{
	"id": "3cc209c4-2952-451b-ad99-bbeae46aaeb1",
	"created_at": "2026-04-06T00:21:51.249444Z",
	"updated_at": "2026-04-10T03:37:09.05633Z",
	"deleted_at": null,
	"sha1_hash": "4b80372b5383ae77c492fa41afb97df8df505abc",
	"title": "Preparing for a Russian cyber offensive against Ukraine this winter - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 366038,
	"plain_text": "Preparing for a Russian cyber offensive against Ukraine this\r\nwinter - Microsoft On the Issues\r\nBy Clint Watts\r\nPublished: 2022-12-03 · Archived: 2026-04-05 18:45:34 UTC\r\nAs we report more fully below, in the wake of Russian battlefield losses to Ukraine this fall, Moscow has\r\nintensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political\r\nsupport, domestic and foreign. This approach has included destructive missile and cyber strikes on civilian\r\ninfrastructure in Ukraine, cyberattacks on Ukrainian and now foreign-based supply chains, and cyber-enabled\r\ninfluence operations[1]—intended to undermine US, EU, and NATO political support for Ukraine, and to shake\r\nthe confidence and determination of Ukrainian citizens.\r\nIn recent months, cyberthreat actors affiliated with Russian military intelligence have launched destructive wiper\r\nattacks against energy, water and other critical infrastructure organizations’ networks in Ukraine as missile strikes\r\nknocked out power and water supplies to civilians across the country. Russian military operators also expanded\r\ndestructive cyberactivity outside Ukraine to Poland, a critical logistics hub, in a possible attempt to disrupt the\r\nmovement of weapons and supplies to the front.\r\nMeanwhile, Russian propaganda seeks to amplify the intensity of popular dissent over energy and inflation across\r\nEurope by boosting select narratives online through state-affiliated media outlets and social media accounts to\r\nundermine elected officials and democratic institutions. To date, these have had only limited public impact, but\r\nthey foreshadow what may become broadening tactics during the winter ahead.\r\nWe believe these recent trends suggest that the world should be prepared for several lines of potential Russian\r\nattack in the digital domain over the course of this winter. 
First, we can expect a continuation of Russia’s cyber\r\noffensive against Ukrainian critical infrastructure. We should also be prepared for the possibility that Russian\r\nmilitary intelligence actors’ recent execution of a ransomware-style attack – known as Prestige – in Poland may be\r\na harbinger of Russia further extending cyberattacks beyond the borders of Ukraine. Such cyber operations may\r\ntarget those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this\r\nwinter.\r\nSecond, we should also be prepared for cyber-enabled influence operations that target Europe to be conducted in\r\nparallel with cyberthreat activity. Russia will seek to exploit cracks in popular support for Ukraine to undermine\r\ncoalitions essential to Ukraine’s resilience, hoping to impair the humanitarian and military aid flowing to the\r\nregion. The good news is that, when equipped with more information, a media-savvy public can act with\r\nawareness and judgment to counter this threat.\r\nHere’s what we are seeing at Microsoft since Ukraine’s counteroffensive has pushed the Russian army into retreat,\r\nwhat we anticipate Russia’s cyber and influence operations might look like headed into the winter months, and\r\nhow we at Microsoft will help prepare and prevent harm to Microsoft customers and democracies facing these\r\nattacks.\r\nhttps://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/\r\nPage 1 of 10\n\nCombined missile and cyber strikes focus on destruction of civilian infrastructure\r\nAs Russia retreated from formerly occupied territory in Ukraine in late October, the Kremlin unleashed new\r\nmissile and drone strikes against Ukrainian cities and the energy and transportation infrastructure that supports\r\nthem. 
