top of page

Intel Brief: Russian sabotage activities in Europe


Date: 23/05/2024

Where: European continent

Who’s involved

  • Poland, Lithuania, Estonia, Latvia, Germany, UK and other European countries

  • Russian secret services, Russian military intelligence, Russian-affiliated cyber actors (Fancy Bear, Cozy Bear and others), European citizens

What happened?

  • On 20/05/2024, Polish authorities arrested nine people, including Belarusian citizens, in connection with acts of sabotage committed in the country on the order of Russian services. The acts included beatings, arson and attempted arson, both in Poland and Lithuania. According to the authorities their plans might have also affected Latvia and possibly Sweden. 

  • At the beginning of May 2024 the German federal government lashed out at the Kremlin for an espionage campaign which targeted emails belonging to the Social Democratic Party, the party of German Chancellor Scholz, and defense and aerospace firms. The campaign was conducted in 2022 and 2023 by Fancy Bear, an cybercriminal actor strongly tied to Russia which also targeted Polish and Czech institutions and political parties. Espionage campaigns have also been conducted by Cozy Bear, which is also affiliated with the Russian Foreign Intelligence Service. Cozy Bear conducted phishing campaigns in 2024 to collect intelligence against German political parties but also European diplomatic entities, including in Latvia and Czech Republic. 

  • On 29/04/2024, Finnair announced the suspension of all its flights to Tartu, Estonia, until 02/06 to GPS interference in the area of the airport, which is situated around 40 km from the border with Russia. On 25 and 26 April Finnair airplanes had to divert back to Finland as GPS interference prevented landing in Tartu. Different approach methods were implemented in cooperation with the airport to avoid reliance on GPS systems. 

  • On 18/04/2024, two German-Russian nationals were arrested in Germany for planning sabotage attacks, including bombings and arson attacks against infrastructure and US military bases in the country, to undermine weapons and aid delivery to Ukraine. A few weeks earlier the Czech Republic’s transport minister warned that Russia was trying to interfere with the European railways network, especially with cyberattacks, in order to destabilize critical infrastructure. Attacks were more frequently targeting railway companies in the Baltic states. Another group was discovered in March of the previous year in Poland, which was collecting intelligence on railways and transport routes along the border with Ukraine to disrupt European aid to Ukraine. These are only the latest incidents that have been part of a widespread campaign conducted at the same time of military operations in Ukraine. 

  • At the beginning of April 2024, after independently conducting an investigation, Der Spiegel reported that the two main members of the German far-right party Alternative für Deutschland accepted payments from media portal Voice of Europe, which had been used by Russia to spread pro-Kremlin propaganda in Europe.

  • On 03/03/2024, state-controlled media Russia Today leaked a recording of a telephone conversation between four German military officers discussing the provision of aid to Ukraine, including potentially the much debated Taurus missiles and possible targets for their use. The delivery of Taurus missiles at the time was the subject of a very heated debate as German authorities were very cautious due to the possibility of using them to target Russian territory. 

  • On 20/02/2024, Estonian authorities arrested ten people suspected of sabotage to create fear in the country on the orders of Russian intelligence agencies. The group carried out various activities, including attacks against politicians and journalist properties and possibly against memorials. 



  • Since the beginning of the Russian invasion of Ukraine in 2022 and the subsequent European support of Kyiv, Russia has increased malicious activities in the continent to hamper Western efforts to help Ukraine. Disruptive activity has targeted especially those countries who have been particularly vocal and active against Russia, including many Eastern European and Baltic countries but also Germany and the United Kingdom. While in the past the Kremlin rarely carried out covert activities in European countries, Russian operations are now more ambitious, more frequent and in some cases even more open. European countries haven’t been able to bring about significant consequences for Russian disruptive actions, although they have stepped up preventive measures in order to stop plans from actualizing. 

  • Russian subversive activities have employed different strategies, as it has become harder for Russian agents to infiltrate European territory with the current travel restrictions. Russian agents often partner up with local organized crime networks and other local actors

  • Countries hosting delivery lines for military aid to Ukraine have been experiencing sabotage plots against their railways and transportation routes to slow down weapons shipments, which are vital for Ukraine to oppose Russian advances in the eastern part of the country. On the other hand, countries like Germany, where certain weapon shipments have been more controversial, have experienced increased propaganda operations through subtle means, like the leaking of the phone conversation on the possible shipment of Taurus missiles. These moves were intended to put pressure on governments and sway the public opinion to decrease support for weapon shipments to Ukraine. Propaganda campaigns have been aided by prominent pro-Russian parties in many countries, mostly in the far right, especially with European elections approaching. These elections will be important as the composition of the next European Parliament and, as a consequence, the next European leadership will be able to influence the course of EU policy for the next few years. 

  • Due to physical travel restrictions and sanctions, cyberspace has gained importance for Russian destabilizing efforts. Russian secret services are now relying on a network of actors, such as Cozy Bear and Fancy Bear, to collect political and military intelligence. The information collected has often been leaked strategically to depict European institutions and governments negatively and turn public opinion against them. These cyber threat actors are also able to attack critical infrastructure, including transport-related infrastructure. For example, they’ve shown their ability to take down telecommunication networks but also to remotely control machinery at foreign water facilities. 

  • Aviation has also been affected by Russian operations in the Baltics and over the Black Sea. Northern European countries bordering with Russia have experienced a surge in GPS jamming since the start of the war, which also affected emergency aircrafts and land vehicles. Reports about interference along the Norwegian-Russian border are coming in almost every day since the start of 2024. While GPS jamming does not pose a severe danger per se, it can be extremely disruptive in emergency situations.


While Russia always had the capabilities to conduct covert operations on European territory, operations have recently become bolder, more public and more sophisticated. As Ukraine’s efforts to stop Russian advancements in its territory get increasingly dependent on Western military aid, Russia has stepped up its attempts to stop shipments of military aid, both through damage to critical infrastructure and propaganda campaigns aimed at reducing public support for Ukraine. On the other hand, European countries have expanded their counter-intelligence efforts, resulting in more and more malicious plots being stopped from taking place. Nonetheless, current events show an increased and more overt malicious activity in the continent that will likely remain as long as hostilities continue. 


202405 Russian espionage_sabotage Intel Brief
Download PDF • 1.01MB



bottom of page