Russian hybrid warfare is an intricate field where elements of cyber and physical operations intertwine seamlessly. According to the 2024 report by Cyber Diia Team, there is a consistent, nearly month-long time gap between Russian cyberattacks and subsequent missile strikes, observed between 2022 and 2024. This calculated sequential approach highlights a strategy aimed at undermining infrastructure resilience prior to physical strikes, which, over the last two years of hot war, has evolved into a hallmark of Russian cyberwarfare.
This article builds upon Cyber Diia’s research and expands its Russian cyberwarfare ecosystem tree as shown below, namely the red-framed branch. More specifically, we examine how peripheral and core cyber-operations merge under the Kremlin’s hybrid military doctrine, exploring the Kremlin-backed entities, as well as the independent key groups like Qilin and Killnet.
Core Kremlin Entities
The 2022 report on the Russian use of offensive cyber-capabilities by the Regional Cyber Defence Centre, a subsidiary of the National Cyber Security Centre under the Ministry of National Defence of the Republic of Lithuania, identified six key entities within Russia’s cyber-intelligence apparatus:
Dragonfly: A cyber-espionage group operating under FSB Centre 16, also known as Military Unit 71330. Dragonfly targets critical infrastructure sectors worldwide, including energy, water systems, and defense.
Gamaredon: Linked to FSB Centre 18, Gamaredon specializes in intelligence collection against Ukrainian state institutions, focusing on defense, law enforcement, and security agencies.
APT29 (Cozy Bear): Associated with the Russian Foreign Intelligence Service (SVR), APT29 conducts global cyber-espionage operations, targeting governments, technology firms, and private sector organizations.
APT28 (Fancy Bear): Tied to the GRU Unit 26165, APT28 is infamous for its involvement in election interference, including the hacking of the Democratic National Committee in 2016. Its targets include governments, militaries, and political organizations.
Sandworm: Operated by GRU Unit 74455, Sandworm is responsible for high-profile cyberattacks such as the 2018 Olympic Destroyer malware and the 2017 NotPetya attack, a destructive wiper disguised as ransomware that caused over $10 billion in global damages.
TEMP.Veles (TsNIIKhM): Linked to the Russian Ministry of Defense’s Central Scientific Institute of Chemistry and Mechanics, TEMP.Veles developed Triton malware, designed to manipulate and compromise safety systems in industrial control environments.
These entities form the backbone of Russia’s state-backed cyber operations, employing advanced tools and techniques to disrupt critical infrastructure, compromise sensitive data, and destabilize adversaries globally. Their operations demonstrate the Kremlin’s reliance on cyber-intelligence as a critical component of hybrid warfare.
Peripheral Cyberwarfare Operations
We are idealists who love our country. […] Our activities influence the governments of th[e] countries who promise freedom and democracy, help and support to other countries, but do not fulfill their promises. […] Before the terrible events around us began, we worked in the IT field and simply earned money. Now many of us are employed in various professions that involve protecting our home. There are people who are in many European countries, but nevertheless all their activities are aimed at supporting those who [are] suffering today. We have united for a common cause. We want peace. […] We hack only those business structures that are directly or indirectly related to politicians, who make important decisions in the international arena. […] Some of our comrades have already died on the battlefield. We will definitely take revenge for them. We will also take revenge on our pseudo-allies who do not keep their word.
This statement comes from Qilin’s sole interview, published on June 19, 2024 via WikiLeaksV2, a dark web portal reachable over Tor. Seventeen days earlier, Qilin had gained notoriety across Europe for a ransomware attack on Synnovis, a pathology services provider to NHS hospitals in London. The attack disrupted critical healthcare operations: halting blood transfusions and test results, canceling surgeries, and redirecting emergency patients.
The Guardian’s Alex Hern identified Qilin as a Russian-speaking ransomware group whose activity began in October 2022, seven months after Russia’s full-scale invasion of Ukraine.
Their rhetoric, evident in the interview, combines themes of national pride, desire for peace, and grievances against untrustworthy politicians.
This language aligns closely with Russian peace propaganda, as analyzed by the Polish Institute of International Affairs. On a micro-level, it also mirrors the linguistic patterns of Vladimir Putin’s messaging, such as in his February 2024 interview with Tucker Carlson.
Our investigation of Qilin’s Tor (.onion) leak site reveals databases dating back to November 6, 2022, containing breached information from Dialog Information Technology, an Australian cyber-services company operating across Brisbane, Sydney, Canberra, Melbourne, Adelaide, Perth and Darwin. As of December 2024, this database has been accessed 257,568 times.
The portal also hosts stolen data from Qilin’s London hospital attack—613 gigabytes of personal information—which has been publicly accessible since July 2, 2024, and viewed 8,469 times as of December 2024.
From January to November 2024 alone, Qilin breached and published 135 databases, amassing over 32 terabytes of maliciously usable personal data. Targets have ranged from local governments, such as Upper Merion Township in Pennsylvania, USA, to multinational corporations. Yet Qilin represents just the tip of the iceberg.
Killnet, another prominent dark web actor, primarily offers DDoS-for-hire services. The group operates under a hierarchical structure with subdivisions such as Legion-Cyber Intelligence, Anonymous Russia, Phoenix, Mirai, Sakurajima, and Zarya. Legion-Cyber Intelligence specializes in intelligence gathering and country-specific targeting, other branches execute DDoS assaults, and the whole group is coordinated under Killnet’s leader, known as Killmilk.
In an interview with Lenta, Killmilk claimed his collective comprises approximately 4,500 individuals organized into subgroups that operate semi-independently but occasionally coordinate their activities. Notably, Killmilk attributed an attack on Boeing to collaboration with 280 US-based “colleagues.”
This level of international coordination—where loosely connected groups organize into a functional cluster under one leader and one philosophy—lays the groundwork for eventual collaboration with state entities.
Such symbiosis is becoming increasingly common within Russia’s hybrid warfare doctrine.
Core Cyberwarfare Operations
The People’s Cyber Army (Народная Кибер-Армия) is a hacktivist group specializing in DDoS attacks, similar to Killnet. Researchers from Google-owned cyber-defense firm Mandiant have traced this group back to Sandworm (GRU Unit 74455).
Mandiant’s investigation also linked XAKNET, a self-proclaimed hacktivist group of Russian patriotic volunteers, to Russian security services. Evidence suggests that XAKNET may have shared illegally obtained data, similar to Qilin’s dark web leaks, with state-backed entities. Such collaborations have the potential to evolve into cyber-mercenary collectives, serving as proxies to test and breach the digital defenses of Western organizations. This mirrors the model of Prigozhin’s Wagner Group, but on the digital battlefield.
People’s Cyber Army and XAKNET represent two facets of a “gray zone” within Russian cyber operations, where patriotic hackers and cyber specialists either remain loosely affiliated or become fully integrated into Kremlin-backed entities. This blending of independent activism and state control exemplifies the hybrid nature of post-2022 Russian cyberwarfare, which increasingly maps onto Prigozhin’s model.
Moving from the Periphery
Malware development often serves as an entry point for amateur hackers seeking to join established groups, eventually leading to integration into state-backed entities.
Killnet, for instance, employs off-the-shelf open-source tools in distributed ways to achieve massive-scale 2.4 Tbps DDoS attacks. One tool commonly used by Killnet is “CC-Attack,” a script authored by an unrelated student in 2020 and made available on Killnet’s Telegram channel. This script requires minimal technical expertise, utilizing open proxy servers and other features to amplify attacks. Over time, Killnet has also employed other open-source DDoS scripts, including “Aura-DDoS,” “Blood,” “DDoS Ripper,” “Golden Eye,” “Hasoki,” and “MHDDoS.”
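The operational point about proxy-distributed floods like the ones these scripts produce is that per-source rate limiting does not see them: each open proxy sends only a handful of requests, so the attack is visible only in the aggregate (many distinct sources converging on one path in the same second). The following detector is an added example written for this article; it is not code from Killnet’s tooling, from Avast’s analysis, or from any project the page cites. The log lines are constructed, and the thresholds (`min_rps`, `min_sources`, `min_path_share`) are assumed values to be tuned per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "ua": m.group("ua")}


def per_source_rate_alerts(lines, max_rps=20):
    """Naive per-IP check, kept for contrast: it finds nothing in the sample below,
    because every proxy stays far under the per-source limit."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["ip"], int(rec["ts"].timestamp()))] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > max_rps})


def detect_flood(lines, window_s=1, min_rps=50, min_sources=10, min_path_share=0.8):
    """Flag windows with high aggregate volume, many distinct sources and one dominant path.
    Assumed thresholds; tune them against a baseline of normal traffic."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[int(rec["ts"].timestamp()) // window_s].append(rec)

    alerts = []
    for key in sorted(buckets):
        recs = buckets[key]
        rps = len(recs) / window_s
        sources = Counter(r["ip"] for r in recs)
        top_path, top_n = Counter(r["path"] for r in recs).most_common(1)[0]
        if rps >= min_rps and len(sources) >= min_sources and top_n / len(recs) >= min_path_share:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_s, tz=timezone.utc).isoformat(),
                "rps": rps,
                "sources": len(sources),
                "max_per_source": max(sources.values()),
                "path": top_path,
            })
    return alerts


def sample_log():
    """Constructed sample: one quiet second of normal browsing, then 40 open proxies
    each sending three POSTs to /login within the same second."""
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    lines = [
        f'198.51.100.{i} - - [10/Jun/2024:12:00:04 +0000] "GET /{p} HTTP/1.1" 200 512 "-" "{ua}"'
        for i, p in enumerate(["", "about", "docs", "login", "static/app.js"], start=1)
    ]
    for i in range(1, 41):
        for _ in range(3):
            lines.append(
                f'203.0.113.{i} - - [10/Jun/2024:12:00:05 +0000] "POST /login HTTP/1.1" 200 128 "-" "{ua}"'
            )
    return lines


if __name__ == "__main__":
    print("per-source alerts:", per_source_rate_alerts(sample_log()))
    for alert in detect_flood(sample_log()):
        print(alert)
```

On the sample, the per-source check returns an empty list while `detect_flood` reports one window of 120 requests per second from 40 sources, at most 3 per source, all to `/login`. In production the same aggregate signature is what a WAF or edge rate limiter should key on (path plus request-rate plus source-count), rather than the per-IP counters that open proxies are chosen to defeat.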
On the other hand, Qilin showcases more advanced tactics by developing proprietary tools. Their ransomware, “Agenda,” was rewritten from Golang to Rust in 2022 for enhanced efficiency. Unlike Killnet’s reliance on external scripts, Qilin actively develops and updates its malware, enabling features like safe mode reboots and server-specific process termination.
These distinctions illustrate the progression from peripheral groups utilizing basic tools to advanced actors developing sophisticated, custom malware. This evolution represents the first step in bridging the gap between independent hackers and state-supported cyber entities. The second step requires innovative techniques that go beyond toolkits and demand a level of creativity often absent in amateur operations.
One such technique, known as the nearest neighbor attack, was used by APT28 (GRU Unit 26165) in an intrusion publicly documented in November 2024; the intrusion itself dates to early 2022. The method starts by compromising an organization located in a building near the target, then locating a dual-homed device there: one with a wired connection to the neighbor’s network and a Wi-Fi adapter within radio range of the target’s wireless network. Using that device’s Wi-Fi adapter, the attacker joins the target’s enterprise Wi-Fi with credentials obtained earlier by password spraying; those credentials were useless against the target’s internet-facing services, which required multi-factor authentication, but the Wi-Fi did not. Through this bridge the target network is infiltrated and sensitive data is exfiltrated from its servers. In the documented incident, the target was a US organization working on Ukraine-related matters, and the attacker’s connections were traced to three of the target’s wireless access points located near its conference room windows, on the side of the building facing the neighbor.
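The attack hinges on a dual-homed device: a host that is on a wired LAN and associated with a Wi-Fi network at the same time. An organization’s own dual-homed hosts both make it a stepping stone toward its neighbors and expose its wired LAN to whatever network their Wi-Fi adapters join. The check below is an added example written for this article, not code from the incident report or from any project the page cites. The inventory records are constructed (the kind an endpoint agent, `ip addr` or `netsh wlan show interfaces` would yield), and the corporate subnet and SSID allowlist are assumed site facts.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Assumed site facts for this example: the wired corporate LAN and the sanctioned SSIDs.
CORP_WIRED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
CORP_SSIDS = {"CORP-WPA2E"}


@dataclass(frozen=True)
class Interface:
    host: str
    name: str
    media: str                  # "wired" or "wifi"
    ip: str
    up: bool
    ssid: Optional[str] = None  # associated SSID when media == "wifi" and up


def on_corp_wired(iface: Interface) -> bool:
    """True when the interface is an active wired link addressed inside the corporate LAN."""
    if iface.media != "wired" or not iface.up:
        return False
    addr = ipaddress.ip_address(iface.ip)
    return any(addr in net for net in CORP_WIRED_NETS)


def find_bridges(interfaces: List[Interface]):
    """Report every host that is simultaneously on the wired corporate LAN and
    associated with a Wi-Fi network. Associations with an SSID outside the
    allowlist are marked foreign: that host is bridging the LAN to someone else's network."""
    by_host = defaultdict(list)
    for iface in interfaces:
        by_host[iface.host].append(iface)

    findings = []
    for host in sorted(by_host):
        wired = [i for i in by_host[host] if on_corp_wired(i)]
        wifi = [i for i in by_host[host] if i.media == "wifi" and i.up and i.ssid]
        if not wired:
            continue
        for w in wifi:
            findings.append({
                "host": host,
                "wired_if": wired[0].name,
                "wifi_if": w.name,
                "ssid": w.ssid,
                "foreign_ssid": w.ssid not in CORP_SSIDS,
            })
    return findings


def sample_inventory() -> List[Interface]:
    """Constructed inventory: a wired-only desktop, a laptop docked on the LAN while still
    on corporate Wi-Fi, and a conference-room PC on the LAN that joined a neighbor's SSID."""
    return [
        Interface("fin-desktop-01", "eth0", "wired", "10.10.4.20", True),
        Interface("fin-desktop-01", "wlan0", "wifi", "0.0.0.0", False),
        Interface("hr-laptop-07", "eth0", "wired", "10.10.5.31", True),
        Interface("hr-laptop-07", "wlan0", "wifi", "10.20.1.77", True, ssid="CORP-WPA2E"),
        Interface("confroom-pc-02", "eth0", "wired", "10.10.9.12", True),
        Interface("confroom-pc-02", "wlan0", "wifi", "192.168.50.8", True, ssid="NEIGHBOR-GUEST"),
    ]


if __name__ == "__main__":
    for finding in find_bridges(sample_inventory()):
        print(finding)
```

Run against the sample, it reports the docked laptop (corporate SSID, so a policy issue: disable Wi-Fi when a wired link is up) and the conference-room PC (foreign SSID, the exact shape of bridge the attack needs). The complementary controls are the ones the incident illustrates: require MFA or certificate-based 802.1X on Wi-Fi rather than bare domain credentials, and keep the wireless network segmented from the wired LAN so that joining one does not mean reaching the other.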
Such techniques highlight the divide between peripheral collaborators and the sophisticated methods employed by official Russian cyber intelligence. The ability to innovate and execute these complex strategies underscores the advanced skills of state-backed entities like APT28.
Constellations of Cyberwarfare
The Russian cyberwarfare ecosystem is a dynamic and ever-evolving network of actors, ranging from ideologically driven hackers like Qilin to organized syndicates such as Killnet. While some groups operate independently, others maintain direct or indirect links to state entities like the FSB or GRU.
Peripheral groups often act as experimental platforms, employing off-the-shelf tools to conduct ransomware attacks or DDoS campaigns. Their success and innovation can eventually lead to collaboration with the Kremlin, blurring the distinction between independent operations and government-coordinated initiatives, as happened with the People’s Cyber Army and XAKNET. This fluidity allows the ecosystem to adapt and evolve rapidly, with peripheral groups serving as entry points for novice talent while core entities like Sandworm and APT28 provide advanced operational sophistication and creativity.
A critical component of this ecosystem is Russia’s propaganda machine. Evidence suggests that after Prigozhin’s death his bot networks evolved into AI-powered ones, which made them even more pervasive and persistent, with automated responses amplifying their impact. When AI-powered disinformation is left unregulated and uninterrupted, it not only amplifies propaganda messaging but also reinforces the effectiveness of the entire cyberwarfare ecosystem.
Endless Loop
As Russia’s cyber operations increasingly integrate peripheral and core actors, they form a functional symbiosis that enhances both scale and technical expertise. This convergence erodes the distinctions between independent hacktivism, criminal syndicates, and state-sponsored entities, creating a seamless and adaptable cyberwarfare ecosystem.
It also raises a critical question: Is Russian propaganda as powerful as it appears, or has it evolved into an ideological force that transcends state control?
“They do not know it, but they are doing it.” Philosopher Slavoj Žižek borrowed this quote from Karl Marx’s theory of ideology to transmit a key idea: ideology is not just what we consciously believe, but also what we unknowingly enact or embody through our behavior. One might outwardly reject capitalism but still engage in behaviors that sustain and reproduce it, like consumerism or competition.
Similarly, Qilin might proclaim that their activities are aimed at “supporting those who [are] suffering today,” yet their actions, such as halting critical surgeries across a European capital of nearly 10 million people, contradict the stated ideals.
In the endlessly adaptive ecosystem of Russian cyberwarfare, the fusion of ideology, propaganda, and technology forms a potent force that transcends individual actors. The interplay between peripheral and core entities, amplified by AI-driven disinformation, challenges traditional defense paradigms, demanding a response as dynamic and multifaceted as the threat itself.