While Russian espionage and sabotage have been targeting the European continent for decades, the war in Ukraine has caused a significant change in quality and modalities. However, many events in the last few months could signal a strategy shift, especially in a period of changes which will impact the future of the war and of Ukraine in uncertain ways. The heads of many European intelligence agencies have lately been warning more and more often that Russian espionage and sabotage activities are becoming more frequent and bolder at the same time as they supposedly test European red lines. This warning has been repeatedly issued by the head of the Norwegian Intelligence Service, but also by the chiefs of the British MI5 and MI6 and of the German intelligence agencies.
A new European Commission has taken office, the Republican candidate Donald Trump has been elected for a second term as president of the United States, and future elections may shake things up in many countries, including Germany, one of the main supporters of Ukraine in Europe. It seems to be the perfect time for Russia to strengthen its destabilizing campaign, in order to exert influence abroad and steer political will and public opinion to decrease support for Ukraine, especially with the prospect of negotiations between Russia and Ukraine.
How is Russian espionage changing?
Russian diplomats and employees of their embassies and consulates, the so-called “legals”, have long been involved in intelligence gathering and other state-led operations on the European continent and all around the world. This led many countries, including the UK, Germany and France, to downsize the Russian diplomatic presence on their territory in 2018, after the attempted murder of Sergei Skripal, a former Russian intelligence official and double agent for UK intelligence services. However, that downsizing was relatively modest compared to the one enacted in 2022. Diplomatic relations worsened due to the invasion of Ukraine and the widespread Western support for Kyiv. As a consequence, hundreds of diplomats and embassy staff have been expelled, especially after the start of the war in February 2022 and the discovery of civilian massacres in Bucha at the beginning of April 2022. State-backed Russian media channels, such as Russia Today and Sputnik, were also very active both in espionage and disinformation campaigns and were banned by the European Council in the early days of the war, although they managed to remain quite easily accessible.

These expulsions had a huge impact on the ability of Russian intelligence services to carry out their work. According to the 2023 annual report of the German Federal Office for the Protection of the Constitution (BfV), Russia is resorting more and more to the recruitment of civilians in order to collect useful information, especially through blackmail and financial incentives. For example, two German citizens charged with spying in August 2023 were each paid 400.000€ for their services. This shows that Russia is still able to allocate enormous financial resources to keep up with its intelligence needs. The BfV has estimated that Germans living in Russia, including diplomats and Germans with dual nationality, are especially exposed to the risk of blackmail because local intelligence agencies can collect compromising information on them and use it as leverage. This estimate could likely be extended to other EU citizens and other countries. Members of extremist groups are also quite vulnerable to recruitment, as they are often supportive of Russia and wish to stop military support for Ukraine. Recruitment often happens on less moderated platforms such as Telegram, where extremist groups are able to carry out their activities more freely. The far right is especially receptive towards the Kremlin, as shown by the attempt by Reichsbuerger to gain Russian support for their attempted coup d’état and by the close relationships that multiple European right-wing parties have with Russian elites. However, far-left parties are also not safe, especially in an era of divisive political discourse, public distrust and widespread disinformation.
The Georgian case study?
A case that illustrates the extent of Russian espionage and its potential for influence is the Russian network used to spy on Georgia, as revealed by a Bloomberg investigation. After a brief war in 2008 between Russia and Georgia, public discourse in Georgia became even more pro-Western and hostile towards the Kremlin. In its attempt to maintain influence over the country, Russia managed to spy on the government and the biggest companies in Georgia, both through classic espionage strategies and through hacking campaigns conducted between 2017 and 2020. As a matter of fact, the central bank and many government departments, including the Foreign Ministry and the Finance Ministry, were penetrated with malware, as part of an operation that ran for many years. Hacking also affected the Central Election Commission, IT systems at Georgia’s national railway company, and media organizations, including the two biggest TV channels, Imedi and Maestro.
