Ending cyber offensive against Russia could reduce threat intel

Pete Hegseth, U.S. secretary of defense, reportedly ordered U.S. cyber command to cease all offensive actions against Russia.
Al Drago/Bloomberg

As the U.S. reportedly ends its cyber offensive operations against Russia, intelligence collected through cyber espionage operations against the country also stands to decline, potentially compromising a source of threat information on which U.S. banks and other providers of the nation's critical infrastructure rely.

The Record, a publication of cybersecurity company Recorded Future, first reported that Defense Secretary Pete Hegseth had ordered U.S. Cyber Command to cease all offensive actions against Russia, citing three people familiar with the matter. Outlets including the New York Times and NBC News have since confirmed the report.

The Department of Defense did not respond to a request for comment.

The U.S. has maintained a reputation for rarely conducting cyberattacks, especially compared to the four countries that present the primary cyber risk to national security and critical infrastructure: China, Russia, North Korea and Iran.

However, U.S. cyber-espionage capabilities are also widely understood to be among the most sophisticated of any nation, and these capabilities help to inform some of the threat reporting that the government offers to the private sector.

The major agency that offers threat intelligence to the private sector is the Cybersecurity and Infrastructure Security Agency, or CISA, which has not changed its own posture toward Russia and will continue to defend against "all cyber threats to U.S. critical infrastructure, including from Russia," the agency said on X.

The statement followed a report from the Guardian that said the Trump administration signaled it does not believe Russia represents a cyber threat against U.S. national security or critical infrastructure.

Russia has historically posed a variety of threats to U.S. banks, though not always to the extent predicted. For example, despite warnings of a digital Pearl Harbor in the wake of Russia's invasion of Ukraine and subsequent economic sanctions by the U.S. and Europe on country leaders and oligarchs, no major cyber operation affecting U.S. entities came to pass.

Despite the lack of any major disruption, Russia-backed groups have engaged in a variety of attacks against U.S. banks.

CISA catalogs the advisories it has issued regarding Russian state-sponsored cyber threats. The most recent advisory, issued jointly by agencies including the FBI, the Department of the Treasury and CISA in September, warned that a Russian military cyber actor, known as Unit 29155, has conducted computer network operations against global targets for the purposes of espionage, sabotage and reputational harm since at least 2020.

One of the most notable cyber operations by Russian operatives was the 2020 SolarWinds supply-chain compromise, in which the attackers abused Microsoft, SolarWinds and VMware credentials and vulnerabilities to steal data from executive branch departments and some private companies.

Russia's response to U.S. sanctions has been the primary source of unease for cybersecurity specialists protecting the U.S. banking industry. A report from the Office of the Comptroller of the Currency, released in July, said increased geopolitical tensions had "heightened the risk of the Russian government exploring options for potential cyberattacks in response to the unprecedented economic sanctions imposed in response to Russia's invasion of Ukraine."

Besides threats directly from the Russian government, pro-Russia actors also pose a threat to U.S. critical infrastructure, though the threat to banks appears to be relatively small. Ideologically motivated attackers — so-called hacktivists — have had only a "minimal" impact on the financial sector, according to a report released last year by the Financial Services Information Sharing and Analysis Center.

"Since Russia's invasion of Ukraine in February 2022, ideologically motivated hacktivist incidents have increased, but the impact on the financial services sector has been minimal," reads the FS-ISAC report. "Security-mature organizations can defend themselves from significant harm, and damage to smaller firms largely results from brief public website outages."

The FS-ISAC report highlighted distributed denial of service, or DDoS, attacks as the prototypical threat posed by pro-Russia hacktivists and specifically named NoName057 as a "more successful" and opportunistic attacker. The group went after Italian targets, including banks, last month after the country's president compared Russia's invasion of Ukraine to the "wars of conquest" by the Nazis, though the attack had little impact on victim organizations.

Other, more prominent hacking groups also have ties to Russia and benefit from the safe harbor the country offers to cybercriminals.

For example, LockBit, a group that global law enforcement agencies have attempted to disrupt for the past year, has targeted financial institutions with ransomware attacks that have led to data breaches and, in some cases, operational disruptions.

How each of these groups will respond to recent changes in the U.S. posture toward Russian cyber operations — whether they take advantage of the reduced offensive pressures by ramping up their own offensive operations, cool down their attacks or carry on their business as usual — is currently unclear.

In the wake of the U.S. ending offensive operations against Russia, the ability of banks and other companies to track the actions of these groups could depend more on the capabilities of industry groups such as FS-ISAC and less on cyber espionage efforts by the U.S.

MORE FROM AMERICAN BANKER