Hand and Glove: How Authoritarian Cyber Operations Leverage Non-state Capabilities

Probing the safe-haven promise

International law enforcement efforts have repeatedly pursued criminals operating from the perceived safety of Russian territory. In what appeared to be an auspicious case of collaboration with the Russian Federal Secu­rity Service (FSB), agents from the FBI and the US Secret Service went to Moscow in 2009 to witness the planned arrest of Roman Seleznev, who had been behind the large-scale online theft of credit card infor­mation. Because of his connections, Selez­nev was a test case for the safe haven assur­ances of the Russian authorities: by his own admission, he had secured protection from the cybercrime division of the FSB. After being tipped off by his FSB contacts, Selez­nev escaped arrest in 2009; but at the re­quest of the US, he was ultimately appre­hended in 2014 while vacationing in the Maldives. He was subsequently sentenced by a US court to twenty-seven years in prison. Having strayed beyond Russia’s pro­tection, Seleznev was one of a handful of Russian hackers serving a sentence abroad until his release as part of a prisoner ex­change in August 2024.

Since Seleznev’s arrest and sentencing, law enforcement actions have evolved to take into account the low likelihood that such successes can be repeated. Operation Endgame, the largest international law-enforcement crackdown on cybercrime to date, has expanded beyond arrest warrants to the dismantling of the tools and attack infrastructure of criminal groups as impact vector. In the second phase of the crackdown, German law enforcement working together with international partners recently issued arrest warrants for twenty actors, mainly Russia-based, who are unlikely to leave their safe haven. Although BKA communi­cations about Operation Endgame promi­nently cite these arrest warrants, there are different success indicators for taking down criminal infrastructure. Disruptive objec­tives are measured in metrics such as the number of servers seized and domains shut down during Operation Endgame – 300 and 650, respectively – these being the means with which criminals control intru­sion tools and compromise victim systems.

The fact that, in parallel, the US unsealed overlapping indictments against seventeen actors underscores the low probability of the supporting US warrants resulting in arrests. Typically, such charges are kept secret to allow for unsuspecting offenders to be detained – for example, during trips to cooperating jurisdictions, as in the case of Seleznev. The indictments in May 2025 were filed back in 2022 and had not led to any arrests in the interim.

From laissez-faire to state capture

The laissez-faire perspective on safe havens puts the emphasis on the advantages gained by criminal actors. For their part, Russian intelligence services have sought to lean on capabilities and actors operating under their umbrella – either by coercion, through symbiosis or as paying customer.

Criminal groups proclaiming support for the Kremlin following Russia’s full-scale in­vasion of Ukraine has further focused atten­tion on what intelligence services receive in return for providing sanctuary. Shortly after Trickbot had pledged allegiance in February 2022, leaked internal chats of the group revealed that, at least since the spring of 2021, it had been communicating with the FSB about targeting regime critics. Since then, the war on Ukraine has put significant pressure on the resources of Russia’s offen­sive cyber units, which, in turn, has boosted the relevance of the criminal underground as a comparatively cheap source of assets.

However, reports about FSB efforts to make use of cybercriminals long precede the war. In 2017, the United States indicted Aleksey Belan, a hacker of Latvian and Rus­sian nationality, and his two FSB handlers. The charges brought against these individ­uals officially documented for the first time the Russian authorities’ practice of using cybercriminals.

In early 2014, the FSB approached Belan to break into the system of the technology company Yahoo and obtain credentials for at least 500 million email accounts, includ­ing those of journalists and government officials. At the time, Belan had already been on the radar of European law enforce­ment and had even spent time in custody. Indicted twice (in 2012 and 2013), he was detained in Greece in 2013 on a US arrest warrant. After being released on bail, he managed to flee to Russia. Just two months before he was approached by the FSB in January 2014, Belan had been added to the “Cyber’s Most Wanted” list of the FBI. From the perspective of his FSB handlers, neither the criminal charges brought against Belan nor his run-ins with law enforcement posed an obstacle for clandestine operations. On the contrary, Belan’s criminal notoriety pro­vided deep cover for the intelligence agents steering the operations.