Missile barrages cut power to more than 10 million Ukrainians and left up to 80% of Kyiv’s population\r\nwithout running water.[2] The intent to inflict suffering on Ukraine’s civilians has been clear, and was effectively\r\nacknowledged by Russian officials.[3]\r\nNotably, these recent missile strikes have been accompanied by cyberattacks on the same sectors, perpetrated by a\r\nthreat group – known at Microsoft by the element name IRIDIUM and by others as Sandworm – associated with\r\nRussia’s military intelligence service, the GRU. The repeated temporal, sectoral and geographic association of\r\nthese cyberattacks by Russian military intelligence with corresponding military kinetic attacks indicates a shared\r\nset of operational priorities and provides strong circumstantial evidence that the efforts are coordinated, as\r\nreflected in the timelines below.\r\nMicrosoft’s research of IRIDIUM shows a history of destructive attacks against Ukraine’s critical energy\r\ninfrastructure that dates back nearly a decade. Following Russia’s annexation of Crimea in 2014, IRIDIUM\r\nlaunched a series of wintertime operations against Ukrainian electricity providers, cutting power to hundreds of\r\nthousands of citizens in 2015 and 2016.[4] The group’s pursuit of destruction in Ukraine spread globally in 2017\r\nwith the NotPetya attack, which inflicted $10 billion of damage to companies including international firms such as\r\nMaersk, Merck and Mondelēz, and underscores the risk of this actor’s operations to the global digital ecosystem.\r\n[5]\r\nThe wave of Russian destructive cyberattacks that began on February 23, and subsequent destructive attacks\r\nagainst Ukrainian targets in support of the Russian war effort have been the responsibility of IRIDIUM, as we\r\nhave previously reported.[6] In October, IRIDIUM’s destructive attacks against Ukrainian critical services\r\nnetworks spiked, after two months of little to no wiper activity. 
As the Ukrainian counteroffensive progressed and\r\nwinter approached, Microsoft observed that IRIDIUM deployed Caddywiper and FoxBlade wiper malware to\r\ndestroy data from networks of organizations involved in power generation, water supply and the transportation of\r\npeople and goods. The predominant focus was on the Kyiv region, as well as the southern and central-eastern\r\nregions of the country, where the physical conflict has been the most intense.\r\nCyber and missile strikes on transportation and logistics companies may interfere with the transportation of\r\nweapons and supplies. However, such attacks can also disrupt the passage of humanitarian aid to Ukrainian\r\ncitizens, compounding the harm from curtailing the supply of electricity.\r\nThis tactic of targeting civilian infrastructure has been in play since the beginning of the conflict. Of the roughly\r\n50 Ukrainian organizations that Russian military operators have hit with destructive wiper malware since February\r\n2022, 55% were critical infrastructure organizations, including in the energy, transportation, water, law\r\nenforcement and emergency services, and health care sectors.\r\nIn most instances, threat actors have deployed wipers against the business networks of the targeted critical\r\ninfrastructure organizations. However, operational technology networks are also vulnerable. 
For example,\r\nIRIDIUM attempted to inflict severe damage on energy production in April by targeting the industrial control\r\nsystems (ICS) of a Ukrainian energy provider.[7] Quick action by CERT-UA and international partners thwarted\r\nthe attack, but the risk of future ICS attacks that would disrupt or destroy the productive capacity of Ukrainian\r\npower or water infrastructure is high.\r\nRussian cyberattacks extend outside Ukraine\r\nRussian cyber strikes extended outside Ukraine in October, when IRIDIUM deployed its novel Prestige\r\nransomware against several logistics and transportation sector networks in Poland and Ukraine.[8] This was the\r\nfirst war-related cyberattack against entities outside of Ukraine since the Viasat KA-SAT attack at the start of the\r\ninvasion.[9]\r\nThe Prestige event in October may represent a measured shift in Russia’s cyberattack strategy, reflecting a\r\nwillingness by Moscow to use its cyberweapons against organizations outside Ukraine in support of its ongoing\r\nwar. Since Spring 2022, Microsoft has observed that IRIDIUM and suspected Russian state operators have\r\ntargeted transportation and logistics organizations across Ukraine in probable attempts to collect intelligence on or\r\ndisrupt the flow of military and humanitarian aid through the country. But these recent attacks in Poland suggest\r\nthat Russian state-sponsored cyberattacks may increasingly be used outside Ukraine in an effort to undermine\r\nforeign-based supply chains.\r\nIRIDIUM’s success in the Prestige destructive attack was limited. 
