We have been investigating Russian cyber-attacks this week. Today we publish a timeline of Russian cyber-activities. In the interest of space, I am publishing just the timeline with little descriptive content. I have included a download link to a PDF and spreadsheet of the timeline with more detail, and links to sources.
Notice how these cyber attacks started out in 2004 as small, unsophisticated attacks against former soviet-bloc countries, done with as much secrecy and deniability as possible. As the Russians gained experience, and learned that there would be few, if any consequences from the west, they became bolder and more daring. They are at the point now where there is little concern from them about attribution and deniability, it is now just a part of there intelligence and military operations and foreign policy.
Timeline of Russian Cyber Attacks PDF, no links
Timeline of Russian Cyber Attacks XLSX, links to source
| Date | Attack | Actor | Actions |
| 6/26/2004 | Operation Pawn Storm | Fancy Bear | Espionage |
| 1/1/2005 | Turla aka Uroburos or Snake (2005 – 2014) | Venomous Bear | Political espionage and surveillance of western embassies |
| 4/1/2007 | Estonian DDoS April-May 2007 | Russian Cyber-crime or Hacker Collective | DDoS on Estonian financial institutions |
| 6/1/2008 | Lithuanian Web Site Defacement | Russian Cyber-crime or Hacker Collective | Web site defacement |
| 8/1/2008 | Georgian Internet Shut Down | Russian Cyber-crime or Hacker Collective | DDoS againt Internet access |
| 1/1/2009 | Kyrgyzstan Internet DDoS | Russian Cyber-crime or Hacker Collective | DDoS againt Internet access |
| 4/1/2009 | Kazakhstan DDoS | Russian Cyber-crime or Hacker Collective | DDoS againt media outlet |
| 8/1/2009 | Georgian Facebook and Twitter Shut Down | Russian Cyber-crime or Hacker Collective | Shut down Twitter and Facebook in Georgia |
| 1/1/2012 | Red October (2012) | FSB | Espionage |
| 7/26/2013 | Authorities bust Russian credit card hackers | Russian Cyber-crime or Hacker Collective | Response from the west against cybercrime group |
| 3/1/2014 | Cyber and Military Annexation of Crimea | GRU | Coordinated military and cyber DDoS attack |
| 3/6/2014 | US sanctions Russia over Ukraine and Crimea | USA | Western sanctions against Russia |
| 5/1/2014 | Ukrainian Presidential Election Interference | Russian Cyber-crime or Hacker Collective | Cyber attack against Ukrainian election commission |
| 10/13/2014 | iSight Report | Sandworm | Espionage |
| 10/17/2014 | State Department Email Breach | Cozy Bear | Espionage, email account hijacking |
| 10/29/2014 | White House Breach | Cozy Bear | Espionage, email account hijacking |
| 4/8/2015 | French TV5 Monde | Fancy Bear or Cozy Bear | Take down television station |
| 4/8/2015 | Crowdstrike Report on Russian Cyber Activity | Cozy Bear | Report on Russian cyber activity |
| 5/8/2015 | Bundestag Surveillance | Fancy Bear | Espionage |
| 6/1/2015 | Office of Personnel Management | Cozy Bear | Identity theft, theft of PII |
| 6/1/2015 | DNC Infiltration (June 2015 to November 2016) | Cozy Bear | Election interference, espionage |
| 7/25/2015 | Pentagon Joint Chiefs Email Compromise | Russian Cyber-crime or Hacker Collective | Espionage, military intellegence gathering |
| 10/1/2015 | Dutch Government Breach regarding Flight MH17 | Attributed to Russian Government | Information theft, coverup of military action |
| 12/23/2015 | Ukrainian Power Grid Attack | Russian Cyber-crime or Hacker Collective | Coordinated military and cyber infrastructure attack |
| 1/1/2016 | Finnish Foreign Ministry | Russian Cyber-crime or Hacker Collective | Espionage |
| 3/19/2016 | John Podesta (DNC) Email Compromise | Cozy Bear | Election interference, espionage, kompromat |
