The following is the Jan. 4, 2021 Congressional Research Service In Focus report, Russian Cyber Units.
From the report
Russia has deployed sophisticated cyber capabilities to conduct disinformation, propaganda, espionage, and destructive cyberattacks globally. To conduct these operations, Russia maintains numerous units overseen by its various security and intelligence agencies. Russia’s security agencies compete with each other and often conduct similar operations on the same targets, making specific attribution and motivation assessments difficult. Congress may be interested in the various Russian agencies, units, and their attributes to better understand why and how Russia conducts cyber operations.
Early Russian Cyber Operations
According to media and government reports, Russia’s initial cyber operations primarily consisted of Distributed Denial of Service (DDoS) attacks and often relied on the co-optation or recruitment of criminal and civilian hackers. In 2007, Estonia was the target of a large-scale cyberattack, which most observers blamed on Russia. Estonian targets ranged from online banking and media outlets to government websites and email services.
Shortly thereafter, Russia again employed DDoS attacks during its August 2008 war with Georgia. Although Russia denied responsibility, Georgia was the victim of a large-scale cyberattack that corresponded with Russian military actions. Analysts identified 54 potential targets (e.g., government, financial, and media outlets), including the National Bank of Georgia, which suspended all electronic operations for 12 days.
Russian Security and Intelligence Agencies
Over the past 20 years, Russia has increased its personnel, capabilities, and capacity to undertake a wide range of cyber operations. No single Russian security or intelligence agency has sole responsibility for cyber operations. Observers note that this framework contributes to competition among the agencies for resources, personnel, and influence, and some analysts cite it as a possible reason for Russian cyber units conducting similar operations, without any apparent awareness of each other. Additionally, some agencies appear to prioritize the development of in-house capabilities, whereas others look to contract outside actors for operations.
The Main Directorate of the General Staff, commonly referred to as the GRU, is Russia’s military intelligence agency. The GRU has been implicated in some of Russia’s most notorious and damaging cyber operations. Media reporting and U.S. government indictments identify two primary GRU cyber units. The U.S. Department of Justice (DOJ) has charged personnel from both units for actions ranging from election interference in the 2016 U.S. presidential election to multiple damaging cyberattacks. The units’ public profile underlines a high operational tempo. The GRU also reportedly controls several research institutes that help develop hacking tools and malware. Observers have noted an apparent willingness by GRU cyber units to conduct brazen and aggressive operations, sometimes with questionable levels of operational security and secrecy. Collectively, these units are sometimes referred to as APT (Advanced Persistent Threat) 28, Fancy Bear, Voodoo Bear, Sandworm, and Tsar Team.