Early customer notifications and rapid response,\r\nincluding from Microsoft’s Detection and Response Team (DART) and the Microsoft Threat Intelligence Center\r\n(MSTIC), along with local incident responders in Poland, reportedly helped contain the attack’s impact to less\r\nthan 20% of one targeted organization’s network. However, while the destructive impact was limited, IRIDIUM\r\nalmost certainly collected intelligence on supply routes and logistics operations that could facilitate future attacks.\r\nPerhaps in part because the impact was successfully limited by the defenders and responders in this instance,\r\ninternational outcry against this new extension of the hybrid war beyond the borders of Ukraine has been muted.\r\nNevertheless, this attack highlights the continued risk of Russian destructive cyberattacks to European\r\norganizations that directly supply or transport humanitarian and military assistance to Ukraine.\r\nCyber-enabled influence operations seek to fuel real-world discord across Europe\r\nThis winter, European populations seeking to keep warm amid energy shortages and heightened inflation will\r\nlikely be targeted by Russian attempts to stir up and potentially mobilize grievances through cyber-enabled\r\ninfluence operations.\r\nSuch operations offer the Kremlin a more deniable but nonetheless effective method of shaping discourse around\r\nconflict and major geopolitical events. Russia’s “active measures” approach involves infiltrating the constituencies\r\nof Kremlin adversaries while elevating candidates and officials who share Russia’s preferred foreign policy\r\npositions. 
Since 2014, Russia has sought to achieve its objectives “through the force of politics, rather than the\r\npolitics of force,”[10] across democratic contests including the 2016 Brexit referendum and elections in the US,\r\nFrance and Germany, among others. Russia has also exploited political, economic and social divisions to mobilize\r\ncitizens and even incite violence inside democracies. It is likely that these tools will be deployed in Europe and\r\nglobally to reduce support for Ukraine’s defense.\r\nRussia has a well-established ability to sway public opinion both in the U.S. and Europe through cyber-enabled\r\ninfluence operations. In 2016, the Internet Research Agency in St. Petersburg, known better as the Russian “troll\r\nfarm,” famously orchestrated protests in Texas[11] and Florida.[12] Earlier that same year, Russian state media\r\nran a story about an alleged assault of a young girl by migrants in Germany – accusations later disproved – and\r\npromoted the narrative that the German government had deliberately concealed the truth. The subsequent media\r\nflurry sparked a series of protests within Germany’s sizeable Russian diaspora, who were outraged by what they\r\nwere being told was failure on the part of the German justice system.[13]\r\nIn 2018, the same Kremlin trolls involved in the 2016 US presidential election amplified the “yellow vest”\r\nprotests in France. Russia did not organize these protests, but its online campaigns elevated calls to protest\r\nPresident Emmanuel Macron’s government by using a blend of overt, state-sponsored media to promote the cause\r\nwhile boosting the movement’s hashtag #giletsjaunes via covert accounts online.[14]\r\nOur Digital Threat Analysis Center (DTAC) team closely tracks cyber-enabled influence operations. 
Protests in\r\nEurope this fall related to energy, inflation, and the war in Ukraine broadly – and their steady promotion by\r\nRussian propaganda outlets – foreshadow additional operations we may encounter this winter in support of\r\nRussian objectives by seeking to increase European dissatisfaction with energy supply, energy pricing and\r\ninflation.[15] If energy and electricity disruptions in Ukraine lead to more refugees throughout Europe, Russian\r\ncyber-enabled influence operations may seek to increase frictions over migration to create intra- and inter-country\r\nconflicts – a theme visible in the Kremlin’s campaigns over the last decade as refugees fled to Eastern and Central\r\nEurope during the Syrian Civil War.[16]\r\nIn the coming months, European nations will likely be subjected to a range of influence techniques tailored to\r\ntheir populations’ concerns about energy prices and inflation more broadly. Russia has focused and will likely continue to\r\nfocus these campaigns on Germany, a country critical for maintaining Europe’s unity and home to a large Russian\r\ndiaspora, seeking to nudge popular and elite consensus toward a path favorable to the Kremlin.[17] Strong\r\nconnections between Kremlin-affiliated ideologues and Germany’s far right will likely be leveraged both online\r\nand offline in campaigns targeting German audiences with hardline narratives on the war in Ukraine as well as\r\ncriticism of the government’s handling of the energy crisis.[18]\r\nRecent quantitative analyses support these assessments. Microsoft’s AI for Good Lab has created a Russian\r\nPropaganda Index (RPI) to monitor the consumption of news from Russian state-controlled and state-sponsored\r\nnews outlets and amplifiers. This index measures the proportion of this propaganda flow to overall news traffic on\r\nthe internet. 