The responsibilities of the FSB Centre for Information Security – also known as Centre 18 and by its military unit number 64829 – are emblematic of a structural design that facilitates the interlacing of state objectives and criminal activities. Offi­cially, Centre 18 serves as the FSB’s cyber­crime unit; but the information it collects is also used to identify criminal hackers (such as Aleksey Belan) as possible recruits for agency projects. At the same time, Centre 18 oversees a cyber espionage programme of its own. State-led groups under its direc­tion include Star Blizzard, which, since at least 2019, has been tasked with gathering intelligence on civil society organisations and defence and government targets in NATO countries. Further, it is thought that Centre 18 coordinates the activities of Gamaredon, a cluster of FSB officers in Crimea that have been conducting operations against the authorities and critical infrastructure of Ukraine in support of Russia’s occupation of the peninsula.

Appropriation of tools

FSB efforts to co-opt criminal actors, as in the case of Aleksey Belan, are complemented by attempts across the Russian intelligence services to adopt and adapt criminal tools. The bid to blend into the criminal landscape became most evident during the destructive wave of the NotPetya cyber­attack in June 2017. Attributed to Unit 74455 of Russia’s military intelligence ser­vice (GRU), NotPetya leveraged the encryp­tion framework of an existing ransomware tool, while making modifications for un­controlled propagation with no technical possibility of decryption in order to increase the capacity for causing permanent damage.

A lower-profile attempt at criminal camouflage observed in 2024 for a separate GRU unit relies on access data sourced from underground markets. Tracked as “Void Blizzard”, the hacking department of Unit 26165 specialises in the purchase of stolen credentials to infiltrate high-value targets across NATO and EU member states, includ­ing foreign and defence ministries, defence companies, technology firms with government clients, political parties and journalists. In the assessment of the Dutch intelli­gence services AIVD and MIVD, the group’s use of criminal resources makes it difficult to distinguish its activities from those of other known Russian actors.

Such tactics have economic ramifications. The state’s interest in acquiring or licencing capabilities, rather than engineering them, generates new market demand. Criminal developers cater directly to this demand with tailored offerings. For exam­ple, the Russia-based network behind DanaBot, which is used to steal information and load additional malware onto infected devices, created two versions of its tool. One version, targeted at criminal affiliates, enables the deployment of ransomware or initial access for fraudulent purposes. The other version, designed for espionage, was made available to unidentified threat actors (possibly state actors) who used it to steal confidential communications extracted from military, diplomatic, government and non-government targets. As an additional precaution to preserve exfiltrated informa­tion in the event of discovery, data chan­nelled through the espionage pipeline was stored exclusively in Russia.

An expendable and expandable resource

The integration of non-state actors and tools into the offensive cyber programme of the Russian intelligence services stands out as a concerning development against the back­ground of the reported use of “disposable agents” to assist with physical sabotage at­tempts across Europe. Western security offi­cials in late 2024 revealed that a network of proxies had been recruited by the GRU to carry out the final stages of a plot to plant explosive packages on cargo planes headed for North America. Enlisting such proxies is part of a concerted effort to minimise the loss of intelligence service assets and limit the diplomatic fallout in the event of detection.

Moreover, diversification away from state assets is in keeping with tactics to reduce the risk of detection in the first place. From an operational security perspective, the goal has been to turn a weakness into a strategic advantage. On-demand recruitment and the decentralised organisation of proxies allow for the compartmentalisation of tasks, which means that discovery of one node does not imperil other parts of the network.

Just as the deployment of proxy networks for physical operations aims to offset the travel restrictions in Europe faced by Russian operatives, so the use of criminal assets in cyber operations seeks to overcome limitations by covering digital foot­prints. Rotating in previously undocumented actors or deploying capabilities associated with non-state groups are part of a concerted attempt to blur the lines of continuity in state-sanctioned activity.

The cyber operations units of Russia’s in­telligence services have become among the most extensively tracked threat actors since a number of their members and leaders were named in criminal indictments. Be­cause of the close scrutiny to which they are now subject, these groups risk early discovery, which may necessitate the costly redesigning of plans and a slower operational tempo. The use of proxies deliberately expands the landscape of threat actors in order to misdirect investigative efforts. Putt­ing analytic resources under additional strain may delay the uncovering of malicious activities and their strategic objectives.

To ensure situational awareness and the ability to impose costs on malicious actors, the response tools need to be recalibrated to the strategic switch points in the coordi­nation of state and non-state capabilities.

Escalation control

The PRC leadership reasserted command over the cyber capabilities of the People’s Liberation Army (PLA) as part of two wider restructurings of the armed forces. After an initial reorganisation launched in December 2015 had pooled most cyber capabilities within the Strategic Support Force, a sub­sequent reform in April 2024 further con­solidated technical reconnaissance capabil­ities across PLA services. Under this revised structure, cyber components have been ele­vated to a dedicated Cyberspace Force but placed under the direct supervision of the Central Military Commission. In a bid to ensure discipline, the Cyberspace Force cen­tralises control previously dispersed across PLA regional commands. The overall stra­tegic focus of the new Cyberspace Force following the reorganisation is to develop offensive cyber capabilities and plan what could prove highly escalatory operations that put critical infrastructure of target coun­tries at risk.

