Russian State Cyber Ops Are Reshaping Cyber Underwriting

APT28, APT29, and APT44 operate undetected for 277+ days, driving $20–100M losses that demand new underwriting models for state-sponsored risk.

APT28, APT29, and APT44 operate undetected for 277+ days, driving $20–100M losses that demand new underwriting models for state-sponsored risk.

The New Shape of Russian State-Sponsored Cyber Operations

On 8 March 2025, threat intelligence teams released a consolidated update on Russian state-backed cyber activity, drawing on telemetry from Mandiant, Microsoft, the UK’s NCSC, the NSA, and CISA. The picture that emerges is not a single campaign but a coordinated, multi-actor operation spanning espionage, sabotage, influence, and pre-positioning for future disruption. For cyber insurers, underwriters, and corporate security leaders, the report signals a structural shift in the threat landscape that directly affects loss expectations, coverage design, and risk selection. Russian state actors are no longer opportunistic visitors in Western networks. They are persistent residents, and the question for risk-bearing organisations is no longer whether they are present, but what they have already done.

Why This Matters for Cyber Insurance

State-sponsored intrusions behave very differently from financially motivated ransomware on a claims ledger. Russian GRU-linked groups such as APT44 (Sandworm) and APT28 (Fancy Bear) do not always detonate destructive payloads. APT29, attributed to the SVR, has been documented operating inside compromised networks for 14 months or more before detection, as seen in the SolarWinds intrusion of 2019–2021 and follow-on activity against Microsoft 365 tenants in 2023–2024. The economic damage is therefore not always a single event loss. It accumulates as data exfiltration, intellectual property theft, regulatory exposure, and remediation cost.

For underwriters, three figures matter. First, the 2024 IBM Cost of a Data Breach report placed the global average breach at USD 4.88 million, but state-attributed incidents involving large enterprises routinely clear USD 20–100 million once remediation, legal, and reputational costs are tallied. Second, dwell time for state actors averages 277 days according to Mandiant’s 2024 M-Trends report, more than double the median for criminal groups. Third, the proportion of breaches attributed to nation-state actors rose to 15 percent of investigated incidents in Mandiant’s 2024 dataset, up from 9 percent in 2020. Each of these data points pushes the loss curve upward, particularly for long-tail, multi-year policy structures.

The Actor Landscape: Who Is Who in 2025

The March 2025 report consolidates attribution across at least five distinct Russian state-backed clusters, each with a different operational mandate.

APT44 (Sandworm, GRU Unit 74455) remains the primary destructive actor. Its 2022 Industroyer2 deployment against Ukrainian energy infrastructure and the 2017 NotPetya campaign, which produced an estimated USD 10 billion in global insured and uninsured losses according to the US Department of Justice, set the template. In 2024, APT44 was observed targeting operational technology in European water utilities and logistics providers, often via initial access from third-party IT service providers.

APT28 (Fancy Bear, GRU Unit 26165) concentrates on credential harvesting, particularly against government, defence, and aerospace supply chains. Recent reporting has linked APT28 to the exploitation of edge devices including Outlook, Citrix NetScaler, and Fortinet appliances, with median patch-to-exploitation windows measured in days rather than weeks.

APT29 (Cozy Bear, SVR) is the espionage specialist. Its 2024 operations, including the abuse of Microsoft device code authentication flows, gave it access to high-value diplomatic, pharmaceutical, and research targets without traditional malware deployment. For insurers evaluating the residual risk on technology E&O and media policies, APT29 is the actor most likely to trigger litigation around duty-of-care, given its preference for legitimate credentials and built-in tooling.

UNC2589 is the cluster most associated with destructive and disruptive activity inside North Atlantic Treaty Organisation member states. Its 2024 campaigns have included distributed denial-of-service against financial services, wiper attacks against municipal government networks in the Baltics, and credential theft campaigns aimed at managed service providers.

A fifth cluster, the so-called “graveyards” or dump-leak actors, releases stolen data to influence operations, complicating the difference between espionage and information warfare from a coverage standpoint.