The RPI in Germany currently is the highest in Western Europe, over three times the regional\r\naverage.\r\nHigher Russian propaganda consumption in Germany may be in part due to decades of Russian investment in soft\r\npower and public diplomacy targeting the country, home to one of the largest Russian diaspora populations in\r\nEurope. The express purpose of many of these soft power organizations is to create people-to-people and party-to-party\r\nties between the two countries, and several Russian state-sponsored media outlets have been based in Germany.\r\n[19] Germany’s large Russian-speaking population, estimated at nearly 6 million people, makes Russian cyber-enabled influence operations and propaganda published in both Russian and German more accessible to German\r\naudiences.[20] Meanwhile, German policy since the end of the Cold War, during which time Soviet and East\r\nGerman active measures efforts were conducted synergistically,[21] has sought a normalization of relations with\r\nRussia bolstered by economic cooperation, with no greater example than the Nord Stream 2 natural gas pipeline.\r\nU.S. sanctions against this project, unpopular in both Russia and Germany, gave anti-Western and pro-Russian\r\npropaganda and influence operations, particularly on economic and energy topics, a more sympathetic audience.\r\n[22]\r\nThroughout Western Europe, readers are exposed to Russian propaganda on both Russian-language sites –\r\nincluding Russian state-owned media sites – and local-language, pro-Russia sites. Consumption of local-language\r\nsites in Germany is three times higher than the Western European average, in keeping with Germany’s high levels\r\nof Russian propaganda consumption in the aggregate. In Germany, the local-language sites that generate the most\r\ntraffic are anti-spiegel.ru, uncutnews.ch and the German-language edition of Russia Today (RT), de.rt.com.\r\nLocal sites focus more attention on local issues. 
Anti-Spiegel in particular has focused its content on leveraging\r\nthe current economic climate to promote the Kremlin and vilify the West. The headlines of its three most-read\r\narticles, for example, from the last four months are:\r\n1. “That the US wants to destroy the German economy is considered a conspiracy theory and Russian\r\npropaganda, but it is obvious.”[23]\r\n2. “The Nord Stream pipelines have been blown up and the Western media are staging what is arguably the\r\nstupidest propaganda operation ever.”[24]\r\n3. “I am often asked why I am so convinced that Russian President Putin is not part of [the World Economic\r\nForum] \u0026 Co. and its new world order. Here I want to answer that.”[25]\r\nAside from Germany, many other European nations may also need to reckon with the combined weight of Russian\r\nmeddling and organic popular discontent. Earlier this year, Russia-affiliated threat actor SEABORGIUM (which\r\noverlaps with threat groups tracked as Callisto Group, TA446 and COLDRIVER) targeted the UK, utilizing\r\nallegedly stolen material to sow distrust in the British government,[26] while pro-Russia media like Modern\r\nDiplomacy and Strategic Culture Foundation, an outlet directed by the Russian Foreign Intelligence Service\r\n(SVR),[27] publish content alleging British involvement in the Kerch Strait Bridge explosion.[28]\r\nOngoing protests in the Czech Republic, meanwhile, have promoted Russia’s talking points on energy and are\r\nrepeatedly featured in Russian state-owned and state-affiliated media.[29] Ladislav Vrábel – one of the organizers\r\nof the protest movement Czech Republic First – has been a repeated guest on Russian media such as Sputnik\r\nNews since protests began,[30] while PolitNavigator – a Russian-language site reportedly directed by the FSB[31]\r\n– sent a correspondent to cover the protests from the beginning.[32] Further, among public figures who 
supported\r\nand spoke at the demonstrations are several politicians with long and well-documented records of pro-Russian\r\nactivity, such as unofficial trips to occupied Crimea and high-level involvement with Kremlin-funded biker gang\r\nNight Wolves.[33]\r\nFrance, not as reliant on Russian gas as its neighbors, is perhaps less vulnerable to energy-related influence.\r\nHowever, there is an ongoing risk that Russian agencies will seek to meddle in French affairs through inauthentic\r\nsocial media campaigns – building on previous efforts[34] and its success seeding and exploiting anti-French\r\nsentiment throughout Africa via propaganda, fake think tanks, and local engagement – which point to Russia’s\r\nwillingness to undermine French leadership.[35] Finally, Italy, with rising energy costs,[36] emerges as an additional\r\ntarget.\r\nDefending the digital domain this winter: A way forward\r\nIn our June 2022 report, Defending Ukraine: Early Lessons from the Cyber War, Microsoft offered a methodology\r\nfor combating digital threats. Multidimensional threats require multidimensional defenses. At Microsoft, we’ve\r\nbuilt our approach around “Four Ds” to counter malicious cyber and influence activity. Throughout the winter and\r\ninto 2023, we will be working with our customers and in support of democracies to:\r\nDetect: Collectively identify, across Microsoft’s threat intelligence teams, those cyber actors that may\r\nstrike at supply chains supporting Ukraine and the energy industry keeping Europe warm this winter. We\r\nwill also evaluate cyberattacks to determine which are designed to limit support and supplies to Ukraine\r\nand which may be part of broader hack-and-leak operations designed to undermine unity of support for\r\nUkraine. 
