Multiple hacker groups are currently active in Russia, gathering intelligence about Russian citizens to justify new sanctions by the United States and other countries, Ilya Sachkov, the head of the information security company Group-IB, announced at this year’s “AntiFraud Russia” international forum. “Their assignment is to replenish American sanctions lists, not to steal money from banks. It’s a completely different target of attack,” Sachkov said on December 7, without citing specific examples.

A source in the cybersecurity industry confirmed to the magazine RBC that there have been two or three known incidents in Russia, where hackers penetrated Russian banks’ computer systems, studying customers’ transactions and account balances, seeking candidates for foreign sanctions.

Speaking to RBC, Sachkov said there are several “pro-government hacker groups” operating around the world, collecting information about businesses and individuals that could be used to justify sanctions by multiple states, and not just by the U.S. and European Union. According to Group-IB, these groups exist in Russia, but they’re even more active in China, North Korea, and Iran.

Sachkov says these hackers don’t always target banks. Groups often go after business partners and subcontractors, whose computer systems are usually easier to penetrate. Hackers looking for sanctionable offenses aim to establish “a long-term presence on the networks of critical infrastructure,” Sachkov explains, adding that Group-IB has worked with companies that were under the control of hackers for an entire year without realizing it.

In August 2016, a hacker group called “the Shadow Brokers” (with suspected ties to Russian intelligence) released a treasure trove of apparent NSA hacking tools, including exploits allegedly used to target the Dubai-based EastNets SWIFT service bureau. Part of the leaked data “appears to confirm that the NSA had successfully set up backdoor monitoring,” Forbes reported in April 2017.