The Blurring Lines Between Financially Motivated Attacks and Nation-State Cyber Operations

By
Jonathan Haldarov
June 16, 2025

https://profero.io/blog/the-blurring-lines-between-financially-motivated-attacks-and-nation-state-cyber-operations

Since the outset of the Russia-Ukraine war in early 2022, our Incident Response Team at Profero has been engaged in multiple investigations involving Russian threat actors across Europe, ranging from ransomware intrusions to credential theft.
Over the past 12 months Western Europe has seen a marked surge in both the volume and sophistication of incidents targeting organisations of every size.
Many of these attacks were attributed to notorious Russian ransomware groups that have been pushed out of their formerly apolitical posture.

For companies in Europe and beyond, this convergence of profit-driven attacks and state-endorsed hacking presents a dual-threat scenario unlike anything seen in the past.
The key insight is clear: the lines between financially motivated attacks and nation-state operations have blurred, and every organization must be prepared for threats that blend both worlds.
By highlighting the patterns we have been observing, and the proactive steps that have delivered measurable resilience for our clients, we hope to help peers across the region harden their environments before the next wave strikes.

Lessons From The Russia–Ukraine War

The Russia–Ukraine war has provided stark examples of how cyber warfare is leveraged alongside traditional military force, a strategy often termed “hybrid warfare.”
One of the most dramatic cases was the cyberattack on satellite communications provider Viasat at the very start of the war.
Just hours before the February 24, 2022 invasion, Russian military hackers breached Viasat’s satellite network, which was used by Ukraine’s military and countless civilians across Europe. The attackers exploited compromised VPN credentials to access the network control systems in Italy.
Once in, they deployed destructive malware that wiped the modems of around 40,000 users, rendering them inoperable.

The result was a massive loss of communications in Ukraine right as the war began. This attack crippled command-and-control channels and even knocked internet service offline for other European customers of Viasat.
It was a coordinated operation intended to pave the way for the physical invasion.

Another powerful example came later, highlighting the synchronization of cyberattacks with kinetic strikes. In October 2022, as Russian missiles rained down on Ukraine’s power grid, Russian state-linked hackers known as Sandworm launched a parallel cyberattack on a Ukrainian electrical substation.
The attackers tripped circuit breakers to cause a blackout at the same moment missiles hit, magnifying the overall damage to the grid. They then deployed wiper malware on the facility’s computers to erase evidence of their break-in.
This synchronized cyber-physical attack, confirmed by Ukraine’s security service and documented by researchers, is a rare feat of cyber warfare, one that only a few nations are capable of achieving.
The incident demonstrates the advanced cyber capabilities Russia wields against critical infrastructure and the willingness to use them in coordination with military objectives.
For European nations, it raises concern that similar tactics could be used against NATO countries or allies in a future escalation.


From Profit to Proxy

Today’s Russian ransomware groups wear two hats: one as profit-seeking attackers and another as self-declared patriots or covert instruments of state interests.
Traditionally, many Russian ransomware groups operated under an unspoken rule: don’t target Russian or friendly territories, and in return enjoy safe harbor from law enforcement. This “benign neglect” fostered a thriving cybercriminal ecosystem within Russia.
However, the Ukraine war has tested these boundaries, revealing how quickly financially motivated actors can pivot when geopolitics come into play.
A notable example came right as the war began. The Conti ransomware group publicly announced support for the Russian government as the invasion of Ukraine unfolded. In a leaked February 2022 declaration on their site, Conti threatened to retaliate against any adversary launching cyberattacks against Russia.

Almost immediately, this stance backfired internally: Ukrainian members of Conti leaked months’ worth of the gang’s internal chats, exposing their operations. Yet, those leaks also inadvertently confirmed what many had suspected: Conti’s leadership had previously discussed targeting entities “against the Russian Federation” and saw themselves as Russian “patriots.” In other words, the seeds of dual-purpose motivation were already present, and the war simply brought them into the open.


Stolen Credentials and Info-Stealer Malware

While ransomware attacks have been one side of the coin, a quieter but equally dangerous trend has been unfolding in the shadows: the explosion of information-stealing malware and the Russian dark web marketplaces that trade in stolen data.
Over the past few years, and accelerating during the Russia–Ukraine war, threat actors have increasingly turned to infostealers as a quick, scalable way to collect user credentials, system data, and more.
For companies, this is a crucial trend to understand because it’s fueling a vast underground economy of compromised access that both hackers and state actors can draw upon.

What are infostealers? Stealers are a class of malware designed to grab passwords saved in browsers, saved emails, cookies and session tokens (which can bypass logins), auto-fill data, system information, and even cryptocurrency wallets in a matter of seconds. Notable examples include malware like RedLine, Raccoon, Vidar, and Agent Tesla, though dozens of variants exist.

These tools are cheap to buy, easy to deploy (often spread via phishing emails or trojanized software downloads), and hard to detect before they do their job and self-destruct.
The stolen logs are pure gold on the Russian dark web. Each log typically contains a victim’s entire collection of saved passwords, a list of running programs, browser cookies, and snapshots of the system environment.
These logs are then put up for sale on underground marketplaces.

Instead of spending weeks crafting a zero-day exploit to break into a company, a hacker can spend $5 on a stolen log that might already contain valid VPN credentials for that company’s network.
It’s disturbingly trivial: a would-be intruder can filter millions of stolen logs by criteria like company domain, geography, or even specific applications, then simply “add to cart” the log that fits their intended target.
Some marketplaces provide search filters for particular email domains or corporate services, allowing attackers to pinpoint an employee’s credentials at a specific organization.
In other words, an attacker could literally search for “@yourcompany.com” in a database of stolen logins and find employees’ passwords to purchase.
This means that even small organizations are not hidden in the noise; if your users get infected by an infostealer, your company’s credentials could be neatly indexed and sold within hours.


Strategic Takeaways

Security teams should recalibrate their strategies to ensure both classic attacks and the added geopolitical dimension are taken into account.
Here are key takeaways and recommendations for security teams navigating these challenges:

  • Stay informed about not just ordinary attacks but also geopolitical developments. Understand which threat groups are active, what their motivations are, and whether any have made statements or moves that could put your sector or region in their sights.
    Ensure your threat intelligence feeds track Russian ransomware and hacker forums for chatter related to your industry or country.
  • Given the surge in infostealer activity, assume that some percentage of your employees’ credentials are either already exposed or could be at any time.
    Mitigate this by enforcing strong authentication measures, implementing multi-factor authentication (MFA) everywhere feasible (and considering phasing in phishing-resistant methods like FIDO2 security keys for especially sensitive accounts).
  • Speed matters if credentials do get stolen. It’s wise to invest in dark web monitoring specifically for your organization’s credentials.
    For example, Profero’s credential breach monitoring platform provides visibility into stolen credentials by continuously tracking stealer-log dumps on Russian darknet forums and alerting the organization when their usernames, passwords, or other identity data surface, giving your security team a chance to quickly reset compromised accounts and investigate related threats before attackers leverage those credentials.
  • When handling an incident, keep an open mind that you might be dealing with more than just one type of threat. A ransomware infection might be accompanied by data exfiltration aimed at espionage, or a seemingly low-level malware alert could be cover for a nation-state foothold. Develop incident response playbooks that consider dual-purpose scenarios.
    This means, for example, if you suffer a ransomware attack from a known Russian-based group, involve your threat intel team to look for any signs of broader espionage (such as unusual data access patterns before the ransomware detonates).
    Conversely, if you detect a breach and suspect nation-state motives, be prepared that a criminal element (like a ransom demand or destructive action) could still emerge.
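The credential-exposure and dual-purpose takeaways above both come down to acting quickly and correctly once an alert arrives. The following is an added example, not Profero's platform code: it triages constructed stealer-log alert records for an organisation, matching them the way the marketplaces index logs (by email domain or by corporate service), and decides per account whether to force a password reset and whether to revoke live sessions, since exposed session cookies sidestep MFA. The domain, VPN portal name and record fields are assumed.

```python
from dataclasses import dataclass
from datetime import datetime

ORG_DOMAINS = {"yourcompany.com"}        # domains the organisation owns (assumed)
VPN_PORTALS = {"vpn.yourcompany.com"}    # services whose exposure is urgent (assumed)
RANK = {"high": 0, "medium": 1, "low": 2}
# Constructed sample of what a stealer-log monitoring feed might deliver.
FEED = [
    {"email": "alice@yourcompany.com", "service": "vpn.yourcompany.com",
     "seen": "2025-06-10T08:00:00", "session_cookies": False},
    {"email": "Alice@YourCompany.com", "service": "mail.yourcompany.com",
     "seen": "2025-06-11T09:30:00", "session_cookies": True},
    {"email": "bob@contractor.example", "service": "vpn.yourcompany.com",
     "seen": "2025-06-11T10:00:00", "session_cookies": False},
    {"email": "carol@yourcompany.com", "service": "crm.example.net",
     "seen": "2024-01-01T00:00:00", "session_cookies": False},
]

@dataclass
class Action:
    account: str
    reset_password: bool
    revoke_sessions: bool
    priority: str

def relevant(rec):
    # Match the way marketplaces index logs: by our email domain or our services.
    email = rec["email"].strip().lower()
    return email.rsplit("@", 1)[-1] in ORG_DOMAINS or rec["service"].lower() in VPN_PORTALS

def triage(feed, now_iso, stale_days=90):
    """Collapse feed records per account and decide the response for each."""
    now, actions = datetime.fromisoformat(now_iso), {}
    for rec in filter(relevant, feed):
        account = rec["email"].strip().lower()
        seen = datetime.fromisoformat(rec["seen"])
        act = actions.setdefault(account, Action(account, True, False, "low"))
        # Stolen cookies replay a logged-in session and bypass MFA: a reset is not enough.
        if rec["session_cookies"]:
            act.revoke_sessions = True
        if (now - seen).days > stale_days:
            level = "low"        # old log: still reset, but lower urgency
        elif rec["service"].lower() in VPN_PORTALS or rec["session_cookies"]:
            level = "high"
        else:
            level = "medium"
        if RANK[level] < RANK[act.priority]:
            act.priority = level
    return sorted(actions.values(), key=lambda a: (RANK[a.priority], a.account))
```

Note that the contractor account is included because it appears on the organisation's VPN portal, even though its email domain is external.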


Conclusion

Russia has invested heavily in both its state hacking units and in cultivating an ecosystem of threat actor talent. In turn, Western governments and the cybersecurity industry are upping their game to counter these threats.
Russian threat actors continually evolve their tactics: ransomware groups rebrand and refine their malware, infostealer tools proliferate, and spear-phishing and supply-chain attacks remain dangers. We’ve seen Russian-based attackers adapt by using more sophisticated phishing lures, zero-day exploits, or by exploiting the vast troves of leaked credentials available. The dark web marketplaces themselves operate like businesses, with competition and innovation in malware offerings.
For European companies, the arms race isn’t abstract: it translates into day-to-day security challenges. A midsize company in France or Germany might suddenly find itself the victim of a zero-day exploit developed by a state-backed hacker. The speed at which threats evolve means that yesterday’s best practices might not suffice tomorrow. For example, as multi-factor authentication and password managers become common, threat actors respond by stealing session cookies or hijacking authenticated sessions.
For companies in Europe and around the world, this means rethinking assumptions. An attack may not fit neatly into the “ransom” box or “nation-state” box anymore; it could be both. Security strategies and investments should reflect this reality by covering the full spectrum of threats, from ransomware extortion to credential theft and espionage.
On the positive side, being aware of these trends is half the battle. By hardening identity security, monitoring for breach indicators (both on your networks and on the dark web), and planning for the worst-case scenarios, security teams can greatly reduce the risk of falling victim to these attacks.
