Europe’s Hybrid Operations Space: Sabotage, Suspicion and Attribution Gaps

29 May 2026

Richard Krauss

Russian sabotage and influence operations are increasing pressure on Europe’s security environment. Robust threat assessments must, however, distinguish between confirmed sabotage, suspicion-based national statistics, intelligence assessments and forensically established attribution. Methodological risk emerges where international case counts, domestic criminal data and political attribution are treated as directly comparable. The issue is not to downplay the threat, but to assess it with operational precision: separating situational suspicion, strategic plausibility and verified hostile responsibility.

Western security agencies and think tanks have assessed the GRU since 2024 as a central actor in Russian sabotage and subversion activity in Europe. The intended operational effect is the disruption of military supply chains, critical infrastructure and logistical support for Ukraine. The CSIS report “Russia’s Shadow War Against the West” from March 2025 documents a marked increase in confirmed operations or operations attributed to Russia with high probability: from 3 incidents in 2022 to 12 in 2023 and 34 in 2024. Of the documented cases, 27 percent targeted transport and logistics, 27 percent government and military facilities, 21 percent critical infrastructure and 21 percent defence-industrial assets.

These international case figures represent a different data layer from national crime and suspicion-based statistics. In Germany, the Federal Criminal Police Office recorded 321 suspected cases of sabotage and serious crime against critical infrastructure and defence logistics in 2025. This category covers incidents with different possible backgrounds, including potential state direction, politically motivated crime, economic sabotage and unresolved cases. The figure should therefore be assessed as an indicator of security-service burden, not as evidence of 321 Russian operations. For threat assessment, the relevant layers are distinct: confirmed acts of sabotage, national suspicion-based data, political attribution, intelligence assessments and forensically established hostile responsibility.

A higher concentration of operations assessed as possibly Russian-influenced or Russian-directed has been recorded in Poland and the Baltic states. The focus includes repeated railway sabotage, arson attacks on logistics sites such as Marywilska near Warsaw and damage to undersea cables in the Baltic Sea. Attribution confidence remains case-dependent. While individual governments have publicly identified Russian intelligence direction, other incidents remain within the range of substantiated suspicion. Operational assessment therefore requires a clear distinction between plausibility, political attribution and established responsibility.

Operational direction is attributed in several Western analyses with high probability to GRU Unit 29155, assigned to the Service for Special Activities under Major General Andrei Averyanov. Since 2024, this structure has been associated with a more decentralised proxy model. Financially motivated actors from the post-Soviet space, criminal milieus or precarious social environments are reportedly recruited for individual tasks. Recruitment and handling are assessed to occur through Telegram channels, encrypted communication services and dark-web structures. Typical assignments include arson attacks, mechanical damage, surveillance, target marking and logistical preparation. Reports of low four-figure dollar payments and cryptocurrency transfers indicate a low-threshold, hard-to-trace operational model. Its operational strength does not lie in the high tactical quality of individual actors, but in mass, replaceability, low entry barriers and plausible deniability.

In addition to physical attacks, security reporting identifies a supporting cyber and reconnaissance component. This component can facilitate target selection, preparation and the effect of physical sabotage. The term “Hack & Burn” describes the linkage between digital reconnaissance, data theft and subsequent physical action. Here too, attribution is only robust in combination. The use of specific malware families or reconnaissance tools does not, by itself, prove unified GRU direction. Tools such as Nmap, MASSCAN or Shodan are widely available and are also used by non-state actors. Reliable hostile attribution emerges only through the convergence of technical indicators, operational patterns, communication traces, financial flows and additional intelligence.

These proxy structures form part of a Russian effects strategy below the threshold of open warfare. The primary objective is not necessarily the immediate physical destruction of major target complexes, but delay, disruption, resource absorption and cost imposition. The effect is generated less by high-visibility individual incidents than by the accumulation of hard-to-attribute events. These incidents tie up investigative, protective and command capacities, create political decision pressure and increase security costs for critical-infrastructure operators. The strategic utility lies in the asymmetric cost ratio: limited means on the attacker’s side, high protection and response expenditure on the European side.

NATO, the EU and national security authorities have significantly strengthened their protective posture since 2024. Measures include maritime surveillance initiatives such as Baltic Sentry since January 2025, national programmes such as Poland’s Operation Horizon and closer coordination among intelligence services, police, military authorities and critical-infrastructure operators. Measuring effect remains difficult. Maritime sabotage is made harder by presence, sensor coverage and shared situational awareness. For land-based proxy attacks, publicly available comparative data for 2025 and 2026 remain fragmentary. Claims of either a significant or only marginal decline are therefore only sustainable on the basis of robust time-series evidence.