Attack Patterns and Technical Tradecraft in Business Terms

State actors optimise for stealth, scale, and strategic effect, not speed of monetisation. Three patterns are worth tracking for risk engineers.

Living-off-the-land and identity abuse. APT29 and APT28 increasingly rely on stolen credentials, OAuth tokens, and cloud console access rather than custom malware. For an underwriter, this means that EDR-centric application forms and signature-based detection scores tell a partial story. Controls on identity governance, conditional access, and MFA fatigue training carry comparable weight.

Edge-device exploitation. Russian groups target perimeter appliances because they are rarely covered by EDR and frequently skipped during patch cycles. The 2023–2024 wave of exploitation against Citrix NetScaler and Fortinet gateways gave initial access to dozens of organisations before vendors issued advisories. For a broker, an applicant’s exposure here often sits with a small IT team that does not own the appliance lifecycle.

Supply chain and managed service provider compromise. This is the pattern with the highest loss amplification. The 2020 SolarWinds incident reached roughly 18,000 downstream customers through a single tampered update. More recent activity against MSP RMM tools and Salesforce/CRM integrations in 2024 demonstrates that the threat actor’s return on investment sits with the platform, not the individual tenant. Cyber underwriters pricing an SMB book or a portfolio with concentration in technology, legal, or accounting professional services should treat vendor concentration as a multiplier, not a checkbox.

Coverage and Underwriting Implications

The 2025 intelligence picture has at least four practical consequences for policy design and risk selection.

Exclusion clarity. War exclusions, whether drafted under the Lloyd’s Market Association LMA5400 language or equivalent war and cyber operations exclusions, are now being tested in real claims. The 2022 Mondelez v. Zurich litigation, which centred on whether NotPetya constituted a warlike action, remains unresolved in many jurisdictions. Brokers should be able to articulate to clients which wording their policy carries and how attribution is determined when a state actor is involved. The recent move by some carriers to remove ambiguous language in favour of named-actor or kinetic-attack triggers is a meaningful shift, and broker scorecards should track it explicitly.

Sublimits and waiting periods. Long dwell times mean that the moment of “event” or “discovery” can differ by twelve months or more. Policies that trigger on discovery rather than occurrence, and that include a 24-month extended reporting period for state-attributed losses, materially reduce coverage dispute risk. Underwriters who push for 12-hour waiting periods on forensic retainer should be willing to extend discovery windows for monitored environments.

Attestation and active monitoring. State actors prefer networks with low visibility. Underwriting questions that ask whether applicants have 24/7 SOC coverage, EDR on 90 percent of endpoints, and MFA on all internet-facing systems, including service accounts, are no longer table stakes; they are the floor. Risk engineers should be able to evidence the difference in loss ratios between accounts that pass these tests and those that do not.

Vendor and concentration risk. A small cluster of MSPs and software platforms accounts for a disproportionate share of state-actor initial access. Brokers assembling submissions for SMB books should consider asking applicants to disclose their top five technology vendors and any prior notifications of supply chain compromise in the last 36 months. This is a faster proxy for actual exposure than a self-completed questionnaire.

Underwriters can model these factors using structured FAIR-based cyber risk reports, which translate threat actor behaviour into annualised loss expectancy and scenario frequency. When APT44’s prior loss record against operational technology is fed into a FAIR model, the loss expectancy for a manufacturing policyholder with European exposure typically doubles compared to a baseline criminal-ransomware scenario. That is the kind of figure that justifies both a higher premium and a more substantive conversation with the insured.

Actionable Recommendations

For CISOs and risk engineers, four steps follow directly from the March 2025 report.

First, prioritise identity and edge-device hardening. Mandiant’s data shows that 75 percent of state-actor intrusions in 2024 involved credential abuse at some stage. Phishing-resistant MFA, conditional access policies, and a 72-hour service-level agreement for patching critical CVEs on internet-facing appliances are the highest-yield controls.

Second, monitor the supply chain. Track the top five vendors by data volume and ensure contractual notification rights exist for any suspected state-actor compromise. Add these vendors to a risk register and review their security posture at least quarterly.

