Russia’s Cyber Firms Are Getting Rich During War

Published by The Lawfare Institute
Ahead of his Alaska meeting with Russian President Vladimir Putin, President Trump threatened “severe consequences” for Russia if it did not stop its violence in Ukraine. More than three years into Russia’s full-scale war, however, one pillar of the Kremlin’s power has evaded its share of consequences: Russia’s cyber industry.
Russia has been home to competitive, innovative cybersecurity companies for decades. Many of these companies provide products and services to the state, ranging from defensive firewalls to specialized trainings to offensive hacking capabilities. (While the energy sector makes up a significant portion of Russia’s gross domestic product, the strategic importance of several other industries—private military companies for projecting power; cyber firms for blocking foreign hacks and facilitating offensive operations—shows that Russia is far more than, as some reductively quip, a “gas station with nukes.”) But despite the waves of sanctions put on Russia since February 2022, these firms’ closeness to the regime, and Russia’s growing technological isolation, some of Russia’s top cyber firms made more money in 2024 than ever before.
Plenty of Russian cyber firms—even sanctioned intelligence contractors—are continuing to build commercial products during war, illicitly access Western software, and land deals in the likes of Latin America, the Middle East, and the Asia-Pacific. Their profits and adaptation during war are striking. The success of these firms underscores some of the biggest cracks in Western efforts to technologically isolate Russia—and requires American policymakers to rethink their “trusted vendor” approach to global cybersecurity.
Russia’s technology sector might not rival its Chinese peer in economic scale, technological breadth, or hardware manufacturing (where Russia’s capacity is dismal). Yet some of the world’s most competitive, innovative cybersecurity firms came from Russia. Kaspersky was founded in 1997, opened its first international office in the United Kingdom in 1999, and built its antivirus software for pocket computers in 2001. By 2003, it had opened offices in Japan, Germany, France, Spain, Italy, and China. While less widely known than Kaspersky, plenty of other cyber companies, such as Positive Technologies and Security Code, cropped up in the ensuing years, offering network security, penetration testing, and other services to a growing market.
As the industry grew, many companies serviced public and private customers in Russia and abroad. They held global conventions, hired global talent, and worked with Western law enforcement. Some companies had little to no engagement with the state, even as they remained susceptible to its influence and coercion. Other firms, meanwhile, contracted and partnered with the Russian government to support offensive operations, identify vulnerabilities and exploits, provide defensive products and services, and train and educate future generations of the cyber workforce. Media reports that Kaspersky aided cyber espionage by the Federal Security Service (FSB)—allowing the FSB to pull files from computers running Kaspersky antivirus—are a prime example of such offensive support.
In the lead-up to and aftermath of Russia’s full-scale invasion of Ukraine, the U.S. designated and tried to isolate plenty of these firms. The U.S. government sanctioned Positive Technologies for supporting FSB offensive operations and helping the security organs recruit hackers. It banned almost all Kaspersky products and services from being sold in the U.S. and sanctioned some of the company’s leadership. And it sanctioned Security Code for providing defensive technologies to the Russian military and national police—as well as sanctioning companies like Sinto for providing infrastructure for Russian cyber intelligence operations. At the same time, the U.S. government kept pursuing something of a companion effort to boost international support for the idea of “trusted vendors,” or tech companies whose headquarters in democratic countries make them less susceptible to coercion than those based in authoritarian states (for example, Kaspersky in Russia).
Yet some of Russia’s top cyber firms made more money in 2024 than ever before. Kaspersky, Security Code, and Positive Technologies hit lifetime revenue highs. Security Code made much of its money contracting for Russian “critical information infrastructure” entities. Kaspersky opened its 13th global “transparency center,” this time in Colombia, enticing visitors to allegedly learn about internal security controls and audit product source code, and sold twice as much of its endpoint security product as the year prior. Positive Technologies more than tripled its profits in 2022, grew attendance at its annual conference (which the intelligence services use to recruit hackers), and even poached engineers when Cisco shut down its Moscow office.
Despite U.S. efforts, Russian cyber firms have adapted remarkably well. On the domestic front, companies upped their nationalistic rhetoric to appeal to the state, talked about “cyber war” to land government contracts, and pivoted their businesses to meet the growing cyber threats to Russian systems. Plenty of firms also decided to shadow install Western software—quietly using state-banned products in lieu of broken or nonexistent alternatives. In all cases, companies are navigating the confines of the Russian political system, in the current moment, to survive or even grow. Some companies’ nationalism and talk of “cyber war” is genuinely pro-Putin, driven by executives committed to the full-scale war in Ukraine. Other companies make such remarks out of political savvy—aligning themselves with the Kremlin’s increasingly militarized worldview to boost revenues. And all around, companies know that legal mandates to not use this or that Western product are unworkable when their business functions would break without it.
Overseas, Russia’s top cyber companies have sold more products and services across Latin America, the Middle East, and the Asia-Pacific. In some countries, such as India, customers may sympathize with the Putin regime—or simply ignore that a company reportedly supports FSB espionage. Kaspersky’s growing transparency center network, intended to convince new customers that its products can be trusted, underscores this point. In other cases, Russian cyber firms like Positive Technologies make a compelling sales pitch: Don’t forgo American, Chinese, or Israeli cyber providers; rather, add a Russian vendor into the mix. Diversify your risk, and don’t put all your eggs in one country’s basket.
This adaptation poses multiple risks for the United States. Russian cybersecurity companies that help defend the Russian military against Ukrainian and other cyber operations are financially thriving. So are contractors that help the Russian government carry out open-source intelligence on prospective cyber targets, teach schoolchildren and military cadets to hack, and support the security services’ offensive activities. The more the companies grow, the better they can advance Russian objectives that undermine U.S. and Western security.
Broadly, the Russian cyber industry’s success also makes the U.S. “trusted vendor” approach to global cybersecurity much more uncertain. The idea behind trusted vendors is a good one—that companies in the U.S. and its allies and partners build more secure technologies than companies in authoritarian adversaries, due to technical design differences and the democratic surveillance laws they operate under. As such, the logic goes, the U.S. should prioritize and promote those technologies around the world compared to, say, products from Chinese telecom Huawei or Russia’s Kaspersky, which are prone to authoritarian surveillance demands and rampant state coercion. Ideally, more countries buy the trusted products and services, and they pose fewer risks to the U.S. and its allies and partners when deployed—a win-win.
But as demonstrated by Russia’s cyber industry growth, plenty of countries will not instinctively distrust a tech product from a U.S. adversary country. They may feel agnostic about it; they may look at the price (such as in ever-declining rubles) and find it more competitive or practical given their budgets compared to, say, Estonian or Japanese products; or they may actively distrust the United States, finding greater calm in the idea of diversifying their risk across Russian and other cyber providers. Sanctions designations, clearly, are not enough to slow cyber companies that hustle in emerging markets and proudly put FSB logos on their marketing materials.
American policymakers should focus on making more Western businesses aware of where Russian state cyber contractors may be unknowingly sitting in their supply chains, such as in cyber threat-sharing groups or downstream in a vendor’s network. They should consider how measures beyond sanctions could attempt to slow the innovations of Russia’s most innovative cyber intelligence contractors—such as by exploring the Department of Commerce’s new ICTS supply chain security powers to limit their tech access. And as policymakers pursue trusted vendor efforts to counter Russia, China, and other adversaries, they should choose explanation over assumption to clearly and effectively articulate the rationale for avoiding risky tech companies.
Because if Kaspersky was banned in the U.S. last year but closed out 2024 richer than ever, the West clearly isn’t getting it right.