intercepting and phishing for information (Foreign Commonwealth and Development, 2023) and its 18th Center is for information collection and espionage (Foreign Commonwealth and Development, 2023). Both the 16th and 18th Centers are for espionage and information collection, but the 16th Center is more aggressive in its operations than the 18th Center.
Of Russia’s famous state-sponsored actors, APT 29 has been attributed to the SVR (MITRE ATT&CK, 2024a) and APT 28 has been attributed to the GRU (MITRE ATT&CK, 2024b). The GRU has a large number of offensive cyber actors under the term “units” (Bowen, 2022). However, this could be due to the GRU’s military goals and capabilities, as opposed to an agency such as the SVR, which mainly engages in espionage and information collection (Bowen, 2022).
Russia also has a defensive cyber division under the FSO (Federal Protective Service), which maintains Russian information security from outside hackers (Bowen, 2022). Russia also has a CSIRT (Computer Incident Response, n.d.), as well as a financial CERT which is tied to the Bank of Russia for any financial cybercrimes (Bank of Russia, 2023).
Brain Drain
A major cyber issue within Russia is the current brain drain that started in 2022 (Hüsch and Jarnecki, 2023). This has slowed down Russia’s cybersecurity operations significantly (Bowen, 2022), and is a reason why Russia has worked with cybercrime organizations such as Ember Bear (MITRE ATT&CK, 2023). Domestically, there have also been issues with banking and financial institutions being attacked recently (Russian News Agency, 2023). These attacks have increased since the war in Ukraine, with several Russian and Ukrainian cybercriminals being attributed (Vijayan, 2024). There has also been an increase in malware attacks since the war, in retaliation from Ukrainian hackers (Vijayan, 2024).
Sources
Andreeva, K., Kiseleva, A., & Neskoromyuk, A. (2021). Data localization laws: Russian federation. Morgan Lewis Moscow. https://www.morganlewis.com/-/media/files/publication/outside-publication/article/2021/data-localization-laws-russian-federation.pdf
Bank of Russia. (2023, December 12). Financial cert. Informational Security. https://www.cbr.ru/eng/information_security/fincert/
Bowen, A. (2022, February 2). Russian cyber units – CRS reports. Congressional Research Service. https://crsreports.congress.gov/product/pdf/IF/IF11718
Hüsch, P., & Jarnecki, J. (2023, June 1). All quiet on the cyber front? Explaining Russia’s limited cyber effects. Royal United Services Institute. https://www.rusi.org/explore-our-research/publications/commentary/all-quiet-cyber-front-explaining-russias-limited-cyber-effects
Foreign Commonwealth and Development Office. (2023, December 7). Russia’s FSB malign activity: Factsheet. GOV.UK. https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet#fsb-centre-16
Freedom House. (2024). Russia: Freedom on the net 2024 country report. Freedom House. https://freedomhouse.org/country/russia/freedom-net/2024
The Federal Service for Supervision of Communications, Information Technology, and Mass Media. (2023, November 20). Powers of Roskomnadzor. Roskomnadzor. https://rkn.gov.ru/en/about/powers-of-roskomnadzor/
MITRE ATT&CK. (2023, March 22). Ember bear. MITRE ATT&CK. https://attack.mitre.org/versions/v15/groups/G1003/
MITRE ATT&CK. (2024a, April 4). APT28. MITRE ATT&CK. https://attack.mitre.org/versions/v15/groups/G0007/
MITRE ATT&CK. (2024b, April 12). APT29. MITRE ATT&CK. https://attack.mitre.org/versions/v15/groups/G0016/
National Computer Incident Response & Coordination Center. (n.d.). CERT.GOV.RU- Incidents. https://www.cert.gov.ru/en/incident.html
Supreme Court of the Russian Federation. (n.d.). Constitution of the Russian Federation (as amended on 21 July 2014). Supreme Court of the Russian Federation. http://www.vsrf.ru/en/documents/constitution/
Russian News Agency. (2023, February 13). Cybersecurity incidents involving Russian banks rise by one-quarter in 2023. TASS. https://tass.com/economy/1745493
Sherman, J. (2022, September 27). Russia is weaponizing its data laws against foreign organizations. Brookings. https://www.brookings.edu/articles/russia-is-weaponizing-its-data-laws-against-foreign-organizations/
Soldatov, A., & Borogan, I. (2023, April 15). Russia’s Surveillance State. CEPA. https://cepa.org/article/russias-surveillance-state/
Vijayan, J. (2024, April 18). Dangerous new ICS malware targets orgs in Russia and Ukraine. Dark Reading. https://www.darkreading.com/ics-ot-security/dangerous-new-ics-malware-targets-orgs-in-russia-and-ukraine