
The U.S. Department of State has announced a reward of up to $10 million for information leading to the identification or location of three officers from Russia’s Federal Security Service (FSB). The individuals, named as Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are accused of conducting long-running cyber campaigns against U.S. critical infrastructure on behalf of the Russian government [1]. This action, administered through the Rewards for Justice program, represents a continued escalation in an established strategy of using high-value bounties to counter state-sponsored cyber threats [2].
Targeted FSB Officers and Their Track Record
The three FSB officers are affiliated with Military Unit 71330, a group tracked by the cybersecurity industry under names including Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team [1]. The U.S. Justice Department initially charged these individuals in March 2022 for campaigns spanning from 2012 to 2017. Their operations targeted sensitive U.S. government agencies, including the Nuclear Regulatory Commission, and numerous energy sector firms [1]. According to a recent FBI warning issued in August 2025, this same unit has been actively exploiting CVE-2018-0171, a critical vulnerability in end-of-life Cisco Smart Install Client software, to gain initial access into organizations across multiple critical infrastructure sectors [1]. This demonstrates a pattern of persistence and adaptation in their tactics.
A Pattern of $10 Million Bounties for Russian Cyber Actors
The bounty on the FSB officers is not an isolated event but part of a consistent U.S. strategy. Since 2023, the State Department has repeatedly utilized the $10 million figure for high-priority Russian cyber threats. In May 2023, a $10 million reward was offered for Mikhail Matveev (aka “Wazawaka”), a ransomware affiliate linked to attacks on the Washington, D.C. Police Department [2]. This was followed by a bounty on Amin Timovich Stigal in June 2024 for conspiring with Russian military intelligence (GRU) to deploy the destructive WhisperGate wiper malware against Ukrainian and U.S. targets [2]. The strategy expanded in October 2024 with a $10 million offer for information on the Russian propaganda outlet Rybar, targeting its role in information warfare aimed at sowing discord in the U.S. [2].
More recent bounties continue this trend. In June 2025, a $10 million reward was announced for information on state hackers linked to the RedLine infostealer and its alleged author, Maxim Alexandrovich Rudometov [2]. In December 2024, a similar bounty was placed on Dmitry Khoroshev, the alleged developer and lead administrator of the LockBit ransomware suite, following an attack on Fulton County, Georgia’s government systems [2]. This pattern establishes a clear price point for actors deemed to pose a high-level threat to U.S. national security, spanning cybercrime, state-sponsored hacking, and influence operations.
Technical Context and Infrastructure Targeting
The recent activities of the FSB’s Military Unit 71330 highlight a continued focus on operational technology (OT) and industrial control systems (ICS). The exploitation of CVE-2018-0171 is particularly concerning because it affects network management protocols in widely deployed Cisco devices that may be difficult to patch or replace in industrial environments. This vulnerability allows an unauthenticated remote attacker to cause a buffer overflow, leading to a reload of the device or potential remote code execution. The group’s choice of this vector indicates a deliberate effort to find and exploit weaknesses in foundational network infrastructure that supports critical services.
For security teams, this underscores the necessity of maintaining rigorous asset management and vulnerability management programs, even for systems considered end-of-life. Network segmentation remains a primary defense mechanism to limit the lateral movement of threat actors who breach perimeter devices. Monitoring for anomalous traffic patterns, especially related to the Cisco Smart Install protocol (TCP port 4786), is advised. The FBI’s detailed warning provides specific indicators of compromise that organizations can use to hunt for related activity within their networks.
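As an added illustration of the TCP port 4786 monitoring advice above (example code written for this page, not taken from the FBI warning or from Cisco), the following sketch flags Smart Install traffic that does not originate from an approved management subnet. The flow-record format, the sample records, and the allowlisted subnet are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SMART_INSTALL_PORT = 4786  # TCP port named in the article
# Assumption: only this management subnet should ever speak Smart Install.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records (hypothetical format):
# "timestamp proto src_ip:port -> dst_ip:port action"
SAMPLE_FLOWS = """\
2025-09-03T10:00:01Z TCP 10.20.0.5:51514 -> 10.30.1.10:4786 ALLOW
2025-09-03T10:00:07Z TCP 198.51.100.23:40112 -> 10.30.1.10:4786 ALLOW
2025-09-03T10:00:09Z TCP 198.51.100.23:40113 -> 10.30.1.11:4786 DENY
2025-09-03T10:01:15Z TCP 10.40.2.77:49822 -> 10.30.1.10:443 ALLOW
2025-09-03T10:02:30Z UDP 203.0.113.9:5353 -> 10.30.1.12:4786 ALLOW
malformed line without the expected fields
"""

def parse_flow(line):
    """Return (proto, src_ip, dst_ip, dst_port, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[2].rsplit(":", 1)[0])
        dst_host, dst_port = parts[4].rsplit(":", 1)
        return parts[1], src, ipaddress.ip_address(dst_host), int(dst_port), parts[5]
    except ValueError:
        return None

def find_unexpected_smi(flow_text, allowed=ALLOWED_SOURCES):
    """Map device IP -> sorted (source, action) pairs for TCP/4786 from non-allowlisted sources."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        proto, src, dst, port, action = rec
        if proto != "TCP" or port != SMART_INSTALL_PORT:
            continue
        if any(src in net for net in allowed):
            continue  # expected management traffic
        hits[str(dst)].add((str(src), action))
    return {dev: sorted(pairs) for dev, pairs in hits.items()}

if __name__ == "__main__":
    for device, sources in find_unexpected_smi(SAMPLE_FLOWS).items():
        for src, action in sources:
            print(f"{device}: TCP/4786 from {src} ({action})")
```

Denied attempts are reported alongside allowed ones because they show which devices are being probed even where a filter is already in place.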
Relevance for Security Professionals
This announcement is highly relevant for security operations centers and threat intelligence teams. The naming of specific individuals and their unit provides valuable context for attributing ongoing campaigns. The technical details surrounding their latest exploitation efforts, specifically targeting Cisco devices, offer actionable intelligence for defensive posturing. Organizations within the energy, nuclear, and other critical infrastructure sectors should treat this announcement as a direct call to review their security controls related to internet-facing network infrastructure and SCADA systems.
From a threat intelligence perspective, the consistency of the $10 million reward amount signals the U.S. government’s prioritization of certain threat types. It also serves as a strategic warning, as noted by analysts from cybersecurity firm Field Effect, to individuals considering working with Russian intelligence services, highlighting the significant personal risks involved [2]. However, it is also important to note public skepticism regarding the payout of these rewards, a perception that could impact the program’s effectiveness as a deterrent [2].
Conclusion and Future Implications
The U.S. government’s deployment of a $10 million bounty against specific FSB officers signifies a continued and escalating response to state-sponsored cyber threats against critical national infrastructure. This action, coupled with the previous indictments and public attributions, forms a multi-faceted approach to imposing consequences on malicious actors. The pattern of similar bounties against a range of Russian cyber operatives demonstrates a sustained commitment to this strategy.
Looking forward, the security community can expect these actors to continue adapting their tactics, techniques, and procedures. The focus on legacy vulnerabilities in critical infrastructure underscores the need for continued vigilance and investment in securing these environments. While the ultimate effectiveness of the bounty program in securing arrests may be debated, its role in signaling intent, facilitating intelligence collection, and potentially deterring some individuals is a notable component of modern cyber statecraft.
References
- “US offers $10 million bounty for info on Russian FSB hackers,” BleepingComputer, Sep. 3, 2025.
- “U.S. offers $10M reward for info on LockBit ransomware leader,” Atlanta News First (YouTube), Dec. 24, 2024.
- “$10 million bounty for indicted WhisperGate malware suspect,” Help Net Security, Jun. 27, 2024.
- “U.S. offers $10 million reward for Russian ransomware affiliate,” CNN, May 2023.
- “U.S. offers $10M bounty for info on RedLine malware creator and state hackers,” SecurityAffairs, Jun. 6, 2025.
- “State Dept. offers reward for info on Russian propaganda outlet Rybar,” CyberScoop, Oct. 21, 2024.