For customers, we’ll preemptively evaluate and assess potential risks to those that may be targets\r\nof Russia or other nation state threat actors. This vulnerability assessment will closely evaluate\r\ntransportation, defense and energy companies Microsoft serves to help increase the collective speed of\r\ndetection and response. Microsoft will also continue to track and identify Russian cyber-enabled influence\r\noperations, publishing our findings to notify the public and industry partners to improve information\r\nintegrity of our own platforms and broader detection efforts.\r\nDisrupt: Microsoft’s Threat Intelligence Center (MSTIC) will alert customers and the public to emerging\r\ncyber methods enabling the entire ecosystem to rapidly employ sensors, patches, and mitigations. Where\r\nwe encounter cyber-enabled influence campaigns, we will pursue a similar strategy, shining a light on\r\noperations aimed at creating doubt, distrust or dissent within Ukraine or across its partners seeking to\r\nundermine support for Ukraine. Our team will share this information with our customers and the public to\r\ncounter these operations and lessen their impact.\r\nDefend: Microsoft will increase the collective defenses of the broader cyber ecosystem through increased\r\ninformation sharing and improved technology to defend against Russian threats and address vulnerabilities.\r\nOur teams will continue to support nonprofits, journalists and academics both within Ukraine and across\r\nallies, allowing those partners to broaden their defense of the information ecosystem. 
For example,\r\nMicrosoft recently partnered with International Media Support (IMS) and the Center for Strategic\r\nCommunication and Information Security within Ukraine to improve rapid information sharing and\r\nresponse between the private sector, NGOs and journalists within Ukraine through a dedicated secure\r\ncommunications hub.\r\nDeter: Microsoft has been dedicated for more than a decade to securing international norms for\r\ncyberspace. This winter, our Digital Diplomacy and Democracy Forward teams will work with affected\r\ncustomers and their representative governments to push for unified action to protect our customers’ supply\r\nchains against nation state attacks. And we will continue our ongoing efforts to provide actionable threat\r\nintelligence to entities targeted or compromised by Russian actors in Ukraine and in the countries\r\nsupporting its defense.\r\nFinally, for customers, Microsoft encourages the use of strong cyber hygiene and the latest detection and response\r\ntechnology to reduce vulnerabilities to and recover from cyberattacks – a listing of these specific\r\nrecommendations can be found in the recently released Microsoft Digital Defense Report (MDDR) 2022.[37]\r\nUkraine has fought a brave defense both online and on-the-ground against a merciless Russian assault. 
