In late December 2025, the Polish energy sector was targeted by a coordinated series of destructive cyberattacks using a new malware tracked as DynoWiper [1]. The operation affected over 30 renewable energy sites and a major combined heat and power plant during a period of extreme cold.
Key Technical Observations:
DynoWiper is a destructive tool designed to overwrite or delete data. It shares significant code overlaps with the “ZOV” wiper previously used in Ukraine [2].
The attack focused on the distributed edge, specifically targeting Remote Terminal Units (RTUs) at wind and solar farms. Attackers damaged firmware to disable remote communication with the grid operator.
In several instances, access was gained via internet-exposed edge devices lacking multi-factor authentication (MFA).
Attribution Discrepancy
A fairly uncommon disagreement exists between private industry and Polish officials regarding the actor:
Sandworm (GRU): Linked by ESET and Dragos on the basis of the malware's technical lineage and the timing, which coincided with the 10th anniversary of the 2015 Ukraine blackout [3].
Dragonfly/Berserk Bear (FSB): Formally attributed by CERT.PL based on specific C2 infrastructure overlaps with current FSB espionage operations [4].
The evidence suggests a collaborative model or shared contractor network. One agency likely provided the initial access/infrastructure while the other provided the specialized destructive tradecraft. The targeting of Polish critical infrastructure is a shift for FSB-aligned actors from long-term pre-positioning to active destruction against NATO critical infrastructure.
Venezuela has increasingly become a narco-state where high-level officials enable drug trafficking to sustain their power. US authorities accuse Nicolas Maduro and his inner circle (dubbed the “Cartel of the Suns”) of colluding with criminals to ship cocaine abroad. While not a traditional cartel hierarchy, this term best reflects how the regime allows criminal networks to operate in exchange for loyalty and funds. The result is a steady flow of cocaine through Venezuelan territory from Colombian producers, using Venezuela’s porous borders and ports as transit points. These illicit revenues help Caracas offset economic collapse under sanctions, propping up Maduro’s government as legitimate oil income fell. In turn, Venezuela’s instability and lawlessness (fueled by drug money, corruption, and mass migration) have regional spillover effects, straining neighboring countries and providing openings for foreign powers to step in as patrons and exploiters.
Cuba’s Lifeline and Intelligence Footprint
Cuba has arguably the most intimate stake in Venezuela’s survival. Since the era of Hugo Chavez, a Caracas-Havana axis has existed in which Venezuela ships subsidized oil to Cuba, literally keeping Cuban lights on. Without the Venezuelan oil lifeline, Cuba’s economy would be unsustainable, a fact that cements Havana’s interest in shoring up Maduro. In exchange, Cuba provides extensive political and security assistance. Over the past two decades, thousands of Cuban personnel, including doctors and teachers but also security and intelligence advisors, have been posted in Venezuela. They advise and embed within Venezuelan military units and intelligence services, imparting Cuba’s decades of know-how in surveillance, counterintelligence, and political repression. This Cuban contingent is widely seen as a pillar of Maduro’s regime stability, helping prevent military coups and monitoring potential dissent. In essence, Havana leverages Venezuela’s turmoil (and its own advisors on the ground) to maintain an allied government and extend Cuba’s influence in South America. The partnership is deeply symbiotic: Venezuela supplies Cuba with energy and funds, and Cuba’s security apparatus works to keep Caracas in friendly hands, frustrating US attempts to isolate the Maduro regime.
Russia’s Military and Strategic Leverage
Russia has also cultivated Venezuela as a strategic foothold in the Western Hemisphere. Since Hugo Chavez reached out to Moscow in 2000, Russia has been a vital source of arms, oil investments, and diplomatic backing for Venezuela. Billions in weapon sales, from aircraft to air defense systems, and joint projects in oil fields ensued, not always yielding profit for Moscow but serving a geopolitical purpose. In return, the Kremlin gained a significant presence in South America, fulfilling Putin’s ambition to challenge the US in its own backyard. By propping up Caracas, Russia forces Washington to divert attention and resources, effectively acting as a spoiler to US interests. Even amid Russia’s war in Ukraine, Moscow has maintained military ties with Venezuela. In May 2025, the two signed a Strategic Partnership Treaty to expand cooperation in energy, mining, defense technology, and intelligence sharing. Russian oil firms also quietly supply Venezuela with crucial diluents to keep its heavy crude flowing. Furthermore, Russia and Venezuela regularly engage in military exchanges and joint exercises; Venezuela even hosted segments of Russia’s International Army Games in 2022. In past crises, the Kremlin showed its willingness to deploy assets by sending strategic bombers and air defense units to Venezuela during moments of heightened US pressure. All of this highlights how Moscow leverages Venezuela’s anti-US stance and need for security guarantees to deepen its footprint. From intelligence operatives on Venezuelan soil to warship visits, Russia uses Venezuela as a forward base of influence in LATAM, complicating US strategic calculus. Notably, both countries vocally oppose US “unilateral sanctions” and invoke principles of non-intervention, aligning themselves at the UN and other forums.
In short, Venezuela’s turmoil and isolation have been a golden opportunity for Russia to project its power westward, cementing an alliance that counters US presence in the region.
China’s Economic Stakes in Venezuela
China’s approach centers on economic and technological entrenchment in Venezuela. Over the last 15 years, Beijing has loaned Venezuela over $50 billion in exchange for oil. Even as Venezuela’s oil industry deteriorated, China remained its major buyer, responsible for nearly three-quarters of Venezuela’s oil exports, often through intermediaries to evade sanctions. Much of this oil repays Chinese loans, and steep discounts give China’s refiners a bargain supply. Beyond buying oil, Chinese state giants hold enormous stakes in Venezuela’s oil reserves. As the chart below shows, Sinopec and CNPC together claim rights to over 4.4 billion barrels of Venezuelan oil.
Figure 1: Chinese state firms Sinopec and CNPC hold the largest oil entitlements in Venezuela, surpassing Russian, US, and other foreign firms through joint ventures with PDVSA. Source: Morgan Stanley Research, Wood Mackenzie
These investments grant Beijing long-term influence over Venezuela’s most prized asset. China has also expanded into infrastructure and high-tech realms: Huawei built Venezuela’s national telecom backbone, ZTE designed the controversial “Fatherland Card” ID and social control system, and China’s CEIEC helped set up surveillance networks. Such technology transfers embed Chinese systems deep into Venezuela’s governance and security apparatus. In effect, Venezuela has become an outpost for China’s Digital Silk Road and resource acquisition strategy. Beijing leverages Venezuela’s financial desperation to secure favorable deals in oil, minerals, and telecom, all while portraying itself as Venezuela’s dependable partner amid US sanctions. China’s presence yields geopolitical dividends too: it gains political goodwill across LATAM for standing by Venezuela, and it challenges US influence by offering an alternative development model. However, China treads carefully; it has at times slowed new loans or investments, wary of Venezuela’s instability and inability to repay. Still, with a recent agreement on promoting bilateral investments (signed May 2024) and high-profile state visits, Beijing has signaled its commitment to deepening ties with Caracas for mutual strategic benefit.
Venezuela as a Platform for Extra-Regional Influence
For Cuba, Russia, and China, an embattled Venezuela serves as a gateway to project power in LATAM. Under Chavez and Maduro, Caracas spearheaded an alliance of leftist governments (the ALBA bloc) that resisted US policies. Venezuela once bankrolled regional clients with oil subsidies (e.g. the PetroCaribe program), buying influence in the Caribbean and Central America. Today, even with resources diminished, Venezuela provides friendly territory for US rivals to operate in. Intelligence reports indicate that Russian and Iranian military personnel have used Venezuelan bases to cooperate on drone programs and other strategic projects. Meanwhile, Cuba uses Venezuela as a forward post for its intelligence network in South America, extending Havana’s reach beyond the island. By hosting foreign military advisors, allowing port calls, or brokering diplomatic support, Venezuela amplifies the global influence of its patrons. Caracas often votes with Beijing and Moscow at the UN, and in turn receives diplomatic cover; for example, joint opposition to US “unilateral sanctions” has been a refrain of Venezuela, China, and Russia alike. The Venezuelan regime also harbors Colombian guerrilla groups and traffickers, whose activities destabilize neighboring Colombia and beyond. Importantly, Venezuela’s mere alignment with great-power competitors transforms it into a symbolic beachhead, demonstrating that US dominance in the Western Hemisphere can be contested. This emboldens other populist or authoritarian leaders in LATAM who seek multi-polar alternatives. In summary, Venezuela’s drug-fueled instability and anti-US stance make it a convenient platform for Cuba’s ideological agenda, Russia’s military forays, and China’s economic inroads, extending these countries’ influence throughout South America under the cover of “South-South” cooperation.
US-Mexico Counter-Narcotics Efforts
Facing an unprecedented fentanyl overdose epidemic at home, the US has refocused on counter-narcotics cooperation with Mexico as a linchpin of its regional strategy. Over 100,000 Americans die annually from drug overdoses, primarily fentanyl, putting intense pressure on Washington to act. Most illicit fentanyl is manufactured by Mexican cartels using Chinese-sourced precursor chemicals, then smuggled across the US-Mexico border. Yet until recently, Mexico was reluctant to confront the cartels head-on, even claiming that Mexico does not produce fentanyl. Cooperative security programs like the Merida Initiative stagnated as Mexico scaled back the US law enforcement presence and hollowed out joint anti-drug efforts. This approach gave transnational cartels free rein, worrying US officials. In late 2023, however, signs of a shift emerged. Through intense diplomacy (and some hardball tactics like hinting at trade tariffs), the Biden administration got Mexico to acknowledge the crisis. Bilateral agreements were reached in late 2023. Around the same time, China agreed to re-engage in narcotics cooperation, promising to police chemical exports more rigorously after high-level talks.
Concrete actions followed these understandings. US pressure coincided with Mexico’s military capturing major cartel figures, most notably Ovidio Guzman (son of “El Chapo”), who was extradited to the US in September 2023 on fentanyl trafficking charges. The US Drug Enforcement Administration also helped Mexican forces target clandestine fentanyl labs, while joint operations at the border (like Operation Plaza Spike) ramped up inspections of vehicles for hidden drugs. By late 2024, under mounting US pressure, Mexico reportedly deployed thousands of troops to its northern border and stepped up seizures of fentanyl pills and precursor chemicals. This growing collaboration is reshaping narcotrafficking routes: as land routes into Texas and Arizona toughen, cartels have begun exploring alternate corridors via sea and Central America. There is also evidence that traffickers are adapting by using new chemicals and dodging Chinese export curbs, a reminder that the narco-network is flexible and will seek the path of least resistance. Still, Washington’s message is that Mexico’s partnership is critical. Improved US-Mexico cooperation also serves as a counterweight to extra-hemispheric actors: it shows that North America can tackle its own security problems, leaving less excuse for outside powers to meddle under the pretext of addressing lawlessness.
Implications for US National Security and Regional Stability
These developments carry far-reaching implications. US national security is directly challenged when hostile powers gain a foothold in the Americas under the guise of aiding a beleaguered Venezuela. The growing presence of Russian military advisors, Chinese tech infrastructure, and Cuban intelligence operatives in Venezuela undermines the traditional US sphere of influence and could threaten American assets or allies in the region. For example, Russia’s support to Venezuela is explicitly aimed at countering US influence in LATAM. Such encroachment harks back to Cold War-era concerns and has led US strategists to reassert the Monroe Doctrine logic of keeping external adversaries out of the hemisphere. Indeed, Venezuela’s alignment with Cuba, China, and Russia is cited in Washington as an unacceptable beachhead for “the United States’ main opponents” in its backyard. The illicit drug trade exacerbates this strategic contest. The Venezuelan regime’s role in narcotrafficking not only finances its own repression; it also exports instability northward (in the form of drugs and refugees) and tarnishes US credibility as the problem grows. American policymakers argue that failing to check Venezuela’s narco-network and its foreign sponsors would embolden other anti-US regimes and signal a decline of US leadership.
On the other hand, a robust US counter-narcotics push, especially in partnership with Mexico, could alter the balance. Success in curbing fentanyl flows and cartel power would deprive Venezuela (and by extension Cuba and Russia) of one modus operandi for influence: the chaos and corruption spread by drug money. It would also bolster US standing as a security provider in LATAM, perhaps reassuring countries that Washington, not Beijing or Moscow, can best address regional crises. Already, the extradition of a top fentanyl trafficker and the slight dip in US overdose deaths in 2024 have been lauded as proof that coordinated action yields results. However, there are risks. If the US approach veers into unilateral military action (as some hawks urge, citing narco-terrorism), it could spark backlash akin to past interventions, playing into the hands of Cuba, China, and Russia, who would eagerly condemn US “imperialism” and rally regional opinion against Washington. Striking a balance is key: the US looks to strengthen alliances (as with Mexico and Colombia) to choke off drug routes, while diplomatically isolating Venezuela’s regime and its enablers. The coming years will test whether this strategy can stabilize LATAM’s drug economy without inflaming geopolitical tensions. One thing is clear: Venezuela’s crisis has become a linchpin issue at the crossroads of organized crime and great power rivalry. The outcome will significantly shape US influence and the security architecture of the Western Hemisphere for years to come.
This analysis was prompted by recent reporting from Matthew Luxmoore at the Wall Street Journal, which highlighted how deeply military content has been integrated into Russian schools. I reviewed additional reporting, open-source research, Russian government documents, and independent analyses to understand the broader context.
Overview
Recent reporting by Matthew Luxmoore at the Wall Street Journal (WSJ) prompted a deeper look into how far the Kremlin has reshaped Russia’s education system for long-term militarization. His work highlights a trend that has accelerated significantly since the invasion of Ukraine in 2022, and after reviewing additional sources, the picture that emerges is sharper and more concerning than a single article can capture.
A Systematic Shift Since 2014
Russia’s patriotic education initiatives began expanding after the annexation of Crimea, but the scale shifted significantly following the 2022 invasion. Federal spending grew from roughly $40 million in 2021 to nearly $600 million by 2024, supporting curriculum rewrites, school-based training programs, and the proliferation of state-run youth organizations.
New standardized history and civics textbooks portray the US and NATO as direct threats and depict Ukraine as a Western proxy. Tactical training equipment and mock Kalashnikov rifles have been distributed to thousands of schools. In many regions, these activities are now compulsory, not extracurricular.
Youth participants in military training exercises, equipped with camouflage uniforms and training equipment, highlighting the integration of militarization in Russian education. Source: Jamestown
Education as a Mobilization Pipeline
The Defense Ministry’s Youth Army (Yunarmiya), established in 2016, now claims more than 1.8 million members. It operates as a nationwide cadet network that integrates students into military culture early and maintains engagement through adolescence.
Active-duty personnel increasingly teach in classrooms, leading instruction on weapons safety, basic first aid, drone operation fundamentals, and military discipline. By eighth grade, these courses resemble structured pre-conscription preparation. In occupied Ukrainian regions, Russia has imposed these same curricula while removing Ukrainian-language materials.
Map showing the assessed control of terrain in the Russo-Ukrainian War as of November 14, 2025, highlighting significant fighting areas and territorial claims. Source: Institute for the Study of War
Strategic Messaging
The Kremlin frames these programs as tools for national unity and resilience. Critics inside Russia describe them as mechanisms for suppressing dissent and reducing independent thought. Teachers who resist implementation face administrative penalties or prosecution, underscoring the coercive nature of the effort.
While patriotism in Russian schools is not new, the current approach is more centralized, more compulsory, and more explicitly linked to real-world conflict. The expansion into early childhood (down to the first years of primary school) represents a significant change from previous decades.
Information Environment Pressures
A key driver appears to be the changing information landscape. Russian youth have greater exposure to Western media, global online discourse, and alternative political viewpoints than previous generations. Surveys consistently show that younger Russians are the least aligned with Kremlin narratives and the most likely to bypass state information controls.
This environment has prompted more aggressive ideological programming. Early-age indoctrination is used to establish state-approved narratives before outside information becomes accessible.
Implications for Future Confrontation
Taken together, these developments suggest deliberate social preparation for long-term geopolitical tension with the West. Russia is not only modernizing its armed forces; it is shaping future generations to accept sustained confrontation and large-scale mobilization as normal.
This generational strategy will influence Russia’s military posture, information operations, and cyber workforce for years to come. For the US and allied nations, it suggests a security environment where societal militarization becomes a persistent feature of Russia’s strategic behavior.
On 23 October 2025, Recorded Future assessed that Russia has shifted from a largely permissive “safe haven” model for cybercriminals to a managed cybercrime ecosystem. This evolution reflects a strategy of controlled impunity, where Kremlin authorities selectively tolerate, leverage, or regulate cybercriminal actors based on intelligence value, geopolitical utility, and risk of international pressure. State-linked or state-aligned operators remain insulated, while lower-tier enablers, money-laundering intermediaries, and infrastructure providers have faced increased arrests, disruption, and publicity-driven crackdowns. The report notes growing mistrust inside the criminal underground, leading to closed recruitment, collateral requirements, affiliate vetting, and frequent rebranding. Ransomware activity remains steady, with hundreds of new variants emerging as operators fragment and adapt to law-enforcement pressure. Western counter-ransomware operations, sanctions, payment restrictions, and coordinated takedowns continue to raise operational risk and cost for Russia-based cybercriminal groups.
Analysis: Russia’s cyber ecosystem is entering a state-directed equilibrium in which criminal capability remains accessible to the government while the Kremlin applies selective enforcement to maintain plausible deniability and political signaling. This model resembles a regulated illicit market rather than a laissez-faire sanctuary. Expect continued fragmentation, OPSEC tightening, and increased friction in monetization pipelines, but no meaningful reduction in Russian-nexus cyber operations. Western pressure is reshaping incentives without removing cybercrime’s value as an instrument of state power. Network defenders should prioritize disruption of enabling services and financial channels rather than expect Russian law enforcement to meaningfully degrade core ransomware operators.
A recent Financial Times report revealed that the US has quietly provided intelligence support to enable Ukraine’s long-range strikes on Russian energy infrastructure, representing a significant evolution in the strategic landscape of the war. This isn’t just about Ukraine landing successful drone or missile strikes. It’s about deliberately going after the economic base that keeps Russia’s war machine running.
According to the reporting, US intelligence has played a central role in shaping Ukraine’s route planning, timing, and target prioritization. This has allowed Ukrainian forces to bypass layers of Russian air defense and strike energy assets far beyond the frontline. Over the last few months, at least 16 of Russia’s 38 oil refineries have been hit, disrupting more than one million barrels per day of refining capacity. These strikes have forced Moscow to cut diesel exports and rely more on imports, tightening supply chains across sectors vital to its economy and military.
Flames and smoke rise from a Russian oil refinery after a Ukrainian drone strike in October 2025, part of a US-backed campaign targeting energy infrastructure. Source: The Moscow Times
The operation points to a deliberate shift in US strategy. Rather than direct military engagement, the US appears to be enabling Ukraine to impose economic costs through precision strikes on energy infrastructure. These assets are crucial to financing and sustaining Russian military operations. By degrading this capacity, Ukraine is eroding the Kremlin’s ability to wage a prolonged war.
The timing is notable, too. The escalation in intelligence sharing reportedly followed a July conversation between President Donald Trump and President Volodymyr Zelenskyy, signaling a change in Washington’s willingness to support deeper strikes. This is a departure from earlier caution, signaling a move toward indirect pressure on Moscow, as opposed to direct escalation.
The operational implications are just as significant. Ukraine has combined improved domestic drone production with high-quality targeting data to achieve strategic effects once reserved for major powers. This model of intelligence-enabled, long-range strikes highlights how modern warfare increasingly relies on precision, adaptability, and economic disruption rather than massed forces alone.
In the months ahead, Russia is likely to face mounting financial pressure as repeated strikes force expensive repairs, disrupt production cycles, and strain export revenue. Even if individual facilities recover, the cumulative effect of sustained targeting will weaken Moscow’s economic resilience. This campaign is designed to shift the balance through systemic pressure on the Kremlin’s capacity to sustain its war.
Summary: On 19 September 2025, three Russian MiG-31 fighters violated Estonian airspace near Vaindloo Island, remaining inside NATO territory for about twelve minutes before being intercepted by Italian F-35s deployed under NATO’s Baltic Air Policing mission. The aircraft entered without flight plans, had their transponders off, and failed to communicate with air traffic control, prompting a rapid NATO response.
Estonia reported the jets penetrated up to five nautical miles into its territory. NATO officials framed the incident as another deliberate provocation, testing alliance readiness along the eastern flank. Reports indicate these MiG-31s were carrying Kinzhal hypersonic missiles during the incursion.
Analysis: Russia is deliberately testing the NATO alliance by sending strategic assets into allied territory to measure response times and resolve. Putin likely views NATO’s restraint as an opportunity to exploit through unconventional warfare and hybrid tactics. These incidents are also likely to shape his perception of alliance weakness, influencing his decisions in possible future conflicts in the Baltics or the APAC region.
As Poland approached a critical presidential runoff on June 1, Russian-linked influence networks ramped up efforts to flood Polish social media with anti-Ukrainian messaging. The Institute for Strategic Dialogue (ISD) recently published a detailed report showing how these campaigns are designed to erode public support for Ukraine and stir domestic resentment, right when political tensions are at their peak.
Two main disinfo operations are behind this push. One is Operation Overload, which has a track record of impersonating media outlets and recycling content. The other is a newer ecosystem tied to the Pravda and Portal Kombat networks, which lean heavily on AI-generated articles and fake screenshots to manufacture outrage.
Some of the false claims spreading online included:
A fake story alleging that Ukrainian refugees were planning terror attacks in Poland
A re-edited satire video presented as real, suggesting Ukrainians were exploiting Poland’s welfare programs
AI-written content designed to look like legitimate Polish journalism
False narratives amplified so widely that even language models like ChatGPT ended up echoing them when prompted
Analyst Comments
This is classic information warfare, just modernized.
Russia doesn’t need to hack a system if it can hack the conversation. These campaigns are trying to fracture Poland’s support for Ukraine by painting refugees as a threat socially, economically, and even physically. It is low-cost, high-volume influence work, meant to stoke outrage, not debate.
What makes this different from past operations is how AI tools and platform vulnerabilities are baked into the tactics. Generative models are now being used to churn out disinfo content that mimics real reporting. Influencer accounts are being used to frame false stories as trending news. Even satire is weaponized, knowing that once something goes viral, the original context is often lost.
As we head into another global election cycle, Poland is not the only target. Similar tactics are already being seen elsewhere, especially in countries where refugee issues, defense policy, or migration tensions are front and center. This is a good reminder for policymakers, tech platforms, and threat analysts: the battlefield may be digital, but the consequences are real.
Disclaimer: This post is based on unclassified, open-source reporting and reflects my personal analysis and interpretations. The views expressed here are my own and do not represent the views or positions of my employer.
In a previous post, I detailed GRU Unit 29155’s role in physical sabotage campaigns across Europe, from the Skripal poisoning to the Czech arms depot blasts. For years, their operations reflected a legacy of Cold War-era tradecraft. Covert, kinetic, and plausibly deniable.
But according to a new investigation from The Insider, Unit 29155 has undergone a major transformation. While their physical sabotage capabilities remain intact, they have expanded into the cyber domain, developing a set of offensive capabilities that go far beyond what most analysts had attributed to this unit.
This evolution has implications not only for Ukraine but for NATO supply chains, digital infrastructure, and future hybrid conflicts.
Cyber Attacks
The reporting confirms what many in the threat intelligence space have suspected. Unit 29155 is no longer limited to physical acts of disruption. In 2022, the group ran the WhisperGate operation in Ukraine, using destructive malware to damage government systems and leak personal data. The intent was not just disruption. It was psychological destabilization.
This operation was structured and deliberate. The malware wiped systems while the data leaks created distrust. This fits Russia’s broader approach to hybrid warfare, where technical, cognitive, and physical effects are coordinated for maximum pressure.
Disinformation Campaigns
Unit 29155 also operated false flag personas like Anonymous Poland. These were used to publish disinformation that undermined trust between Ukraine and its Western partners. This was not unsophisticated trolling. It was part of a campaign using multilingual content and coordinated narratives.
In one example, the group reportedly collaborated with Bulgarian journalist Dilyana Gaytandzhieva to publish stolen material. This gave the operation a veneer of journalistic legitimacy. Russia has long used this kind of media laundering to amplify leaks, but seeing it connected to Unit 29155 shows their deeper involvement in the information space.
Hacker Recruitment
This evolution started more than a decade ago. Around 2012, the GRU began recruiting programmers and hackers through online forums and competition platforms. They focused on individuals who could operate quietly, build offensive tools, and maintain strong operational security.
Some of these actors developed malware, access frameworks, and data exfiltration tools that supported both espionage and sabotage. This is the convergence of cybercrime tradecraft and military doctrine. Unit 29155 has grown into a force that can operate in the digital domain with the same intent and effect as their physical missions.
NATO Supply Disruption
The investigation also highlights the unit’s interest in transportation and logistics networks, particularly in countries like Poland. This is a strategic move. It targets the rear areas that support Ukraine’s defense by interfering with how weapons and supplies reach the front lines.
Instead of blowing up rail lines, the modern version might involve tampering with scheduling software, triggering false alarms, or planting disruptive code that causes bottlenecks. The outcome is the same. Slow the response. Introduce uncertainty. Force decision makers to question the integrity of their support systems.
This aligns closely with Russian military thinking. Create friction, delay, and confusion through minimal but high impact actions.
Analyst Comments
This isn’t a new threat; it’s a mature one. GRU Unit 29155 has evolved from a physical sabotage unit into a hybrid operations group. Their capabilities now span cyber access, information warfare, and physical disruption. All under the same command structure.
For security professionals, this should change how we think about attribution and intent. A single unit may now be responsible for an email phishing campaign, a leaked set of government documents, and a compromised transportation system. That complicates response planning and forces a more integrated intelligence posture.
In my opinion, cyber sabotage is no longer the prelude to conflict. In many cases, it is the conflict.
Microsoft Threat Intelligence has surfaced a new Russia-affiliated cyber actor: Void Blizzard, also tracked as LAUNDRY BEAR. Active since at least April 2024, this group is focused on long-term espionage targeting sectors critical to Western governments, infrastructure, and policy-making.
Void Blizzard is not just another APT clone or cluster moniker. It represents an evolution in operational flexibility and tradecraft, shifting from relying on stolen credentials bought from criminal marketplaces to more aggressive adversary-in-the-middle (AitM) phishing campaigns. These newer efforts use typosquatted domains mimicking Microsoft Entra sign-in portals to capture both the victim's credentials and the session cookies issued after login, which is what lets the actor compromise enterprise identities without ever needing the password again.
Target Profile
Void Blizzard’s campaign focus aligns closely with Russian state priorities. It has gone after targets in:
Defense and government agencies
Transportation and healthcare infrastructure
NGOs, education institutions, and intergovernmental organizations
Media and IT service providers
While some activity overlaps with known Russian actors like APT29, Void Blizzard appears to operate as a distinct cell, coordinating within a larger ecosystem of state-sponsored espionage.
Notable Tactics
Credential-based access remains a preferred entry point, but the shift to AitM phishing is a signal of increasing confidence and offensive posture.
Microsoft Entra impersonation suggests a deliberate focus on trusted identity systems. Because an AitM proxy relays the genuine Entra login flow, the password and any non-phishing-resistant MFA (push approvals, one-time codes) pass straight through it, and the attacker walks away with a valid session cookie; this is how fragile conventional authentication flows can be under targeted pressure.
Operational consistency across NATO states and Ukraine further indicates strategic alignment with geopolitical goals, not just opportunistic targeting.
Analyst Comments
If you’re in defense, energy, public health, or civil society work, Void Blizzard’s tradecraft should raise alarm bells. Organizations should be:
Auditing Entra ID and authentication logs for anomalies tied to session replay: the same session identifier or refresh token used from a new IP address, ASN, or device shortly after issuance, and sign-ins from unfamiliar locations where the MFA requirement was satisfied by a claim in the token rather than by a fresh challenge
Deploying phishing-resistant MFA such as FIDO2 keys, which bind the credential to the real origin so a lookalike domain cannot complete the sign-in ceremony
Training users to identify lookalike URLs and domain spoofing, particularly in password reset or login prompts
Tracking overlaps with other Russian campaigns, especially Star Blizzard and Midnight Blizzard, to catch infrastructure reuse or strategic convergence
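As an added example, not code from Microsoft's report or from this post, the following Python script implements two of the checks above over constructed data: a lookalike test for hostnames seen in web-proxy or mail-link logs that imitate Microsoft Entra sign-in portals (the typosquatting described under Notable Tactics), and a session-replay test that flags a sign-in session identifier reused from a second IP address shortly after it was first seen. The allowlist of Entra hosts, the record field names (`time`, `user`, `ip`, `session_id`), the 30-minute window and all sample hosts and sign-in records are assumptions; map the field names onto your own sign-in log export.

```python
"""Triage checks for AitM phishing against Entra ID, over constructed sample data.

Added example (not the page's or Microsoft's code). Field names, the host
allowlist, the replay window and every sample record are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Hosts a legitimate Entra sign-in should go through (extend for sovereign clouds).
LEGIT_LOGIN_HOSTS = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "device.login.microsoftonline.com",
)

# Single characters and digraphs attackers substitute because they render alike.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def canonical(host: str) -> str:
    """Lower-case, drop a trailing dot, and fold confusable spellings."""
    h = host.lower().rstrip(".").translate(CONFUSABLES)
    for bad, good in MULTI_CONFUSABLES:
        h = h.replace(bad, good)
    return h


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short hostnames, so no library needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> Optional[str]:
    """Return why `host` looks like an Entra portal impersonation, or None."""
    h = host.lower().rstrip(".")
    if h in LEGIT_LOGIN_HOSTS:
        return None
    if h.startswith("xn--") or ".xn--" in h:
        return "internationalised label (possible homoglyph domain)"
    folded = canonical(h)
    for legit in LEGIT_LOGIN_HOSTS:
        if folded == legit:
            return f"confusable spelling of {legit}"
        if h.startswith(legit + "."):  # real host buried as a subdomain of attacker domain
            return f"{legit} used as a subdomain of another registrable domain"
        if levenshtein(folded, legit) <= 2:
            return f"within 2 edits of {legit}"
    return None


def lookalike_entra_hosts(hosts):
    """Map each suspicious host to the reason it was flagged."""
    flagged = {}
    for host in hosts:
        reason = lookalike_reason(host)
        if reason:
            flagged[host] = reason
    return flagged


def _ts(rec):
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))


def session_replays(signins, window=timedelta(minutes=30)):
    """Flag a session id seen from a second IP within `window` of its first sign-in.

    A stolen session cookie shows up in tenant sign-in records as the same
    session being used from the attacker's address soon after the victim's.
    """
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["session_id"]].append(rec)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=_ts)
        first = recs[0]
        for rec in recs[1:]:
            gap = _ts(rec) - _ts(first)
            if rec["ip"] != first["ip"] and gap <= window:
                findings.append({"user": rec["user"], "session_id": sid,
                                 "first_ip": first["ip"], "replay_ip": rec["ip"],
                                 "minutes_after_issue": round(gap.total_seconds() / 60)})
    return findings


# Constructed sample data (not real telemetry).
PROXY_HOSTS = [
    "login.microsoftonline.com",                       # genuine
    "login.micros0ftonline.com",                       # digit-for-letter typosquat
    "login.microsoftonline.com.sso-refresh-example.net",  # real host as subdomain
    "login.rnicrosoftonline.com",                      # rn-for-m homoglyph
    "outlook.office.com",                              # unrelated, should not flag
]
SIGNINS = [
    {"time": "2025-05-20T09:00:00Z", "user": "a.nowak@example.org", "ip": "203.0.113.10", "session_id": "sess-1"},
    {"time": "2025-05-20T09:04:00Z", "user": "a.nowak@example.org", "ip": "198.51.100.7", "session_id": "sess-1"},  # replay
    {"time": "2025-05-20T10:00:00Z", "user": "b.kowalski@example.org", "ip": "203.0.113.11", "session_id": "sess-2"},
    {"time": "2025-05-21T10:00:00Z", "user": "c.wisniewska@example.org", "ip": "203.0.113.12", "session_id": "sess-3"},
    {"time": "2025-05-22T08:00:00Z", "user": "c.wisniewska@example.org", "ip": "192.0.2.9", "session_id": "sess-3"},  # a day later, outside window
]

if __name__ == "__main__":
    for host, why in lookalike_entra_hosts(PROXY_HOSTS).items():
        print(f"LOOKALIKE {host}: {why}")
    for finding in session_replays(SIGNINS):
        print(f"REPLAY {finding}")
```

The replay window is deliberately short: a legitimate user roaming between networks over a day will also change IP within one session, so tune the window and pair the check with ASN or device-compliance data before alerting on it. The lookalike check is a first-pass filter, not a blocklist; extend `LEGIT_LOGIN_HOSTS` with the endpoints your tenant actually uses before running it over proxy logs.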
Final Thoughts
Void Blizzard is not flashy, but it is serious. It demonstrates how Russia continues to evolve its cyber espionage toolkit beneath the noise of more destructive attacks. In an era of hybrid conflict, groups like Void Blizzard are the quiet operatives laying groundwork for geopolitical advantage. It won’t be the last.
Rethinking Russian Influence Operations in the Age of Weaponized Visibility
Earlier this month, Sweden’s Psychological Defence Agency and Lund University released Beyond Operation Doppelgänger, a 200-page deep dive into the capabilities of Russia’s Social Design Agency (SDA). While most public reporting has focused on the now-infamous mirror sites used to spread fake news, this report makes a clear case that those cloned websites were just one piece of a much broader, and more enduring, strategy.
According to the authors, SDA isn’t some freelance influence shop. It’s part of a well-funded, Kremlin-directed propaganda network that merges digital marketing tactics with political messaging, psychological ops, and elements of classic espionage. This ecosystem is not designed to convince people of a particular narrative. It’s built to persist, to stay present, and to dominate the conversation. Success isn’t measured by belief, it’s measured by visibility.
What the Report Really Tells Us
Doppelgänger was not the operation, it was a delivery method
Those cloned news sites? One tactic among many. The report makes it clear that SDA’s influence work goes far beyond any one campaign. Doppelgänger was part of a series of coordinated “counter-campaigns” aimed at Europe, Ukraine, the United States, and beyond.
SDA uses attention, not persuasion, to justify effectiveness
The goal isn’t to get people to agree, it’s to make sure Russian messaging shows up in the conversation. If a piece of content gets fact-checked, reported on, or criticized, that’s considered a win. The more visibility these campaigns get, the more SDA is rewarded by its Kremlin backers.
The leaks could have been deliberate
One of the more provocative angles in the report is the suggestion that some of the leaked SDA documents might have been released on purpose. Whether the goal was to overload researchers, build internal prestige, or tie up resources while new infrastructure was being built, the leak may have been a calculated move.
Narratives are interchangeable, presence is the goal
SDA isn’t wedded to any particular storyline. The messages are interchangeable. If a campaign, whether it’s a meme, a bot swarm, or a fake news drop, gets traction, it’s scaled up. If it doesn’t, it’s dropped. The point is to flood the zone, not to persuade.
Some Questions Worth Asking
This report calls into question a lot of our assumptions about what influence operations are trying to do—and how we should be responding. A few questions that come to mind:
If visibility is the goal, not the risk, how do defenders responsibly counter disinformation without amplifying it?
Are we unintentionally helping adversaries by publicizing their operations too effectively?
Where is the line between countering propaganda and participating in its feedback loop?
Are our current frameworks designed to deal with long-term influence ecosystems or only isolated events?
Are we seeing the emergence of a disinformation-industrial complex, where performance metrics and funding cycles shape how propaganda is created and sustained?
Beyond Operation Doppelgänger doesn’t just describe a disinformation campaign, it maps out a system that adapts, exploits visibility, and treats media attention, sanctions, and cyber takedowns as signals of progress.
It’s not about changing minds. It’s about owning space…