Targeting and Tactics: Threat Actor Target Categories and Modus Operandi
27 May 2026
Richard Krauss
Russian hybrid operations driven by the GRU are escalating sharply across Europe, with incident rates nearly quadrupling into mid-2025. Focused heavily on NATO’s eastern flank, Moscow targets critical infrastructure, logistics, and defense industries. To maintain plausible deniability, the GRU recruits criminal proxies by exploiting migration flows. NATO has shifted to an anticipatory posture: Operation “Baltic Sentry” secures the Baltic Sea, while severe hybrid attacks can now trigger Article 5.
The quantitative trajectory of these attacks indicates an exponential escalation. Data compiled by the Center for Strategic and International Studies (CSIS) records an increase from 3 incidents in 2022 to 12 in 2023, reaching 34 registered sabotage acts in 2024—marking a near-tripling year-over-year. Concurrently, the International Institute for Strategic Studies (IISS) documented over 50 confirmed or suspected incidents by mid-2025, representing a near-quadrupling compared to the previous year. This statistical discrepancy is methodologically explained by differing tracking parameters: while CSIS focuses strictly on physical sabotage, the IISS incorporates a broader spectrum of hybrid threats into its assessments.
The GRU's tactical targeting is evenly distributed across vital strategic sectors. Transport infrastructure—including rail networks, logistics vehicles, and aviation—and government or military installations each account for 27 percent of all attacks. An additional 21 percent target critical national infrastructure (CNI), such as pipelines, power grids, and undersea cables, while the remaining 21 percent focus on industry, particularly defense manufacturing and its supply chains. Regarding tactics, incendiary and explosive devices dominate at 35 percent, involving magnesium igniters and improvised firebombs. Physical kinetic actions using blunt or sharp objects comprise 27 percent, followed by electronic warfare disruptions, such as GPS jamming, at 15 percent. The remaining 23 percent of tactical operations consist of disruptive cyberattacks and coordinated disinformation campaigns.
Geographically, the operational focus remains concentrated on NATO’s eastern flank, demonstrating a functional division of labor within the Baltic states. Estonia records the highest density of vandalism and cyber incidents; Lithuania is primarily targeted for incendiary and logistics sabotage; while Latvia serves as a focal point for espionage and cognitive operations. Specific judicially documented GRU operations include an arson attack on an IKEA distribution center in Vilnius (May 2024), targeted vandalism against the vehicles of Estonian politicians and journalists (December 2023), the desecration of Soviet-era monuments, the deployment of incendiary parcels, and coordinated bomb threats. In the maritime domain and across the northern flank, this threat manifests as widespread GPS jamming in the Baltic Sea, damage to the Estlink-2 and C-Lion1 undersea cables, and cyber operations targeting Polish, Danish, and Norwegian energy and heating plants between 2024 and 2025.
To execute these operations under plausible deniability, the GRU utilizes an asymmetric proxy network. Recruitment primarily targets Ukrainian or Moldovan nationals as well as organized crime networks, with operators compensated between 5,000 and 11,000 EUR per assignment. This mechanism systematically exploits migration flows and financial vulnerabilities. For European host nations, this practice presents a severe domestic security risk, straining social integration and complicating counter-espionage and intelligence surveillance. Intelligence attribution, however, remains robust across more than 150 investigated incidents since 2022, sustained by forensic evidence of explosive residues, cryptocurrency tracking via Tether (USDT), communication data, and electronic pattern analysis. Security services in Poland, Germany, the United Kingdom, and the Baltic states directly attribute these operations to identified GRU officers. In an assessment delivered on May 27, 2026, GCHQ Director Anne Keast-Butler confirmed daily scaling hybrid activity targeting democratic processes, supply chains, and critical infrastructure.
The NATO defense strategy is governed by the 2015 Hybrid Threat Strategy, anchored on the three pillars of preparation, deterrence, and defense. To meet the evolving threat landscape, severe hybrid acts have, since 2016, been designated as potential triggers for an Article 5 collective defense response on a case-by-case basis. Core defensive components include the reinforcement of the seven Baseline Resilience Requirements across member states, alongside the Critical Undersea Infrastructure Coordination Cell and the joint NATO-EU Task Force established in 2023. In the maritime domain, Operation Baltic Sentry (launched January 2025) has intensified NATO’s presence in the Baltic Sea through the deployment of frigates, maritime patrol aircraft (MPA), mine countermeasures vessels, and uncrewed underwater and surface vehicles (UUVs/USVs). Furthermore, Counter Hybrid Support Teams provide direct forensic and attribution assistance to affected nations. Collectively, the Alliance is executing a doctrinal shift toward an anticipatory posture, emphasizing forward defense on the eastern flank and calibrated counter-measures—including offensive cyber operations, economic sanctions, and strategic naming-and-shaming—to maximize operational costs for the adversary.
Summary (translated from the German):
Russian hybrid attacks in Europe are strategically directed by the GRU military intelligence service. The campaign combines physical sabotage, cyber operations, and electronic warfare to damage logistics chains and critical infrastructure.
The intensity is escalating exponentially: CSIS recorded an increase from 3 incidents in 2022 to 34 in 2024. The IISS documented more than 50 incidents by mid-2025, as it covers a broader hybrid spectrum. Targets are split at 27 percent each for transport and military, and at 21 percent each for the defense industry and critical infrastructure. Among tactics, incendiary and explosive devices dominate (35 percent), followed by cyber operations (23 percent) and GPS jamming (15 percent).
The focus is NATO's eastern flank. In the Baltic states, the GRU uses a functional division of labor and recruits criminal proxies from refugee movements. Western attribution to the GRU is secured through crypto financial flows. NATO is responding with a doctrinal shift toward forward defense. Severe hybrid attacks can trigger Article 5; Operation Baltic Sentry actively secures the Baltic Sea.
References:
Center for Strategic and International Studies (CSIS): Russia’s Shadow War Against the West, report, March 2025.
International Institute for Strategic Studies (IISS): Scale of Russian Sabotage Operations, data analysis, August 2025.
Royal United Services Institute (RUSI): Responding to Russian Sabotage Financing, specialist publication, January 2026.
Recorded Future: Russian Hybrid Threats Report, technical situation report, June 2025.
North Atlantic Treaty Organization (NATO): Countering Hybrid Threats Doctrine, official strategy document, January 2026.
Government Communications Headquarters (GCHQ): Keynote speech and situation assessment by Director Anne Keast-Butler, 27 May 2026.
Judicial authorities of the Baltic states: Investigation reports and crime statistics of the Prosecutor General's Offices of Estonia and Lithuania on sabotage and vandalism cases, 2024–2026.