
The Russian Cyber Threat in 2026: Escalation, intimidation or misdirection?
CYBER THREAT INTELLIGENCE
Four years into the conflict in Ukraine, Russian cyber operations have evolved from destructive attacks into a sustained campaign of espionage, surveillance, sabotage and influence directed at Ukraine’s allies, suppliers and supporters. LRQA’s specialist threat intelligence team examines what Russia is doing, why it is doing it and what it means for organisations far beyond the battlefield.
Inside the report
- Information confrontation, the Russian M.O.: How Russian doctrine blends technical and psychological operations, why so-called hacktivist groups function as state propaganda outlets and what Russia’s growing desperation means for the threat landscape.
- Russian operations: From battle damage assessment and critical infrastructure espionage to the surveillance of 10,000 compromised IP cameras, a detailed look at how Russian cyber activity now supports military and geopolitical objectives.
- Sabotage, physical and digital: Arson on Olympic rail lines, parcel bombings across Europe and the December 2025 attack on the Polish power grid, and why Russia’s most notable cyber attacks are better understood as influence operations than destruction.
- Critical undersea infrastructure and Viasat: Rising tensions over North Atlantic cables and pipelines, and how the collateral damage of the AcidRain wiper may have shaped Russia’s playbook four years later.
- Actors of concern: Profiles of APT28 and Sandworm, including the PRISMEX campaign, mass router compromises and the overlap between state sponsored operations and financially motivated Russian cybercrime.
- The Persian Gulf conflict: How the March 2026 conflict connects to the war in Ukraine, why battle damage assessment goes both ways and whether Russian influence helped shape events.
- Actor TTPs: A full appendix of the most commonly observed MITRE ATT&CK techniques for Sandworm and APT28, mapped by tactic and technique ID.
