EMET NEWS PRESS

Russia is conducting its intelligence offensive in the Nordic-Baltic space along four operational lines: covert technology procurement, cyber access, target intelligence and sabotage preparation. The war against Ukraine is straining Russian production chains. Western export controls are limiting regular access to precision, sensor, control and manufacturing technology. Spare parts, maintenance software, specialist electronics and optoelectronic components remain critical for missile, drone, aviation and defence production. The mission profile of Russian services is therefore shifting from classical intelligence collection to operational access generation against NATO states.

The assessments of the Nordic services confirm this shift in priority. The Swedish Security Service Säkerhetspolisen (Säpo), under Director General Charlotte von Essen, continues to assess Russia as a central threat to Sweden. Von Essen points to a deteriorating security environment, increased Russian risk tolerance, sanctions evasion, technology procurement and sabotage-related activity directed against Western support for Ukraine. The Finnish Security and Intelligence Service Suojelupoliisi (Supo), under Director Juha Martelius, classifies Russia as the most significant intelligence threat to Finland. Supo describes Russian interest in Finnish foreign policy, NATO-related changes, border policy, critical infrastructure, military facilities, supply chains, proxy actors and compromised cyber infrastructure. The Norwegian Police Security Service Politiets sikkerhetstjeneste (PST), under Director Beate Gangås, warns of increased Russian activity against military targets, Allied exercises, Ukraine support, the High North and critical infrastructure. In Denmark, the domestic intelligence service Politiets Efterretningstjeneste (PET) assesses the threat of physical sabotage as increasing; the military intelligence service Forsvarets Efterretningstjeneste (FE/DDIS), under Director Thomas Ahrenkiel, describes Russian hybrid warfare against NATO and the West as well as a high sabotage threat against the Danish Armed Forces.

The centre of gravity lies on NATO’s Northern Flank and in the Baltic Sea region, where Alliance infrastructure, Arctic operating areas, Baltic access routes, high technology, defence industry, maritime sensors, energy infrastructure and software-enabled industrial systems converge. Sweden holds key aviation and defence-relevant technologies, including systems connected to the JAS 39 Gripen, precision manufacturing, optoelectronic components and industrial control technology. Finland’s NATO membership, border with Russia, Arctic expertise, maritime technology, space-related capabilities and software-enabled industrial infrastructure make it a high-value intelligence and procurement target. Norway adds energy infrastructure, Arctic situational awareness, maritime domains and proximity to Russian strategic capabilities on the Kola Peninsula. Denmark forms the southwestern access zone to the Baltic Sea region and combines maritime chokepoints, military infrastructure, air bases, ports, airports and digital networks.

Moscow uses state intelligence services, front companies, third-country actors, criminal milieus, compromised cyber infrastructure and covert financial channels. The Main Directorate of the General Staff, still widely referred to internationally as the GRU, remains the most aggressive operational actor. It combines military procurement, target intelligence, cyber access, sabotage preparation and covert logistics. The SVR secures long-term access in politics, science, research, business and high technology. The FSB stabilises front-company, financial, cyber and proxy structures, integrates criminal service providers and creates an attribution shield below the threshold of open war. Service responsibilities remain overlapping; operational effect is decisive: material inflow, access generation, target intelligence and freedom of action.

The GRU procures defence-relevant goods: weapons systems, drone and missile components, precision machinery, control technology, optical systems, sensors and components for Western industrial facilities. CNC technology, industrial lathes, specialist electronics, microcomponents, navigation technology and optoelectronic parts are particularly relevant. These goods do not close marginal gaps. They feed core areas of Russian war production. The Nordic region offers a dense target environment: specialised suppliers, research ecosystems, maritime technologies, Arctic expertise, dual-use industry and companies deeply embedded in European defence and high-technology supply chains.

GRU-associated cyber structures, including APT28 and Forest Blizzard, operate globally against network components, routers, government networks, military communications structures and IT environments close to critical infrastructure. Their objectives are initial access, credential theft, network reconnaissance, persistence and later disruption or sabotage options. The mass compromise of SOHO routers and poorly secured network devices anonymises Russian attack vectors, obscures infrastructure, complicates attribution and creates operating space inside Western networks. Supo explicitly identifies compromised consumer routers as Russian anonymisation infrastructure.