The consequences of these penetrations could be huge, especially considering that hackers gained the ability to tamper with vital infrastructure, such as power and communication networks, that could be used to exert pressure on the government through blackmail. In some regions they managed to turn off electrical substations and cut power, which could grant huge leverage to advance their interests. At telecommunications operator Skytel, hackers gained access to admin systems and network routers, likely being able to shut down telecommunications. Hacking campaigns were also supported by a covert operation targeting the Foreign Ministry, including embassies and consulates, which resulted in 2.1 GB of data being stolen by the Federal Security Service of the Russian Federation (FSB).
Georgia has a certain strategic and economic importance for the Kremlin and Russia does not want to let the country get closer to the European sphere of influence. The survival of the current governing party, Georgian Dream, is fundamental to this matter as it is staunchly pro-Russian, both in public discourse and enacted policies. While the party maintained control of the government after the elections in October 2024, Russia undoubtedly has the means to exert a huge pressure on the country if the government ever decided to take an undesirable course.
Recent espionage cases
As the recruitment of intelligence agents primarily targets civilians, spies are often working normal jobs that let them access relevant events, buildings and people. To this end, Russian agents can still be employed by making them fake their nationality. This happened, for example, with a Russian couple posing as art dealers from Austria and Mexico who gained Argentinian citizenship and a Spanish-Russian freelance journalist covering conflicts for a small Basque newspaper. Highly trained and equipped with strong personal alibis, especially through Latin American countries, these so-called “illegals” carry on most of the activities of Russian intelligence agencies, including the infiltration of radical groups to influence their ideology and activities. The case of Pablo Gonzalez, a Spanish-Russian journalist who was part of a prisoner exchange with Russia in August 2024, is especially important. Being an accredited member of the press working in conflict areas, he managed to gain access to critical sites, such as a besieged military base during the Russian annexation of Crimea in 2014.
In Italy, two entrepreneurs suspected of selling sensitive information to Russia are currently being investigated. The entrepreneurs were tech professionals who exploited their knowledge of technology to gather information and acted out of political sympathies, as they had supported Russia since early 2023. They were allegedly in contact with an agent from the FSB who handed them various assignments. Among their activities was the mapping of video surveillance systems at military sites, streets and squares in Milan, Rome and Aviano, a town in north-east Italy that hosts an important US air base, with a particular focus on spots not covered by video surveillance devices. They also attempted to install dash cams on taxis to monitor the activity of specific subjects without the knowledge of the drivers. The FSB allegedly paid the entrepreneurs a few thousand euros in cryptocurrency.
This is not the first case and it definitely highlights a trend that involves many European countries. Arrests have also been carried out in Nordic countries. In November 2024, a Norwegian student who was working as a guard at the US embassy in Oslo was arrested for obtaining sensitive information and sharing it with Russia and Iran. He is now detained, pending further investigations. In Estonia, a Russian professor of political science at the University of Tartu was convicted on espionage charges and had likely been collecting information on security and infrastructure vulnerabilities for Russian intelligence agencies for decades. Last year, the Metropolitan Police uncovered a spy ring in the UK. The group was targeting Russian dissidents and investigative journalists in the UK and was planning to collect information on Ukrainian soldiers training at the US military base in Stuttgart, Germany.
These cases show how strong a motive political and ideological sympathy can be. As circumstances pushed Russia to diversify its intelligence workforce, ideological support could be of immense help to the expansion of intelligence activities. Individuals ideologically aligned with Russia may start approaching Russian intelligence services more often, with the intent of sharing critical information or lending themselves to sabotage activities. This type of recruit might offer various benefits, including stronger motivation, greater discipline and lower financial compensation requirements.
Sabotage campaign becoming stronger
Sabotage is getting more sophisticated, possibly as an alternative to a full-scale war with NATO countries. According to the head of the Norwegian Intelligence Service, sabotage attempts against critical infrastructure are now more likely. This moment is especially important for Russia, which has little left to lose on the European continent. After the election of Donald Trump as the next President of the United States, Moscow might try to strengthen its sabotage campaign. Trump has signaled an intention to quickly end the war in Ukraine as soon as he takes office. With the US likely reducing its support for Ukraine, Russia may seek to increase pressure on European countries to secure a stronger position at the negotiating table.
