Russia's Cyber Spies: APT Bears and the Battle for Digital Dominance
- Matthew Parish
- Jul 9

Russia’s modern wars are fought not only with tanks and missiles, but also with code and compromised networks. Since the early 2000s, the Russian state has deployed a constellation of cyberespionage units under the umbrella of her intelligence services, each tailored to a specific strategic purpose. Amongst the most active and sophisticated of these are four so-called advanced persistent threat (APT) groups: Venomous Bear and Energetic Bear, both associated with the Federal Security Service (FSB), and Fancy Bear and Cozy Bear, linked to the military intelligence agency (GRU) and the foreign intelligence service (SVR) respectively.
These names are used by cybersecurity researchers to categorise state-sponsored hacker groups. The “Bear” motif denotes Russian origin, while the adjectives are arbitrary but have become standard within global cybersecurity discourse. The term advanced persistent threat refers to a covert cyber actor, usually a nation-state, with the ability to maintain long-term access to networks while remaining undetected.
Understanding the structure and operations of these four cyber units is essential not only to grasp Russia’s strategy of hybrid warfare but also to see how the battlefields of the twenty-first century are increasingly digital, blurred, and deniable.
Venomous Bear (also known as Turla)
Venomous Bear, often referred to in technical circles as Turla, is widely believed to be a unit of the FSB’s Centre 16 — the agency’s signals intelligence division. Active since at least 2008, Turla is among the most sophisticated cyberespionage groups ever documented. It is known for its stealth, creativity, and long-term infiltration of government and military networks, primarily in Europe and the Middle East.
One of Turla’s most notorious operations was the hijacking of other hacker groups’ infrastructure — a form of false-flag operation, in which an attacker disguises its activity as that of another actor. In 2018, Turla hijacked malware tools and infrastructure used by Iranian cyber units and used them to launch attacks across multiple countries, complicating attribution efforts. This approach not only allowed the FSB to disguise its operations, but also to feed misinformation to the cyber threat intelligence community, thereby weakening collective Western cyber defences.
Venomous Bear tends to favour traditional espionage over sabotage. Its targets include ministries of foreign affairs, defence contractors and international organisations. Its malware arsenal is custom-built and constantly evolving, often delivered through compromised websites or watering hole attacks — a method where hackers infect websites that are frequently visited by their targets.
Energetic Bear (also known as Dragonfly)
Energetic Bear, attributed to another branch of the FSB, has a more specialised mission: the penetration of industrial control systems and critical infrastructure, particularly in the energy sector. This group gained global notoriety around 2013 for attacks against energy grids and power generation companies in the United States, Canada and Europe.
While Energetic Bear does not generally aim to cause immediate destruction, it is believed to map vulnerabilities and position itself to potentially disable or degrade national infrastructure in times of conflict. This approach — known as pre-positioning — is a hallmark of Russian cyber doctrine: to hold latent capacity for sabotage in the event of open hostilities.
Unlike Turla, Energetic Bear tends to use more standardised, commodified malware, often obtained through semi-criminal contractors. It is less elegant but no less dangerous, and its focus on the interface between digital systems and physical utilities gives it a unique strategic role within the FSB’s cyber portfolio.
Fancy Bear (also known as APT28)
Fancy Bear, linked to the GRU (Russia’s military intelligence agency), is the most aggressive and publicly visible of Russia’s cyber actors. It came to international prominence for its role in the hacking of the Democratic National Committee in the United States during the 2016 presidential election, as well as cyber operations against the German Bundestag and the World Anti-Doping Agency.
Unlike the FSB-linked groups, Fancy Bear is not primarily interested in stealth. Its mission is to shape the information environment in favour of Russian military and strategic objectives. It conducts disruptive operations: leaking stolen emails, defacing websites, spreading disinformation, and sowing confusion in enemy states.
Technically proficient and politically reckless, Fancy Bear often operates in tandem with broader psychological operations. The GRU’s cyber activities are coordinated with influence campaigns run through media outlets such as RT (Russia Today) and Sputnik, two Russian government-run media organisations, as well as with troll farms and social media botnets. These campaigns aim not to convince but to confuse — to pollute the information space with conflicting narratives.
Cozy Bear (also known as APT29)
Cozy Bear, attributed to the SVR (Russia’s foreign intelligence service), is the quietest and most methodical of the four. It was also implicated in the 2016 US election interference campaign, though with a more espionage-oriented mandate than Fancy Bear. In recent years, it has focused heavily on infiltrating Western diplomatic, research and health institutions — including the cyberattacks on vaccine developers during the COVID-19 pandemic.
The SVR’s cyber unit mirrors the agency’s Cold War approach: long-term, high-value espionage conducted with plausible deniability. Cozy Bear operations are notable for their restraint and technical finesse. They are rarely detected until long after the breach, and their malware often includes sophisticated self-destruct mechanisms to avoid forensic analysis.
Cozy Bear prefers credential theft and access through trusted supply chains — such as the infamous SolarWinds breach in 2020, which compromised multiple US federal agencies via a tampered software update distributed through the vendor’s legitimate update channel. This indirect access model underscores the SVR’s strategic patience and mastery of modern digital tradecraft.
Contrasts and Convergence
Although these four APT groups operate under different agencies, their missions often overlap. This is partly by design — Russian intelligence structures are intentionally opaque and competitive — and partly a reflection of evolving cyber norms in which espionage, sabotage and influence are increasingly interlinked.
The FSB’s Venomous and Energetic Bear are focused on surveillance and infrastructure. They are the quiet scouts, mapping the territory. The GRU’s Fancy Bear is the saboteur, publicly disruptive and willing to burn tools in order to create chaos. The SVR’s Cozy Bear is the collector, meticulously building dossiers of classified intelligence.
Whereas Fancy Bear seeks impact and political effect, Venomous Bear prioritises long-term access. Energetic Bear explores how to hold a foreign society’s lights and water supply hostage. Cozy Bear wants to know what foreign ministries are planning before they say it aloud. Together they form a digital triad of espionage, disruption and latent sabotage.
Strategic Implications
The sophistication of Russia’s APT ecosystem has shaped how NATO and other Western powers define cyber defence. The emphasis has shifted from purely technical firewalls to a model of resilience that includes information integrity, social trust and operational continuity.
For Ukraine, these groups represent not just theoretical threats but real adversaries. All four have been involved at different times in attacks on Ukrainian systems: Venomous Bear in government breaches, Energetic Bear in power grid mapping, Fancy Bear in psychological operations, and Cozy Bear in diplomatic surveillance.
The West’s continued support for Ukraine must include countermeasures not only on the battlefield but in cyberspace — because in today’s war, sovereignty is defended as much through servers and silicon as through soldiers.
Understanding these Bears is not just a matter of cybersecurity; it is a matter of national survival.