Executive Summary
Much of the Western analysis and commentary on Russian cyber threats since Russia’s full-scale invasion of Ukraine in February 2022 has focused on state actors and a handful of cybercriminal groups. Another set of players, however, has a key role in the Russian cyber ecosystem: private sector cybersecurity companies.
The Russian “cyber web” is complex, shifting, and often opaque, encompassing state-encouraged “patriotic hackers,” independent developers, and state-recruited cybercriminal groups, among many other actors. The state does not control every actor, and it could not control every single actor, in all ways, at all moments, even if it wanted to. Entrepreneurialism, competition, and innovation abound in the Russian cyber web, too. Nonetheless, the state can coerce any given actor at any given time, and it can use incentives, procurement contracts, and other mechanisms to shape how actors behave. In this vein, the Russian government can and does draw on a spectrum of actors to assist with offensive, defensive, educational, recruitment, and other cyber-related objectives. The Russian government can use nonstate cyber actors to augment state capabilities, acquire new talent or services for the state, add a veneer of deniability to intelligence operations, and much more. Furthermore, security agencies such as the Federal Security Service (FSB), Foreign Intelligence Service (SVR), and military intelligence agency (GRU) have relationships with nonstate cyber actors that vary in structure and purpose over time.
Private cyber firms in Russia occupy an important role in this ecosystem. Although not every Russian cybersecurity firm is a government contractor, many firms provide services to the state. These services include supporting defensive operations, supplying defensive technologies, providing defense-oriented threat intelligence, identifying vulnerabilities to patch in Russian systems, offering open-source intelligence and reconnaissance services and technologies, identifying vulnerabilities for offensive operations, building exploits for offensive operations, assisting with offensive operations, cultivating talent, building propaganda-guided and national security–themed educational materials, and helping the security services recruit cyber talent. Some of these dynamics are not unique to Russia, such as a private company providing a state agency with firewalls. Other dynamics do stand out, such as the potential for the state to coerce a company, or for a company to support intelligence operations against dissidents or civilian critical infrastructure.
This paper offers case studies on three companies: Kaspersky, Security Code, and Positive Technologies. We analyze their relationships with the Russian government and how their functions tie into the Kremlin’s objectives. Kaspersky is a global company that has been repeatedly accused of quietly supporting Russian government cyber operations, including by allegedly using its antivirus platform to exfiltrate classified and sensitive information from other countries’ systems. Security Code provides what appear to be principally defensive technologies and services to Russian customers, including the FSB, Ministry of Internal Affairs (MVD), Federal Protective Service (FSO), Russian Railways, Gazprom, and Sberbank. It also maintains educational partnerships with public and private institutions in Russia that train the future cyber workforce. Positive Technologies has been identified by the US government and in media reporting as a Russian intelligence contractor that supports offensive operations, reportedly by reverse engineering Western capabilities and turning vulnerabilities into exploits for offensive cyber operations. It also runs Russia’s largest security conference and capture-the-flag hacking competition, an annual event that the FSB and GRU use to recruit highly talented hackers into the intelligence services.
Since February 2022, the three companies have been subject to additional levels of scrutiny, but they have adapted relatively well. Kaspersky went from being banned on US federal government systems to being sanctioned by the United States. It was also banned from providing many cyber products and services to American consumers and businesses, and it was identified by Germany, Poland, and others as a potential national security threat. But it has opened “transparency centers” in Latin America and elsewhere, which, contrary to what some in the West might expect, have paid off greatly for the firm as it has expanded. The company’s marketing pitches seem to be landing well in many parts of the world, whether because of distrust of American technology after the Edward Snowden leaks, well-publicized abuses by Silicon Valley giants, or the mere fact that Kaspersky is a global firm with talented personnel. However, Kaspersky is now providing protections to a notorious Russian “bulletproof” web hosting provider for cybercriminals (that is, a host that ignores abuse complaints and law enforcement takedown requests and shields the identities of its customers), marking a notable departure from its past efforts to portray itself as a trustworthy brand.
Security Code has been sanctioned by Ukraine and the United States but not by the European Union. It has also stayed out of the Western press, perhaps because of its role in Russian cyberdefense rather than the much more headline-grabbing category of cyberoffense. In its 2024 financials, it disclosed that most of its clients are operators of “critical information infrastructure,” a Russian legal term for entities handling information systems, networks, and technologies that are critical to the state’s security. Because that category is defined in Russian law, most of Security Code’s clients presumably reside in Russia. The company’s bottom line appears to be strengthening because of growing demand in Russia for cyberdefense amid the continued war.
Positive Technologies has been marketing itself as a way for entities in other countries to diversify their cybersecurity suppliers. It does not suggest that countries forgo American, Chinese, or Israeli cyber providers; rather, it makes the case for adding a Russian vendor to avoid depending too heavily on any one country for cyberdefenses. In addition, the company has launched new product offerings, and in-person attendance at its flagship conference (the event the FSB and GRU use to recruit personnel) has more than quintupled, from 10,000 in 2022 to 55,000 in 2023, with another 100,000 tuning in online. All three of these companies, despite waves of Western sanctions, export controls, and technology isolation efforts, reported their highest revenue figures ever in 2024.
Some of these firms (and others not covered in this paper) directly support the Russian government’s offensive cyber operations, making them direct security risks for the United States and the West. Other firms may be providing defensive services, such as helping the Russian government and economically critical entities detect and mitigate intrusions from countries such as Ukraine. To understand the security implications of private companies working with the Russian government, we recommend that analysts, practitioners, and policymakers consider three critical questions:
- How can companies better identify Russian providers in supply chains and determine whether they present risks?
- In which regions and markets are Russian cyber firms expanding the most, and what can their sales pitches and successes teach the United States and the West?
- What would a more analytically robust, comprehensive assessment of possible Russian private company support for the Kremlin look like?
Approved for public release: distribution unlimited.
Details
- Pages: 46
- Document Number: DOP-2025-U-042210-Final
- Publication Date: 8/7/2025