The threat remains operationally relevant. The continuing intensity of suspected sabotage and influence activity, the professionalisation of digital recruitment channels and the targeting of European support for Ukraine increase pressure on production, transport and logistics sites. Particularly exposed are defence companies, suppliers, railway infrastructure, port facilities, ammunition logistics and energy or communications nodes. For European security authorities, this creates a persistent threat-management problem: counterintelligence, cyber defence, criminal investigation, site protection and military threat assessment must be integrated more closely, without prematurely converting suspicion-based cases into established hostile attribution.

The following analysis examines the structure, tactics, recruitment pathways and escalation risks of these networks on the basis of open sources and systematic cross-checking of national and international security reporting. The focus is the robust assessment of the hybrid operations space: situational suspicion, operational plausibility and established attribution remain separate layers of analysis.


[DE]

Western security agencies and think tanks have assessed the GRU since 2024 as a central actor in Russian sabotage and subversion activities in Europe. The aim of these activities is the disruption of military supply chains, critical infrastructure and logistical support for Ukraine. The CSIS report “Russia’s Shadow War Against the West” documents an increase in confirmed operations or operations attributed to Russia with high probability from 3 cases in 2022 to 12 in 2023 and 34 in 2024. The focus was on transport and logistics targets, government and military facilities, critical infrastructure and defence-industrial facilities.

The text emphasises the necessary separation of different data layers. International case figures are not directly comparable with national suspicion-based statistics. The 321 suspected cases against critical infrastructure and defence logistics registered by the BKA for 2025 are therefore regarded not as evidence of Russian operations but as an indicator of security-service burden. What remains decisive is the distinction between confirmed acts of sabotage, situations of suspicion, political attribution, intelligence assessment and forensically established hostile attribution.

Poland and the Baltic states in particular show an increased concentration of operations presumed to be Russian-influenced or Russian-directed. The focus is on railway sabotage, arson attacks on logistics sites and damage to undersea cables. Operational direction is attributed in several Western analyses with high probability to GRU Unit 29155. This unit is said to rely increasingly on decentralised proxy structures that are recruited through digital channels and used for arson attacks, damage, observation or target marking.

The model takes effect through replaceability, low entry thresholds, plausible deniability and asymmetric costs. NATO, the EU and national authorities have expanded protective measures, for example through Baltic Sentry and Operation Horizon. Their effect, however, remains measurable only to a limited extent. Overall, the text describes a persistent hybrid threat situation in which situational suspicion, operational plausibility and established attribution must remain strictly separate.


Glossary


GRU
Russia’s military intelligence service, formally part of the Russian General Staff. It is frequently linked by Western security agencies to espionage, cyber operations, sabotage and covert influence activity.


Unit 29155
A GRU unit associated in Western reporting with covert operations, sabotage, destabilisation activity and targeted actions abroad. Attribution to this unit usually depends on intelligence assessments, operational patterns and supporting evidence.


Hybrid Operations Space
The operational environment in which military, intelligence, cyber, criminal, political and economic instruments are combined below the threshold of open warfare.


Sabotage
Deliberate action intended to damage, disrupt or degrade infrastructure, logistics, production capacity or operational readiness.


Subversion
Covert or indirect activity designed to weaken political, social, military or institutional stability from within.


Proxy Structure
A network of intermediaries or recruited actors used to carry out operations while obscuring the direct involvement of the directing state or organisation.


Plausible Deniability
The ability of a state or actor to deny responsibility for an operation because the evidence does not directly or conclusively prove its involvement.


Attribution
The process of assigning responsibility for an incident or operation to a specific actor, state, intelligence service or network.


Attribution Confidence
The assessed degree of certainty behind a responsibility claim. It may range from suspicion to high probability or confirmed responsibility.


Forensic Attribution
Attribution based on technical, physical, digital or investigative evidence that can support a reliable finding of responsibility.


Political Attribution
A public statement by a government or authority assigning responsibility to an actor, often based on intelligence, strategic assessment or classified information.


Intelligence Assessment
A structured evaluation by security or intelligence services based on available evidence, classified sources, patterns of activity and probability judgments.


Suspicion-Based Statistics
Data that record suspected incidents rather than confirmed cases. Such figures may include unresolved, non-state, criminal or politically motivated events.