| 4/1/2016 | Second DNC Attack | Fancy Bear, Cozy Bear | Election interference, espionage |
| 6/15/2016 | Crowdstrike Report on DNC Attacks | Fancy Bear, Cozy Bear | Report on Russian cyber activity |
| 7/8/2016 | US Election Systems | Attributed to Russian Government | Election interference, espionage, identity theft |
| 7/22/2016 | Wikileaks Published DNC Emails | Wikileaks | Kompromat or public embarrassment, election interference |
| 7/28/2016 | Cyber Attack Against Democratic Congressional Campaign Committee (DCCC) | Attributed to Russian Government | Election interference, espionage |
| 9/13/2016 | Colin Powell Gmail Leak | Attributed to Russian Government | Espionage, military intellegence gathering |
| 10/9/2016 | Podesta Emails Published | Wikileaks | Kompromat or public embarrassment, election interference |
| 10/17/2016 | Email and Network Breaches Attributed to Russia By DHS | DHS | Attribution to Russia |
| 11/9/2016 | Phishing Attacks on Think Tanks and NGOs | Attributed to Russian Government | Espionage, information gathering |
| 12/1/2016 | German Election Interference | Attributed to Russian Government | Election interference |
| 12/22/2016 | Ukrainian Army Android hack | Fancy Bear | Military tactic to use GPS to locate targets. |
| 12/29/2016 | Russian Diplomats Expelled | President Obama | US sanctions against Russia |
| 12/29/2016 | Report on Grizzly Steppe | US-CERT, DHS | US-CERT DHS joint report |
| 12/31/2016 | Vermont Electric Attack | Grizzly Steppe | Access of energy company laptop |
| 2/3/2017 | Cyber attacks on Norway and Netherlands governments | Cozy Bear | Disruptions of government operations |
| 2/10/2017 | Enhanced Analysis of GRIZZLY STEPPE Activity | US-CERT, DHS | US-CERT DHS joint report |
| 3/1/2017 | German and French Election Campaigns (March, April, May 2017) | Fancy Bear | Election interference |
| 5/23/2017 | Qatar News Agency Breach | Attributed to Russian Government | To create divishions between mid-eastern governments and the US |
| 7/9/2017 | Power plant breaches | Dragonfly | Remote access and control of energy infrastructure |
| 9/13/2017 | DHS Bans Kaspersky | DHS, FBI | US sanctions against Russia |
| 1/22/2018 | Russia Meddles in Swedish Elections | Attributed to Russian Government | Election interference |
| 2/15/2018 | Petya Ransomware | US-CERT, DHS | Operational disruption of targeted business sectors |
| 3/15/2018 | Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors | US-CERT, DHS | Operational disruption and control of targeted business sectors |
| 4/20/2018 | Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices | US-CERT, DHS | Operational disruption and control of targeted business sectors |
| 11/16/2018 | US spear-phishing campaign | Cozy Bear | Operational disruption and control of targeted government and business sectors |
| 11/20/2018 | new malware against US and European targets | Fancy Bear | Operational disruption and control of targeted government and business sectors |
More information:
- Timeline of Russian Cyber Attacks – InvestigateRussia.org
- Ten Years of Russian Cyber Attacks – NBC News
- December 29, 2016: US-CERT Joint Analysis Report (JAR-16-20296A) GRIZZLY STEPPE – Russian Malicious Cyber Activity (PDF)
- February 10, 2017: Analysis Report (AR-17-20045) – Enhanced Analysis of GRIZZLY STEPPE Activity (PDF)
- March 15, 2018: Technical Alert (TA18-074A) – Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- April 16, 2018: Technical Alert (TA18-106A) – Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
- Russia Meddles in Swedish Elections
- Russian Spearphishing Campaign
- Russian Malware Campaign
21
DEC
DEC
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com