Possible targets for sabotage include energy infrastructure, telecommunications, military production and transport. Western intelligence agencies are currently investigating whether Russia has been plotting to place incendiary devices on cargo planes. According to intelligence officials, the Kremlin tested this strategy during summer 2024 and was able to set off fires in shipping hubs in the UK and Germany, likely to cause fear in the population and disruptions. At Leipzig airport, Germany, an incendiary bomb exploded in a DHL air freight container. However, the package was on the ground only because of a delay in a connecting flight. Investigations are ongoing for these and other incidents that may be related, including arson attacks, especially against critical production sites and in Eastern Europe and the Baltic states.

Attribution for sabotage is extremely difficult, especially as Russian intelligence agencies are using local criminal proxies, who may not know who they are actually working for. This campaign may be testing how far the Kremlin can go without triggering Article 5 of the North Atlantic Treaty and surely depicts a concerning situation.
Critical seabed infrastructure
The movements of Russian ships, especially research ships, are increasingly monitored as they are suspected of collecting sensitive data that could be used to plan sabotage operations. Ships have been recently discovered many times close to particularly sensitive infrastructure, such as wind farms, pipelines and internet cables, often carrying research equipment and drones that might have been used to collect information on said infrastructure. This comes at a critical time, as Russia is allegedly building up capabilities to carry out sabotage on seabed infrastructure.
An investigation conducted by the Dutch organization Follow the Money in cooperation with the newspaper De Tijd revealed in June 2024 that at least 167 Russian commercial ships were used to spy on seabed cables and pipelines in the North Sea, including areas that are particularly sensitive for telecommunications and energy. The observed ships showed suspicious behavior close to critical infrastructure in European waters peaking in 2021, including odd maneuvers and temporary disconnection of their Automatic Identification Systems (AIS), which are required to be active at all times by the International Convention for the Safety of Life at Sea. Some of them would also approach NATO military vessels and are suspected of employing underwater drones to collect data on critical infrastructure, possibly to later carry on attacks and disruptions. Drones, such as the ones used for repairs, could also be used to damage cables and pipelines. When interrogated, the crew usually explains this behavior as being due to navigational errors and bad weather conditions, which would cause abrupt and odd changes to the usual navigation route. Russian maritime doctrine allows the armed forces to use Russian civilian ships for special operations. However, even research vessels, built for scientific purposes, are allegedly used to gather data on potential targets. These are especially useful as they already carry equipment that can be repurposed for spying campaigns. While these incidents only involved espionage activities, the targets of this campaign are potentially at risk of disruption as the data collected by these ships can be used to plan sabotage operations.

Recent events highlight a trend, especially after the disruption of two submarine fiber-optic internet cables in the Baltic Sea. On the morning of November 17, 2024, the BCS East-West Interlink, connecting Lithuania and Sweden, was cut. The following morning the C-Lion1, linking Germany and Finland, was similarly compromised. The disruption caused by these instances is luckily limited as telecommunication services use many different routes to avoid complete blackouts. The traffic was rerouted and only some data transfers were affected, although without redundancy this disruption could have had a serious impact on business continuity. Repair vessels were dispatched a few days after and by the end of November both cables had already been restored.
