Google's threat analysts say Russia's sprawling online influence operation, retooled over four years of war in Ukraine, is now turning that machinery back toward the wider West. In new research, the Google Threat Intelligence Group (GTIG) describes a pro-Russia "influence ecosystem" that has grown more capable, more coordinated, and increasingly reliant on generative AI.
The shift matters because it signals a change in aim. Since 2022 the bulk of this activity served Russia's frontline goals in Ukraine. GTIG's analysts, James Sadowski and Alden Wahlstrom, assess that the ecosystem is now pivoting back to Moscow's pre-war priorities, with the European Union, NATO and the United States moving back into the crosshairs, and they judge that influence activity against those targets is likely to intensify.
What the "ecosystem" actually is
Rather than a single agency, GTIG describes an interconnected web of state media, covert operations and nominally independent actors that the Kremlin curates to blend overt, covert and deniable activity. The researchers trace it to Soviet-era "active measures" updated for the internet age, and note that its tangled, overlapping structure makes it resilient: knocking out one piece rarely disrupts the whole. The team also documents a revival of pro-Russia hacktivism at what it calls unprecedented scale: loose, deniable crews that deface sites and run denial-of-service attacks under patriotic banners.
Generative AI enters the workflow
One of the clearest trends in the report is the growing use of generative AI for planning, research and content creation across these operations. That lowers the cost and raises the volume of believable propaganda, and it fits a broader pattern IntelFusions has tracked of Russian operators folding AI into their tradecraft, including APT28's move to disposable malware and AI-driven tooling.
Why defenders should care
GTIG frames the war in Ukraine as a feedback loop that let Russia refine techniques it will reuse globally, from targeting elections and the Olympics to amplifying divisions inside Western alliances. For network defenders and trust-and-safety teams, the takeaway is that information operations and intrusion activity increasingly travel together; the same ecosystem that pushes narratives also feeds and benefits from cyber operations. US agencies recently underscored the cyber side of that threat when they warned that Russian intelligence is still phishing popular messaging apps.
Because the ecosystem is decentralized and self-sustaining, GTIG cautions that piecemeal takedowns will not blunt it; defenders need to map how its parts reinforce one another to mount an effective response.