Russian Grey Zone activities, APT Groups - Timelines and Capabilities

A historical overview of Russian advanced persistent threat groups, their capabilities, timeline

Russian Grey Zone Activities: Russian grey zone activities refer to a range of state-sponsored activities that fall below the threshold of traditional military conflict but aim to achieve strategic objectives through covert or ambiguous means. These activities often include cyber operations, disinformation campaigns, influence operations, economic coercion, and proxy warfare. They exploit vulnerabilities, sow discord, and gain leverage over targeted countries without directly engaging in open conflict.

Advanced Persistent Threats (APTs) Associated with Russia: Several APT groups have been associated with Russia in cyber operations. These groups operate with the support or direction of Russian state-sponsored entities. Notable APT groups associated with Russia include APT28 (Fancy Bear), APT29 (Cozy Bear), SandWorm Team, and PawnStorm. These groups have been involved in various cyber campaigns targeting governments, military organizations, critical infrastructure, political entities, and other sectors.

APTs Associated with Russia and Their Capabilities:

  1. APT28 (Fancy Bear): APT28 is known for its sophisticated cyber operations, including spear-phishing campaigns, zero-day exploits, and the use of custom malware. APT28 is known forcyber espionage activities targeting governments, military organizations, political entities, and think tanks. APT28 has strong ties to Russian intelligence agencies.
  2. APT29 (Cozy Bear): APT29 is another APT group associated with Russia. It has been involved in cyber espionage campaigns targeting governments, diplomatic entities, defense contractors, and research institutions. APT29 is known for its stealthy techniques, including the use of zero-day exploits and advanced malware.
  3. SandWorm Team: SandWorm Team is associated with Russia and has been implicated in various cyber campaigns, including disruptive attacks targeting critical infrastructure. Notable incidents attributed to SandWorm Team include the NotPetya ransomware attack, which caused widespread disruption globally.
  4. PawnStorm: PawnStorm is an APT group associated with Russia that has targeted governments, military organizations, media outlets, political entities, and defense contractors. It has been involved in cyber espionage campaigns, influence operations, and disinformation campaigns.

Timeline of Significant Events: The timeline of significant events associated with Russian cyber operations is vast and constantly evolving. Here are a few notable incidents (non-inclusive) we cover in the training:

  • 2007: Estonia cyberattacks: Following a political dispute between Estonia and Russia, a series of DDoS attacks targeted Estonian government websites and critical infrastructure.
  • 2008: Georgia cyberattacks: During the Russia-Georgia conflict, cyber operations targeted Georgian government and media websites.
  • 2014: Cyber operations during the annexation of Crimea: Around the time of Russia's annexation of Crimea, cyber operations targeted Ukrainian government institutions and critical infrastructure.
  • 2015-2016: DNC hack and U.S. election interference: APT28 and APT29 executed cyber intrusions into the Democratic National Committee (DNC) networks, resulting in the release of sensitive information. These incidents were part of broader Russian efforts to interfere in the 2016 U.S. presidential election.
  • 2017: NotPetya ransomware attack: SandWorm Team conducted the massive NotPetya ransomware attack, which affected organizations globally, primarily in Ukraine but with significant collateral damage worldwide.
  • Ongoing: Targeted cyber espionage and influence operations: APT groups associated with Russia continue to engage in targeted cyber espionage campaigns, disinformation efforts, and influence operations, with varying targets and objectives.


Your Instructor


Treadstone 71
Treadstone 71

Treadstone 71 is a woman and veteran-owned small business exclusively focused on cyber and threat intelligence consulting, services, and training. We are a pure-play intelligence shop.

Training dates and locations here

Since 2002, Treadstone 71 delivers intelligence training, strategic, operational, and tactical intelligence consulting, and research. We provide a seamless extension of your organization efficiently and effectively moving your organization to cyber intelligence program maturity. Our training, established in 2008, follows intelligence community standards as applied to the ever-changing threat environment delivering forecasts and estimates as intelligence intends. From baseline research to adversary targeted advisories and dossiers, Treadstone 71 products align with your intelligence requirements. We do not follow the create once and deliver many model. We contextually tie our products to your needs. Intelligence is our only business.

  • We use intuition, structured techniques, and years of experience.
  • We supply intelligence based on clearly defined requirements.
  • We do not assign five people to do a job only one with experience.
  • We do not bid base bones only to change order you to overspending.
We do not promise what we cannot deliver. We have walked in your shoes. We understand your pressures.

We are known for our ability to:

  • Anticipate key target or threat activities that are likely to prompt a leadership decision.
  • Aid in coordinating, validating, and managing collection requirements, plans, and activities.
  • Monitor and report changes in threat dispositions, activities, tactics, capabilities, objectives as related to designated cyber operations warning problem sets.
  • Produce timely, fused, all-source cyber operations intelligence and indications and warnings intelligence products (e.g., threat assessments, briefings, intelligence studies, country studies).
  • Provide intelligence analysis and support to designated exercises, planning activities, and time-sensitive operations.
  • Develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or no precedent exists.
  • Recognize and mitigate deception in reporting and analysis.
    Assess intelligence, recommend targets to support operational objectives.
  • Assess target vulnerabilities and capabilities to determine a course of action.
  • Assist in the development of priority information requirements.
  • Enable synchronization of intelligence support plans across the supply chain.
  • ...and Review and understand organizational leadership objectives and planning guidance non-inclusively.

Course Curriculum


  Russian Grey Zone activities, APT Groups, capabilities, and associated timelines
Available in days
days after you enroll

Frequently Asked Questions


When does the course start and finish?
The course starts when you enroll. Timeframe to complete the course depends on the number of lectures, assignments, and student availability. Meaning, we are flexible.

Get started now!