Investigators quickly assessed that the damage was caused by human activities but they couldn’t be sure whether this was intentional or accidental. However, some government officials were quick to describe it as sabotage. Soon after the news was announced, independent OSINT researchers noticed that a Chinese bulk carrier, the Yi Peng 3, was in the proximity of the scene of both accidents around the time the cables were cut. Joint investigations led by Swedish authorities are currently ongoing on the suspicion of sabotage, as the authorities of the countries involved suspect the Yi Peng 3 is responsible for the damage to the cables. According to a reconstruction by the Wall Street Journal, the ship dropped its anchor before crossing over the BCS East-West Interlink. After damaging the cable, the Yi Peng 3 continued to sail dragging the anchor, and subsequently cut the C-Lion1. The anchor was then raised and the ship continued its course. During this time, the AIS was suspiciously turned off. This behavior is deemed very unusual, as sailing with the anchor lowered is economically inefficient and can result in damage, both to undersea infrastructure and to the anchor. An investigation by Danish broadcaster TV 2 also uncovered that the Yi Peng 3 slowed down over two power cables and a data cable at the beginning of November while en route to Russia. The ship, which had departed from the Russian port of Ust-Luga towards Port Said, Egypt on November 15, was in the Kattegat Strait, in the Danish exclusive economic zone, when Danish authorities stopped it for the investigation. According to international maritime law, states do not have complete sovereign rights within their exclusive economic zone as they would in their territorial waters, so investigations are more complicated. To avoid these issues, Sweden asked the captain to return to Swedish waters, where the damage to the cables happened.
As the ship didn’t comply, authorities instead convinced China to cooperate with their investigation. Swedish investigators managed to board the ship on December 19, although they only acted as observers in an investigation conducted by Chinese authorities and they couldn’t access some parts of the vessel. According to the Wall Street Journal, investigators think the captain of the ship may have been acting on orders given by Russian intelligence. After being monitored for one month by European coast guard ships and warships, the ship resumed its trip towards Egypt on December 21, although there are no official updates on the investigation.
The Baltic Sea is particularly affected by these events, from espionage campaigns to frequent GPS disruptions affecting both ships and airplanes. A similar accident happened in October 2023: the Chinese merchant ship NewNew Polar Bear damaged a gas pipeline and two telecommunication undersea cables by dragging its anchor across them. According to Chinese authorities, the damage was accidental although European authorities couldn’t conduct an investigation before the ship reached international waters. Back then, awareness about these kinds of accidents was lower and the countries involved were less willing to take a more resolute stance. However, as a new case affecting a power cable between Finland and Estonia during the Christmas holidays is being investigated, it is clear that affected governments are taking a stronger stance. These kinds of accidents will continue to raise questions. Attribution tends to be difficult and investigations might never uncover whether these are actually accidents or they are part of a sabotage campaign. Caution is certainly needed to avoid diplomatic incidents and the escalation of tensions. However, in some cases the lack of political will prevents authorities from attributing responsibility and leads to a troubling inaction that could be interpreted by malicious actors as a green light to step up their destabilizing campaigns.
Lessons and future outlook
Subtle operations have always been employed, both in violent and nonviolent conflicts. However, it is clear that Europe has been particularly affected since severing ties with Moscow at the beginning of the Russian invasion of Ukraine. These campaigns could have a negative effect on Western support for Ukraine. As fatigue about the war becomes evident, both in the population and in the governments, sabotage campaigns, coupled with misinformation and manipulation, may disrupt military and financial support to Ukraine and ultimately weaken its position at the negotiating table. Amid all this, NATO member states are discussing whether sabotage could eventually lead them to call upon allies for support and invoke the mutual defense clause or, alternatively, to start joint consultations, as provided by Article 4.
NATO tools are inadequate to deal with this kind of confrontation and there is a strong need for policy adaptation to better reflect the nature of current threats, but also for preparedness to quickly face sabotage, especially as it could affect critical areas of everyday life. Even official doctrine on hybrid threats is lacking, as there is no common definition of this term. While NATO is making progress and has already established a few bodies and initiatives aimed at improving the resilience of critical submarine infrastructure, things in the European Union are progressing at a much slower pace. Readiness is also fundamental for private companies that own and handle critical infrastructure. However, experts deem it impossible to protect all critical infrastructure, as it would require enormous resources. Deterrence is therefore fundamental to protect such infrastructure and, among other things, requires attribution to be effective. Ultimately, addressing these challenges will demand a coordinated effort from governments and international institutions, with the cooperation of private stakeholders to build resilience and deter future threats effectively.