The SVR conducts strategic long-term intelligence collection. Its target areas are politics, business, science, research and high technology. The methodology remains classical, but is adapted to wartime demand: legal residencies, contact development in diplomatic, scientific and economic environments, long-term source handling and the use of so-called illegals. These covert intelligence officers, operating without official diplomatic cover, secure access that is structural rather than short-term. The SVR is less visible than the GRU, but remains central to influence, research and technology intelligence.

The FSB complements this structure as a domestic security service with extended foreign-facing functions. Its role lies in counterintelligence, control of Russian external networks, technical support, cyber operations and the use of criminal milieus. FSB-linked structures secure front companies, procurement routes, financial movements and intermediaries. Actors from cybercrime and organised crime handle sabotage preparation, logistics and intelligence collection below the threshold of open war. This integration creates an attribution shield: state direction remains deniable, operational effect remains achievable.

In the Swedish operating area, Russian procurement and intelligence interests converge where aviation technology, precision manufacturing and military sensors overlap. Target areas include data and components connected to the JAS 39 Gripen fighter aircraft, laser-based targeting and location systems, optoelectronic components, precision machinery and industrial manufacturing technology. In May 2026, Swedish authorities reported a counterintelligence operation against a suspected procurement network. Two suspects are alleged to have supported Russia in acquiring advanced technical or industrial products and thereby evading EU sanctions. Säpo referred to multi-stage procurement structures, intermediaries and reduced traceability. Details on specific products, end users, full delivery routes, arrest locations and company sites remained limited because of ongoing investigations and operational security.

Sweden is also under increased pressure in the cyber domain. Cyber access against energy, control and supply environments can have physical follow-on value and may serve as a preparatory phase for later disruption or sabotage. Target categories include power generation, control systems, industrial control networks and supply nodes. In each case, it must be distinguished whether access is designed for immediate destructive effect, later access preservation or technical reconnaissance. The operational line remains clear: cyber access is not only an intelligence collection instrument. It is a pre-positioning tool for physical effect.

In the Finnish operating area, Russian interest is concentrated on technology fields relevant to the Northern Flank, the Baltic Sea, the Barents Sea and Arctic operating areas. These include space technology, quantum research, Arctic technology, naval engineering, icebreaker expertise, maritime sensors and software-enabled industrial infrastructure. Supo links this environment to Russian cyber intelligence against central government bodies, foreign and security policy actors, defence-capable products and militarily usable innovation. Arctic mobility, maritime situational awareness, resilient communications and navigation systems, sensors and control technology have direct relevance for Russian defence programmes.

Norway expands the target picture to energy, the Arctic and maritime infrastructure. As a central gas supplier to Europe, a NATO state on the Northern Flank and an observation space facing Russian capabilities in the High North, Norway holds significant operational value for Russian services. PST assesses Russian reconnaissance against critical infrastructure as preparation potential for later intelligence, influence or sabotage activities. Target areas include energy facilities, maritime traffic routes, ports, underwater infrastructure, military sites, Allied exercises and support structures for Ukraine.

Denmark forms the southwestern control and transit zone of the Baltic Sea region. PET assesses the threat of physical sabotage as increasing and describes Russian target selection as opportunistic: proxy groups or recruited individuals may select and execute targets without every target being directed in detail from Moscow. FE/DDIS assesses the sabotage threat against the Danish Armed Forces in particular as high. Drone incidents over military and civilian facilities, disruptive cyber operations and influence effects against public security fit the pattern of hybrid pressure.

A separate tasking concerns software security updates for Western industrial facilities already located in Russia but subject to sanctions. These systems remain relevant for production lines, precision manufacturing, energy infrastructure and military-adjacent industry. Regular maintenance, spare-part supply and software support are restricted. Russian procurement actors therefore attempt to secure digital access through circumvention structures. This field does not necessarily move through classical goods deliveries. Credentials, maintenance software and technical documentation can be extracted through digital channels, intermediary companies, former business partners or recruited specialists.