Risk acceptance

For operations below the threshold of the use of force – especially sustained efforts to collect information on targets of political and economic interest – responsibility has been delegated to the MSS and the contractor model it oversees. This fleet of contractors, managed by “digital quartermasters” that coordinate the assigned tasks, has evolved into an ecosystem of more than 100 com­panies. The proliferation of actors involved has led to the emergence of complex net­works and overlaps in private and state-sponsored activity.

The close cooperation between clusters such as I-Soon, APT27 and Silk Typhoon highlights the difficulty of disentangling operational relationships between contractors and state actors. This applies, in particu­lar, when contractors not only develop tools but actively compromise overseas targets. Part of the business model of contractors is the development of shadow infrastructure by meshing together hijacked network equip­ment (so-called ORBs) of unwitting organi­sa­tions in third countries. Channelling opera­tions through ORBs provides state actors with the means to obfuscate their activities.

For the high-confidence identification of state-sanctioned actions, careful parsing is required, as contractors are liable to pursue financially motivated activities on their own accord – for example, by using access points to drop ransomware. These osten­sible criminal crossovers may be either delib­erate or symptomatic of the clash of divergent (state, company or individual) in­terests. Threat actors may opportunistically seek to monetise access before they are locked out of compromised systems. Or they may endeavour to misdirect investigative efforts by making the compromise appear to have been financially motivated. Irrespective of whether ransomware deploy­ments are carried out for profit or to avoid detection, the sensitive access the MSS en­courages contractors to develop illustrates the risks that such destructive pivots pose. With contractors crowding the operational space, the risks for miscalculations increase.

In April 2020, a security researcher work­ing for the contractor Sichuan Silence used a novel vulnerability to target 81,000 fire­walls and break into the organisations pro­tected by those devices. To cover up intru­sions, the researcher deployed ransomware when remediation efforts were detected. The indiscriminate nature of these clean-up at­tempts has potentially far-reaching conse­quences. In 2024, the US Treasury noted in a sanctions communication that without preventive measures, the ransomware could have caused the malfunctioning of oil rigs operated by a targeted US energy company, endangering the lives of its employees. This incident highlighted the potential for col­lateral damage, underscoring the risks that are outsourced to contractors engaged in the de­velopment of shadow infrastructure. More critically, the prioritisation of deni­ability and the disparate risk-evaluation pro­cesses across the contractor ecosystem may lead to inadvertent high-risk accept­ance by the MSS quartermasters tasked with over­seeing that system.

Bridgehead beyond borders

Owing to limited connectivity and regime control over telecommunications infrastructure, cyber activities conducted from within the DPRK are comparatively trace­able. To blend in, DPRK groups have ex­panded geographically as they scout for safe operational spheres in neighbouring China and Southeast Asian countries.

Similarly, Pyongyang’s concerted campaign to plant North Korean IT specialists working undercover at international firms requires a personal and physical footprint outside the DPRK. Although North Korean IT professionals seek out remote work arrange­ments, the scheme relies on what are often unwitting facilitators in-country that set up laptops or file employment records. Through the development of this support network, a bridgehead of laptop farms has been estab­lished across at least eight states in the US and in Europe – the cybersecurity firm CrowdStrike has identi­fied clusters in the United Kingdom, Poland and Romania.

In late 2024, individual operatives began to deviate from this playbook, originally con­ceived to generate revenue for the regime, by threatening upon discovery to publish stolen data in order to extract maximum financial value. The Google subsidiary Mandiant considered this extortionist shift to be part of an exit scheme. For its part, the security firm DTEX observed that in rare instances, extortion extended to the explicit threat of network access being given to North Korean APTs for further exploitation.

Repatriating knowledge

In March 2025, the RGB began to set up a new offensive research centre with a focus on “developing offensive hacking technol­ogies and programmes”. The goal is to “respond immediately to real-time informa­tion from RGB hacking groups deployed overseas”. Research Centre 227 recognises the value offered by the access and visibility achieved through the bridgehead abroad. Its creation points to a strategic interest in harnessing the lessons learned from those deployments in order to refine and advance the DPRK’s cyber capabilities overall.