Proactive, efficient threat mitigation and risk management require understanding adversaries’ fundamental thought processes, not just their tools and methods.

Our cyber threat intelligence analysts combed through 15 years (2004 to 2019) of public sources that have documented the activities of one prolific threat actor, Russia’s military intelligence agency, the GRU. The statements of at least a dozen governments link the GRU to more than 200 espionage, disruption, and disinformation incidents and campaigns. Our analysis revealed novel links between these activities and Russia’s stated military doctrine. We showed that, by aligning cyber activity with strategic doctrine, we can reveal the logic underlying state-linked cyber activity.

This report, Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations, presents 33 case studies that reexamine GRU-linked operations. Our analysis shows that the timing, targets, and impacts of this activity mirrored Russian strategic concerns about specific events and developments. Consequently, we can predict potential activity as Russia’s military priorities continue to evolve.

Defending against cyber operations—like those of the GRU—demands understanding not just how these operations occur but, more importantly, why. By understanding why adversaries act, defenders can better anticipate when, where, and in what form those actions may occur and take deliberate action to mitigate their risk based on that insight.

Download the report to discover insights into Russian cyber activity, predictions for what’s next, and guidance on how to use this historical data to anticipate and plan for future cyber risks.