Russian operational activity follows a connected pattern. First: procurement of dual-use goods, CNC technology, sensors, control technology, software updates and spare parts. Second: intelligence collection against politics, research, industry, military target profiles and technological key milieus. Third: cyber access through routers, credentials, compromised infrastructure, persistence and networks close to critical infrastructure. Fourth: sabotage preparation against energy, logistics, industrial control systems and critical supply nodes. These lines are analytically separable but operationally linked. Cyber access is not limited to data theft. It creates access space for later disruption or sabotage.

HUMINT operations are increasingly conducted from Russian territory because diplomatic expulsions have degraded classical residency work. Supo explicitly describes this methodological shift: professional HUMINT activity from Russian soil, alongside the use of proxy actors for simple intelligence collection, sabotage or vandalism. Contact development, recruitment approaches and handling run through digital communications channels, third countries, business travel, academic contacts or private networks. In the cyber domain, compromised Western routers and servers serve as operational infrastructure; attacks thereby appear to originate from unsuspicious networks.

Defensive capability on NATO’s Northern Flank has increased. Military facilities, major defence companies and central state structures have strengthened protective measures. Supply-chain controls, cyber hardening, cooperation with intelligence services, awareness training for key personnel and monitoring of suspicious procurement requests have been expanded. Charlotte von Essen explicitly places emphasis on stronger protective measures in business and society: supply-chain and export controls may be costly for companies; failure to conduct them can become significantly more expensive.

The critical vulnerability remains where civilian niche expertise meets limited security architecture. Small and medium-sized companies in precision engineering, metalworking, software development, sensors, optics, electronics, specialty chemicals and industrial control technology are particularly exposed. These companies hold defence-relevant knowledge but often do not reach the security level of major defence or technology corporations. Deficits persist in IT security, export-control screening, end-use verification, customer validation, detection of suspicious intermediaries and personnel awareness. Russian procurement networks focus precisely on this seam.

Western counterintelligence remains constrained by reaction time. Legal review, authorisation and oversight procedures secure the legal legitimacy of Western measures, but slow responses in the cyber domain, financial flows, covert investigations and export-control enforcement. Russian services act with high risk tolerance, opportunism and limited legal constraint. This creates a temporal asymmetry that shapes defence planning, resourcing and interagency coordination.

The Nordic-Baltic space is therefore not a peripheral area, but a Russian priority field below the threshold of open war. Moscow is compensating for technological deficits in its war economy through covert procurement and preparing access options against Western infrastructure. The defensive posture remains vulnerable where highly specialised civilian suppliers, digital weaknesses and fragmented authorities converge.

[DE]

Russland konzentriert seine nachrichtendienstliche Offensive im nordisch-baltischen Raum auf verdeckte Technologiebeschaffung, Cyberzugang, Zielaufklärung und Sabotagevorbereitung. Der Krieg gegen die Ukraine belastet russische Produktionsketten, während westliche Exportkontrollen den Zugriff auf Präzisions-, Sensor-, Steuerungs- und Fertigungstechnik begrenzen. Nordische Dienste wie Säpo, Supo, PST, PET und FE/DDIS bewerten Russland entsprechend als zentrale Bedrohung für Schweden, Finnland, Norwegen und Dänemark.

Der Schwerpunkt liegt an NATO-Nordflanke und Ostseeraum, wo Bündnisinfrastruktur, Hochtechnologie, Energieanlagen, maritime Räume, Rüstungsindustrie und arktische Operationsgebiete zusammenfallen. Die GRU beschafft rüstungsrelevante Güter und bereitet Cyber- sowie Sabotageoptionen vor. Der SVR sichert langfristige Zugänge in Politik, Forschung und Wirtschaft. Der FSB stabilisiert Tarn-, Finanz-, Cyber- und Proxy-Strukturen unterhalb der offenen Kriegsschwelle.

Besonders verwundbar bleiben kleine und mittlere Zulieferer aus Präzisionsmaschinenbau, Software, Sensorik, Optik, Elektronik und industrieller Steuerungstechnik. Sie besitzen rüstungsrelevantes Wissen, verfügen aber oft nicht über ausreichende Sicherheitsarchitektur. Westliche Abwehrfähigkeit ist gestiegen, bleibt jedoch durch rechtliche Verfahren, fragmentierte Zuständigkeiten und Reaktionszeit begrenzt. Der Raum bleibt ein russisches Schwerpunktfeld hybrider Operationen.