With the\r\nhelp of its partner nations, companies and democratic citizens, we all can ensure that Ukraine and Europe’s\r\ninfrastructure is protected and democracy resilient in the face of authoritarianism this winter.\r\n[1] Cyber-enabled influence operations refer to targeted, online information campaigns designed to shift public\r\nopinion through manipulative or subversive means.\r\n[2] https://www.msn.com/en-us/news/world/russian-strikes-on-ukraine-leave-most-of-kyiv-without-running-water/ar-AA13zw4A, https://www.axios.com/2022/10/31/russia-strikes-ukraine-kyiv-water\r\n[3] Following the attack, Dmitry Peskov, Russian President Vladimir Putin’s press secretary, implied Russia’s\r\nintention with its strikes on Ukraine’s critical infrastructure is to force President Zelenskyy to negotiate.\r\n[4] https://www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/\r\n[5] https://www.darkreading.com/threat-intelligence/3-years-after-notpetya-many-organizations-still-in-danger-of-similar-attacks\r\n[6] https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/\r\n[7] https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/;\r\nhttps://cert.gov.ua/article/39518\r\n[8] https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/\r\n[9] https://techcrunch.com/2022/05/10/russia-viasat-cyberattack/\r\n[10] https://securingdemocracy.gmfus.org/so-what-did-we-learn-looking-back-on-four-years-of-russias-cyber-enabled-active-measures/\r\n[11] https://www.dallasnews.com/news/politics/2019/10/08/russian-trolls-orchestrated-2016-clash-houston-islamic-center-senate-intel-report-says/\r\n[12] https://www.thedailybeast.com/russians-appear-to-use-facebook-to-push-pro-trump-flash-mobs-in-florida\r\n[13] https://www.reuters.com/article/us-germany-russia-idUSKCN0VA31O, 
https://www.bbc.com/news/blogs-eu-35413134\r\n[14] https://www.theguardian.com/world/2018/dec/17/gilets-jaunes-grassroots-heroes-or-kremlin-tools\r\n[15] https://www.politnavigator.news/fiala-ty-idiot-reportazh-s-prorossijjskogo-mitinga-v-chekhii.html\r\n[16] https://www.vice.com/en/article/y3pqwk/russia-propaganda-rt-ukraine-refugees,\r\nhttps://www.atlanticcouncil.org/blogs/ukrainealert/six-outrageous-lies-russian-disinformation-peddled-about-europe-in-2016/, https://www.dw.com/en/russia-uses-the-refugee-crisis-for-propaganda/a-18989796;\r\nhttps://www.atlanticcouncil.org/blogs/syriasource/russia-s-disinformation-campaign-has-changed-how-we-see-syria/\r\n[17] https://www.politico.eu/article/russia-influence-ukraine-fake-news; https://www.dw.com/en/russian-disinformation-threat-looms-large-over-cold-german-winter/a-63096336\r\n[18] https://sputniknews.com/20220819/germany-should-immediately-launch-nord-stream-2-bundestag-vice-speaker-says-1099755921.html, https://www.rt.com/business/559754-horror-chart-germany-energy-crisis,\r\nhttps://www.rt.com/news/559740-german-mayors-nord-stream-letter, https://www.rt.com/business/567368-germany-russian-gas-alternatives\r\n[19] https://www.csis.org/analysis/kremlin-playbook, https://www.thedailybeast.com/grassroots-media-startup-redfish-is-supported-by-the-kremlin, https://www.reuters.com/world/europe/exclusive-russian-news-agency-berlin-faces-staff-exodus-over-ukraine-invasion-2022-02-28\r\n[20] https://www.dw.com/en/germanys-russian-community-faces-harassment-and-hostility/a-61055867\r\n[21] https://www.wilsoncenter.org/blog-post/operation-denver-kgb-and-stasi-disinformation-regarding-aids,\r\nhttps://www.wilsoncenter.org/publication/kgbstasi-cooperation\r\n[22] https://www.nytimes.com/2022/12/02/world/europe/germany-russia-nord-stream-pipeline.html\r\n[23] 