Critical Infrastructure
Systems and facilities essential to the functioning of society and the economy, including energy, transport, communications, water supply, health services and logistics.


Defence Logistics
The movement, storage, supply and maintenance of military equipment, ammunition, spare parts and other resources required for defence operations.


Supply Chain Disruption
The interruption or degradation of production, transport, delivery or maintenance networks.


Target Marking
The identification, observation or preparation of a target for later attack, surveillance or sabotage.


Reconnaissance
The collection of information about a target, system, site or network before a possible operation.


Hack & Burn
A term describing the combination of cyber reconnaissance or data theft with subsequent physical sabotage or destructive action.


Malware
Malicious software designed to damage, infiltrate, disrupt or gain unauthorised access to computer systems.


Wiper Malware
A type of malware designed to destroy, erase or render data and systems unusable.


Nmap
A widely used network scanning tool that can identify hosts, services and vulnerabilities. Its use alone does not prove state involvement.


MASSCAN
A high-speed internet-scale scanning tool used to identify exposed systems and services across large networks.


Shodan
A search engine for internet-connected devices and services, often used for reconnaissance of exposed digital infrastructure.


Telegram Recruitment
The use of Telegram channels or groups to identify, contact or direct individuals for operational tasks, including surveillance, vandalism or sabotage.


Cryptocurrency Payments
Digital payments, often used to reduce traceability and avoid conventional financial channels.


Operational Plausibility
The assessment that a suspected actor could realistically have conducted or directed an operation based on capability, intent, pattern and opportunity.


Hostile Responsibility
Established responsibility of a hostile actor for an incident or operation.


Below the Threshold of Open Warfare
Activity designed to produce strategic effects without triggering a conventional military response or formal state of war.


Effects Strategy
An operational approach focused on producing specific outcomes such as disruption, delay, fear, cost imposition or resource absorption.


Resource Absorption
The forced diversion of personnel, money, time and institutional capacity toward protection, investigation and response.


Cost Imposition
A strategy that forces an opponent to spend disproportionate resources in response to relatively low-cost hostile activity.


Security-Service Burden Indicator
A figure or trend showing the pressure placed on police, intelligence, military or infrastructure-protection bodies, without necessarily proving a specific hostile actor.


Protective Posture
The overall readiness and configuration of security measures used to protect infrastructure, personnel, supply chains or operational assets.


Situational Awareness
A shared understanding of the current operational environment, including threats, incidents, vulnerabilities and response options.


Baltic Sentry
A NATO maritime security initiative launched to strengthen surveillance and protection of critical infrastructure in the Baltic Sea region.


Operation Horizon
A Polish national security operation intended to strengthen protection of critical transport, logistics and infrastructure targets.


Time-Series Evidence
Data collected over a defined period that allows analysts to identify trends, increases, decreases or changes in operational activity.


Threat Management
The coordinated process of identifying, assessing, prioritising and mitigating security threats.


Counterintelligence
Measures used to detect, prevent and counter espionage, sabotage and hostile intelligence activity.


Cyber Defence
Technical, organisational and operational measures used to protect digital systems against intrusion, disruption, theft or manipulation.


Site Protection
Physical and procedural security measures used to protect facilities, infrastructure nodes, production sites or logistics hubs.


Established Attribution
A level of attribution supported by sufficient evidence to move beyond suspicion or plausibility toward a reliable responsibility assessment.


References:


Center for Strategic and International Studies (CSIS) – Analysis "Russia’s Shadow War Against the West" (March 2025). www.csis.org/analysis/russias-shadow-war-against-west

Federal Criminal Police Office (BKA) – Situation reports and crime statistics on suspected sabotage cases in Germany. www.bka.de

European Union (EU) and NATO – Information on the maritime surveillance operation "Operation Baltic Sentry". www.nato.int

Polish Ministry of National Defence / Polish Armed Forces – Information on the infrastructure protection measure "Operation Horizon". www.gov.pl/web/national-defence

G7 Nations / The European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) – Reports on Russian FIMI and sabotage operations in Europe. www.hybridcoe.fi

European Union Agency for Cybersecurity (ENISA) / Cyber Security Authorities – Technical analyses on WhisperGate, Raspberry Robin, and SaintBot malware. www.enisa.europa.eu

European Union Agency for Law Enforcement Cooperation (Europol) – Reports on cross-border criminal proxy networks in Europe. www.europol.europa.eu