Glossary

APT28 / Forest Blizzard
A GRU-associated cyber threat actor linked to espionage, credential theft, infrastructure compromise and operations against governments, defence networks and critical infrastructure.

Attribution Shield
A method used to obscure state responsibility by routing operations through proxies, criminal actors, front companies or compromised infrastructure.

Baltic Sea Region
The strategic area around the Baltic Sea, including NATO members such as Sweden, Finland, Denmark, Germany, Poland and the Baltic states.

CNC Technology
Computer Numerical Control machinery used for precision manufacturing. It is relevant to defence production because it enables accurate metalworking and component fabrication.

Covert Procurement
The clandestine acquisition of restricted goods, technology, components or software through front companies, intermediaries, third countries or falsified end-use declarations.

Credential Theft
The theft of usernames, passwords, authentication tokens or access keys used to enter protected networks or systems.

Critical Infrastructure
Systems and facilities essential for state, economic and societal functioning, including energy, transport, communications, ports, water supply, health systems and digital networks.

Cyber Access
Initial or persistent entry into a digital system, network or device, often used for espionage, reconnaissance, disruption or later sabotage preparation.

Dual-Use Goods
Products, components, software or technology that can be used for both civilian and military purposes, including sensors, electronics, machine tools and navigation systems.

End-Use Verification
The process of checking who will ultimately receive and use exported goods, especially where sanctions, export controls or military applications are relevant.

Export Controls
Legal restrictions on the transfer of sensitive goods, technologies, software or services to specific countries, entities or end users.

FE / DDIS
Forsvarets Efterretningstjeneste, Denmark’s military intelligence service. Internationally, it is often referred to as DDIS.

Front Company
A company used to conceal the real client, end user, state sponsor or purpose behind a procurement, financial or intelligence operation.

FSB
Russia’s Federal Security Service. It is primarily a domestic security service but also supports foreign-facing operations, counterintelligence, cyber activity and proxy structures.

GRU
The Main Directorate of the General Staff of the Russian Armed Forces. It is Russia’s military intelligence service and is associated with aggressive cyber, procurement, sabotage and target-intelligence operations.

HUMINT
Human Intelligence. Intelligence gathered through human sources, recruitment, contact handling, personal access, observation or covert relationships.

Hybrid Warfare
The coordinated use of military, intelligence, cyber, economic, informational and proxy instruments below or alongside conventional warfare.

Illegals
Covert intelligence officers operating without official diplomatic cover, often under false identities and long-term civilian cover.

Initial Access
The first successful entry into a target network, system or device, often used as the starting point for deeper exploitation.

JAS 39 Gripen
A Swedish multirole fighter aircraft. Its technology, supply chains and related components are of high intelligence and defence-industrial value.

Kola Peninsula
A strategically important Russian region in the High North hosting major naval, nuclear and military infrastructure.

KRITIS
German abbreviation for critical infrastructure. It refers to essential systems such as energy, transport, communications, health, water and digital services.

NATO Northern Flank
NATO’s northern strategic area, including the Nordic region, the High North, the Baltic Sea approaches and adjacent Arctic operating spaces.

Optoelectronic Components
Components that combine optical and electronic functions, often used in sensors, targeting systems, imaging, guidance and surveillance technologies.

PET
Politiets Efterretningstjeneste, Denmark’s domestic security and intelligence service.

Persistence
The ability of an attacker to maintain access to a compromised system or network over time, even after partial detection or defensive measures.

Proxy Actor
A person, group, company or criminal network used by a state to conduct operations while obscuring direct state involvement.

PST
Politiets sikkerhetstjeneste, Norway’s police security service responsible for counterintelligence, counterterrorism and national security threats.

Sabotage Preparation
Reconnaissance, access generation, logistics, target selection or technical pre-positioning conducted before a potential disruptive or destructive operation.

Säpo
Säkerhetspolisen, Sweden’s security service responsible for counterintelligence, counterterrorism, protective security and threats to national security.

SOHO Routers
Small Office/Home Office routers. Poorly secured devices can be compromised and used to anonymise cyber operations or route malicious traffic.

Supo
Suojelupoliisi, the Finnish Security and Intelligence Service responsible for counterintelligence, counterterrorism and national security intelligence.