https://www.anti-spiegel.ru/2022/mit-hilfe-der-gruenen-die-usa-planen-die-zerstoerung-der-deutschen-wirtschaft/\r\n[24] https://www.anti-spiegel.ru/2022/nord-stream-gesprengt-die-wohl-duemmste-propaganda-aller-zeiten/\r\n[25] https://www.anti-spiegel.ru/2022/sitzt-putin-mit-schwabs-weltwirtschaftsforum-co-in-einem-boot/\r\n[26] https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/\r\n[27] https://home.treasury.gov/news/press-releases/jy0126\r\n[28] https://moderndiplomacy.eu/2022/10/14/the-grayzone-ukraine-blew-up-kerch-bridge-british-spies-plotted-it,\r\nhttps://strategic-culture.org/news/2022/10/13/before-ukraine-blew-up-kerch-bridge-british-spies-plotted-it\r\n[29] https://cz.sputniknews.com/20221122/dalsi-rozpoutani-valky-je-zradou-vuci-cechum-vrabel-rekl-kdo-je-zodpovedny-za-umrti-na-ukrajine–18906016.html, https://www.rt.com/news/565552-czech-protestors-demand-pm-resign/, https://cz.sputniknews.com/20221028/vrabel-ceska-vlada-hraje-valecny-fotbal-kdy-fandi-jedne-strane-proti-druhe-nemuzeme-si-to-dovolit-18803610.html, https://cz.sputniknews.com/20221025/havel-prioritou-vlady-ma-byt-pomoc-cechum-abychom-mohli-pomahat-druhym-musime-nejprve-pomoci-sobe-18789293.html\r\n[30] https://www.idnes.cz/zpravy/domaci/vrabel-rusko-omluva-ukrajina-demonstrace.A220909_143314_domaci_vapo, https://odysee.com/@Sputnjik.Srbija:7/Sputnjik-Intervju—Ladislav-Vrabel:6, https://www.tydenikhrot.cz/clanek/cesko-by-se-melo-orientovat-na-moskvu-tvrdi-organizator-protivladnich-protestu-vrabel\r\n[31] https://apnews.com/article/russia-ukraine-coronavirus-pandemic-health-moscow-media-ff4a56b7b08bcdc6adaf02313a85edd9\r\n[32] https://www.politnavigator.net/fiala-ty-idiot-reportazh-s-prorossijjskogo-mitinga-v-chekhii.html\r\n[33] 
https://manipulatori.cz/jaroslav-foldyna-a-jeho-nocni-vlci-a-srbsti-nacionaliste/,\r\nhttps://www.lidovky.cz/domov/putinovi-nocni-vlci-dorazili-do-prahy.A190506_122904_ln_domov_zdp,\r\nhttps://blog.aktualne.cz/blogy/roman-maca.php?itemid=39721, https://www.idnes.cz/zpravy/zahranicni/bitva-o-stalingrad-vyroci-75-volgograd-putin-vojenska-prehlidka.A180202_134302_zahranicni_PAS,\r\nhttps://www.parlamentnilisty.cz/arena/rozhovory/Rusku-zapadni-sankce-skutecne-nadmiru-prospivaji-Komunista-Skala-se-vratil-z-Ruska-a-toto-vse-tam-videl-549240, https://hlidacipes.org/__trashed/,\r\nhttps://zpravy.tiscali.cz/na-navstevu-za-chirurgem-sef-nocnich-vlku-prijima-hosty-na-krymu-pozval-i-slovenskeho-prezidenta-kisku-316604, https://www.theguardian.com/world/2015/may/08/pro-putin-bikers-russia-night-wolves-state-funds\r\n[34] https://www.bbc.com/news/blogs-trending-39845105, https://www.politico.eu/article/france-election-2017-russia-hacked-cyberattacks, https://www.theguardian.com/technology/2022/sep/27/meta-takes-down-influence-operations-run-by-china-and-russia, https://www.dw.com/en/frances-yellow-vests-and-the-russian-trolls-that-encourage-them/a-46753388\r\n[35] https://home.treasury.gov/news/press-releases/jy0126, https://www.4freerussia.org/wp-content/uploads/sites/3/2020/09/The-Company-You-Keep-Yevgeny-Prigozhins-Influence-Operations-in-Africa.pdf\r\n[36] https://www.reuters.com/business/energy/italys-regulated-household-electricity-prices-rise-59-q4-arera-2022-09-29/#:~:text=According%20to%20the%20regulator%2C%20the,inflation%20hit%209.1%25%20in%20August.,\r\nhttps://www.reuters.com/business/energy/italy-spend-100-bln-euros-this-year-import-energy-2022-09-03/\r\n[37] https://www.microsoft.com/en-us/security/business/security-insider/threat-guidance/using-cybersecurity-to-help-manage-volatility-in-the-global-threat-landscape/\r\nTags: Microsoft Threat Analysis Center\r\nSource: 
https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/"
	],
	"report_names": [
		"preparing-russian-cyber-offensive-ukraine"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434911,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b80372b5383ae77c492fa41afb97df8df505abc.pdf",
		"text": "https://archive.orkl.eu/4b80372b5383ae77c492fa41afb97df8df505abc.txt",
		"img": "https://archive.orkl.eu/4b80372b5383ae77c492fa41afb97df8df505abc.jpg"
	}
}