Russian cybercrime continues as government-backed attacks on companies dwindle, CrowdStrike says

Russian government-backed groups have turned their attention elsewhere, while the local ransomware scene thrives.
A spider spins a web in a garden outside Moscow on June 4, 2021. (Photo by YURI KADOBNOV/AFP via Getty Images)

The Russian approach to hacking shifted considerably over the past year, with state-sponsored attacks on commercial organizations dropping off even as the local cybercrime scene dominated the field, CrowdStrike said in a report Wednesday.

From July 2020 to June of this year, Russian state-backed hacking outfits accounted for only a tiny sliver of nation-sponsored attacks aimed at commercial enterprises detected by the cyber firm’s threat hunting service, at 1% compared to China’s 69%. (The figure represents the findings from only one threat intelligence firm, and does not account for hacking campaigns that CrowdStrike might have missed.)

Meanwhile, the suspected Russia-based hacking group that CrowdStrike calls Wizard Spider, which has used the Ryuk ransomware since 2018, was responsible for twice as many detected intrusion attempts as any other cybercrime gang over the same period.

While CrowdStrike didn’t have comparison figures on the percentages of state-sponsored attacks on commercial organizations from past years, the company said there has been a change.

“Russian state-sponsored attack activities are still high but the focus has shifted from commercial organizations … to geopolitical targets such as think-tanks, journalists, dissidents,” said Param Singh, vice president of Falcon OverWatch, CrowdStrike’s threat platform. “As noted in the report, other state nexus groups from China, Iran and North Korea have been more active against commercial targets.”

The company also observed an uptick in suspected but unattributed nation-state backed intrusions, which accounted for 20% of all foreign government-sponsored attacks. It’s an apparent indication that financially-motivated hackers and nation-state groups are relying on more of the same tools, making attribution more difficult, Singh said.

Wizard Spider’s dominance continues a trend of Russian ransomware gangs overshadowing the cybercrime scene. One group, REvil, accounted for more than 40% of all known ransomware attacks before it suddenly went quiet, according to Recorded Future — although it’s recently shown signs of a possible revival.

A spree of high-profile, Russia-based ransomware attacks rose to the level of White House attention over the summer, with President Joe Biden publicly and privately calling on Russian President Vladimir Putin to halt the attacks emerging from within his borders.

While Russian government officials have repeatedly and uniformly denied all U.S. claims about malicious cyber activity, researchers say that the government tolerates cybercrime gangs as long as they don’t aim at domestic targets.

Another major trend in the CrowdStrike report is the degree to which nation-linked attacks on the telecommunications sector took off, outpacing attacks against all other industries at 40% of the total. Attacks targeting telecom companies doubled from the prior year, although other industries saw higher percentage rises, such as the government and academic sectors.

Telecommunications companies have long been a rich intelligence target, since access to a carrier can serve as a stepping stone into its customers. A number of factors contributed to the uptick in attacks last year, Singh said, among them COVID-19, the U.S. elections, strained geopolitical relationships, supply chain attacks, and tough 5G competition.

Yet another notable trend in the past year was how quickly attackers moved from their initial breach to lateral movement inside the victim network, a span CrowdStrike calls “breakout time”: an average of one hour and 32 minutes, roughly three times faster than the prior year.
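A breakout-time measurement over constructed endpoint telemetry, as an added example that is not part of the article or of CrowdStrike's report. It assumes triage has already labelled each event with an intrusion id and a tactic (initial_access, lateral_movement, and so on); the sample events, hostnames and helper names are made up, and the sample is constructed so that its mean lands on the 92 minutes (one hour and 32 minutes) the report cites. The point is the edge handling: events arrive out of order, and an intrusion caught before any lateral movement has no breakout time and must not be averaged in.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry, hand-labelled for this example; it is not data
# from the CrowdStrike report. Fields: intrusion id, UTC timestamp, host,
# ATT&CK-style tactic label assigned at triage, free-text detail.
SAMPLE_EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("INC-1", "2021-03-02T08:00:00", "ws-17", "initial_access", "macro document spawned cmd.exe"),
    ("INC-1", "2021-03-02T08:41:00", "ws-17", "discovery", "net group \"domain admins\" /domain"),
    ("INC-1", "2021-03-02T09:30:00", "ws-17", "lateral_movement", "PsExec service installed on fs-01"),
    ("INC-1", "2021-03-02T09:45:00", "fs-01", "lateral_movement", "RDP logon to db-02"),
    # Second intrusion, deliberately listed out of order to exercise the sort.
    ("INC-2", "2021-04-11T23:10:00", "srv-03", "lateral_movement", "WMI process creation on srv-04"),
    ("INC-2", "2021-04-11T21:36:00", "srv-03", "initial_access", "webshell written under wwwroot"),
    ("INC-2", "2021-04-11T22:05:00", "srv-03", "credential_access", "lsass.exe memory read"),
    # Third intrusion contained before any lateral movement: no breakout yet.
    ("INC-3", "2021-05-20T14:00:00", "ws-42", "initial_access", "ISO mounted, LNK executed"),
    ("INC-3", "2021-05-20T14:12:00", "ws-42", "execution", "rundll32 loading unsigned DLL"),
]

Event = Tuple[datetime, str, str, str]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def breakout_times(events) -> Dict[str, Optional[timedelta]]:
    """Per intrusion, the time from the earliest initial_access event to the
    earliest lateral_movement event. None means no breakout was observed
    (caught first, or inconsistent labels) and must not be averaged in."""
    by_incident: Dict[str, List[Event]] = defaultdict(list)
    for inc, ts, host, tactic, detail in events:
        by_incident[inc].append((_parse_ts(ts), host, tactic, detail))

    result: Dict[str, Optional[timedelta]] = {}
    for inc, evs in by_incident.items():
        evs.sort(key=lambda e: e[0])  # ingestion order is not event order
        first_access = next((e[0] for e in evs if e[2] == "initial_access"), None)
        first_lateral = next((e[0] for e in evs if e[2] == "lateral_movement"), None)
        if first_access is None or first_lateral is None or first_lateral < first_access:
            result[inc] = None
        else:
            result[inc] = first_lateral - first_access
    return result


def mean_breakout_minutes(times: Dict[str, Optional[timedelta]]) -> Optional[float]:
    """Average breakout time in minutes over intrusions where one was observed."""
    observed = [t.total_seconds() / 60 for t in times.values() if t is not None]
    return mean(observed) if observed else None


def faster_than(times: Dict[str, Optional[timedelta]], target: timedelta) -> List[str]:
    """Intrusions whose breakout beat a response target (the time a SOC needs
    to detect, investigate and contain), sorted by intrusion id."""
    return sorted(inc for inc, t in times.items() if t is not None and t < target)


if __name__ == "__main__":
    times = breakout_times(SAMPLE_EVENTS)
    for inc, t in times.items():
        print(f"{inc}: {t if t is not None else 'no lateral movement observed'}")
    print(f"mean breakout: {mean_breakout_minutes(times):.0f} min")
    print("beat a 2-hour response target:", faster_than(times, timedelta(hours=2)))
```

The weakest input is the initial_access timestamp: it is the first evidence triage could find, not necessarily the true first compromise, so the computed figure is the window between your first visible signal and lateral movement, which is the window the response process actually has to work with.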