SVR
Russia’s Foreign Intelligence Service. It focuses on strategic intelligence collection, political access, scientific and technological intelligence, and long-term source cultivation.

Target Intelligence
Information collected on potential targets, including infrastructure, personnel, networks, facilities, vulnerabilities and operational dependencies.

Technology Procurement Network
A structured system of intermediaries, suppliers, shell companies and logistics routes used to acquire restricted technology or components.

Temporal Asymmetry
A structural timing advantage in which one side can act faster because it operates with fewer legal, procedural or evidentiary constraints.

References:

Säkerhetspolisen (Säpo) — The threat against Sweden is constantly changing
sakerhetspolisen.se/ovriga-sidor/other-languages/english-engelska/press-room/news/news/2026-03-18-the-threat-against-sweden-is-constantly-changing.html
Used for: Russia as the greatest threat to Sweden; deteriorating security environment; increased Russian risk tolerance; sabotage threat linked to Western support for Ukraine; Russian need for knowledge, technology and products; sanctions circumvention; statement by Charlotte von Essen on supply-chain and export-control vigilance.

Säkerhetspolisen (Säpo) — The elevated terrorist threat level remains due to the serious security situation
sakerhetspolisen.se/ovriga-sidor/other-languages/english-engelska/press-room/news/news/2026-01-09-the-elevated-terrorist-threat-level-remains-due-to-the-serious-security-situation.html
Used for: broader Swedish security context; Russian intelligence activities, influence operations and technology procurement; Russia’s sabotage threat targeting Western support activities for Ukraine; increased Russian opportunism outside the Ukraine conflict zone.

Säkerhetspolisen (Säpo) — The Swedish Security Service 2025–2026
sakerhetspolisen.se/download/18.6d8b207419df2497fd955/1778075300407/SP_Lägesbild%20ENG_Anpassad.pdf
Used for: annual situational assessment; Russian security-threatening activity; protective security, espionage, technology procurement and sabotage-related threat context.

Säkerhetspolisen (Säpo) — The Swedish Security Service 2024–2025
sakerhetspolisen.se/download/18.735e45f81966926b8381f6/1746455132395/SP_Årsbok_ENG_2025_Anpassad.pdf
Used for: continuity of Swedish threat assessment; Russian intelligence pressure; national security threat environment; protective-security context.

Suojelupoliisi (Supo) — Overview of state espionage and influencing 2026
supo.fi/en/overview-of-state-espionage-and-influencing-2026
Used for: Russia as the principal intelligence threat to Finland; Russian interest in foreign policy, NATO-related developments, border policy, critical infrastructure and military infrastructure; proxy actors; cyber operations; compromised consumer routers as anonymisation infrastructure; supply-chain procurement risks.

Suojelupoliisi (Supo) — Russian superpower ambitions will remain also after the war
supo.fi/en/-/russian-superpower-ambitions-will-remain-also-after-the-war
Used for: Juha Martelius-linked Finnish assessment; Russian intelligence capability after the war; long-term Russian ambitions; continued threat to Finland and Europe; post-war intelligence posture.

Suojelupoliisi (Supo) — How to recruit a saboteur
supo.fi/en/how-to-recruit-a-saboteur
Used for: Russian proxy sabotage; GRU-linked sabotage patterns; recruitment of proxy actors; sabotage and vandalism below the threshold of open war; methodological shift from classical 

intelligence work to remote recruitment and disposable actors.

Politiets sikkerhetstjeneste (PST) — National Threat Assessment 2026
pst.no/wp-content/uploads/2026/02/National-Threat-Assessment-2026.pdf
Used for: Norwegian threat environment; Russian intelligence threat; activity against military targets, Allied exercises, support for Ukraine, the High North and critical infrastructure; Norwegian counterintelligence context.

Politiets sikkerhetstjeneste (PST) — National Threat Assessment 2025
pst.no/wp-content/uploads/2026/01/National-Threat-Assessment-2025.pdf
Used for: continuity of Norwegian assessment; espionage, sabotage, hybrid threats and intelligence targeting; critical infrastructure and High North context.