Third, rehearse the long-dwell scenario. Tabletop exercises should include a 12-month-old APT29-style intrusion, not a 72-hour ransomware detonation. Tabletop output should drive policy and coverage choices, including cyber insurance limits, sublimits, and the structure of the business interruption indemnity period.

Fourth, support broker and underwriter transparency. Provide threat-informed answers on application forms. Underwriters increasingly reward accounts that can articulate which actors are most relevant to their sector, what compensating controls are in place, and which third parties would have to be breached before a catastrophic loss occurred. The brokers and underwriters who ask the right questions will price risk more accurately, and the accounts that can answer them will receive better coverage terms and capacity.

The Bottom Line

Russian state-sponsored cyber operations in 2025 are a portfolio-level concern, not a sector-specific one. The same actors are routinely observed across financial services, energy, healthcare, government, manufacturing, and professional services. Insurers and brokers who treat state exposure as a niche or political risk will misprice the next cycle. The data points in the March 2025 report, longer dwell times, identity-centric tradecraft, and supply chain reach, are not temporary anomalies. They are the operating environment, and the cyber insurance market that recognises this most clearly will be the one with the most stable loss ratios and the most credible client conversations.

Michael Guiao Michael Guiao gründete Resiliently AI und schreibt Resiliently. Er hat CISM, CCSP, CISA und DPO-Zertifizierungen — aber sie verfallen lassen, denn im Zeitalter von KI ist Wissen billig. Worauf es ankommt, ist Urteilskraft — und die kommt aus acht Jahren Praxis bei Zurich, Sompo, AXA und PwC.

Get the full picture with premium access

In-depth reports, assessment tools, and weekly risk intelligence for cyber professionals.

Starter

€199 /month

Unlimited scans, submission packets, PDF downloads, NIS2/DORA

View Plans →
Best Value

Professional

€490 /month

Full platform — continuous monitoring, API access, white-label reports

Everything in Starter plus professional tools

Upgrade Now →
30-day money-back
Secure via Stripe
Cancel anytime

Free NIS2 Compliance Checklist

Get the free 15-point PDF checklist + NIS2 compliance tips in your inbox.

No spam. Unsubscribe anytime. Privacy Policy

blog.featured

WordPress Plugin Flaw CVE-2023-4213 Exposes 10K+ Sites to Cyber Claims

Cyber Risk ·

6 min read

WordPress Plugin XSS Vulnerability Exposes Cyber Insurance Portfolios to Persistent Web Risks

Cyber Risk ·

5 min read

WordPress Security Plugin Flaw Exposes Organizations to Cyber Claims

Cyber Risk ·

6 min read

WordPress Plugin Flaw Exposes Cyber Insurance Portfolios to SQL Injection Risks

Cyber Risk ·

6 min read

Premium Report

2026 Cyber Risk Landscape Report

24 pages of threat analysis, claims data, and underwriting implications for European cyber insurance.

View Reports →

Verwandte Artikel

Abandoned WordPress Plugin Exposes 12,000+ Sites to Cyber Risk
Cyber Risk · · 5 min read

Abandoned WordPress Plugin Exposes 12,000+ Sites to Cyber Risk

CVE-2023-5336 in iPanorama 360 plugin creates systemic risk for small businesses. SQL injection vulnerability affects unpatched WordPress sites, highlighting third-party component gaps in cyber insurance coverage.

Acronis CVE-2022-46869: How Consumer Software Creates Enterprise Risk
Cyber Risk · · 5 min read

Acronis CVE-2022-46869: How Consumer Software Creates Enterprise Risk

Local privilege escalation vulnerability in Acronis backup software highlights underwriting risks from consumer-grade tools and patch management gaps.

Acronis Privilege Escalation Flaw Exposes Endpoint Security Gaps
Cyber Risk · · 5 min read

Acronis Privilege Escalation Flaw Exposes Endpoint Security Gaps

CVE-2023-41743 highlights critical endpoint protection weaknesses that expand attack surfaces and increase cyber insurance risk exposure for organizations.