Politiets sikkerhetstjeneste (PST) — National Threat Assessment 2024
pst.no/wp-content/uploads/2026/01/National-Threat-Assessment-2024.pdf
Used for: background on Norwegian domestic security threats; Russian and foreign intelligence activity; sabotage, espionage and hybrid-threat framework.

Forsvarets Efterretningstjeneste (FE/DDIS) — Assessment of the hybrid threat against Denmark
fe-ddis.dk/globalassets/fe/dokumenter/2025/trusselsvurderinger/-assessment-of-the-hybrid-threat-against-denmark-.pdf
Used for: Russian hybrid activity against Denmark and NATO; sabotage, cyber activity, destabilisation, uncertainty generation and pressure on Alliance cohesion; Danish military intelligence assessment.

Forsvarets Efterretningstjeneste (FE/DDIS) — Intelligence Outlook 2025
fe-ddis.dk/globalassets/fe/dokumenter/2025/-fe-intelligenceoutlook-25-.pdf
Used for: Russia’s conflict posture toward NATO; hybrid attacks, sabotage and destructive cyber activity; Danish strategic threat environment.

Politiets Efterretningstjeneste (PET) — Sabotage
pet.dk/en/threats-to-denmark/sabotage
Used for: physical sabotage as part of the hybrid threat; increased Russian willingness to take risks; increased threat of physical sabotage in Denmark.

Reuters — Two held in Sweden over suspected deliveries of hi-tech gear to Russia
reuters.com/world/two-held-sweden-over-suspected-deliveries-hi-tech-gear-russia-2026-05-11
Used for: May 2026 Swedish case; two detained suspects; suspected support for Russia’s procurement of advanced engineering products; possible use in Russia’s war against Ukraine; involvement of Swedish security authorities.

Reuters — High risk of sabotage against Danish armed forces, intelligence service says
reuters.com/world/europe/high-risk-sabotage-against-danish-armed-forces-intelligence-service-says-2025-10-03
Used for: Thomas Ahrenkiel statement; high sabotage risk against Danish Armed Forces; Danish military intelligence assessment; drone incursions and hybrid pressure against Denmark and the West.

Reuters — Denmark raises threat level for destructive cyber attacks to 3 on 5-level scale
reuters.com/technology/cybersecurity/denmark-raises-threat-level-destructive-cyber-attacks-3-5-level-scale-2024-06-04
Used for: Danish cyber threat escalation; destructive cyber-attack risk; Russia’s willingness to challenge NATO countries through sabotage, influence operations and cyber attacks.

The Guardian — Denmark says Russia was behind two “destructive and disruptive” cyber-attacks
theguardian.com/world/2025/dec/18/denmark-says-russia-was-behind-two-destructive-and-disruptive-cyber-attacks
Used for: Danish attribution of cyber activity to Russia-linked actors; destructive and disruptive cyber operations; water utility incident; DDoS attacks; hybrid-war framing by Danish authorities.

The Guardian — Danish intelligence accuses US of using economic power to “assert its will” over allies
theguardian.com/world/2025/dec/12/danish-intelligence-accuse-the-us-of-using-economic-power-to-assert-will-over-allies
Used only for: contextual reference to FE/DDIS strategic assessment and Danish view of a more unstable security environment. Not used as a core source for Russian operational claims.

S&P Global Commodity Insights — Norway warns of Russian sabotage threat to energy infrastructure in 2025
spglobal.com/energy/en/news-research/latest-news/electric-power/020525-norway-warns-of-russian-sabotage-threat-to-energy-infrastructure-in-2025
Used for: Norwegian warning on energy infrastructure; Russian sabotage threat; relevance of Norway as European energy supplier.

The Record — Norway intelligence discloses Salt Typhoon attacks
therecord.media/norawy-intelligence-discloses-salt-typhoon-attacks
Used only for: supplementary reporting on Norwegian intelligence and cyber-threat context. Not used as a primary source for the main Russian sabotage thesis.

Business Insider — A NATO ally says Russia “physically pointed” weaponry at its warships and helicopters in strategic waters
businessinsider.com/denmark-said-russia-pointed-weaponry-at-its-helicopters-naval-ships-2025-10
Used only for: supplementary context on Danish straits, Russian military signalling and hybrid pressure around maritime access routes. Not used as a primary intelligence source.