Published March 18, 2025
The Issue
Russia is conducting an escalating and violent campaign of sabotage and subversion against European and U.S. targets in Europe led by Russian military intelligence (the GRU), according to a new CSIS database of Russian activity. The number of Russian attacks nearly tripled between 2023 and 2024. Russia’s primary targets have included transportation, government, critical infrastructure, and industry, and its main weapons and tactics have included explosives, blunt or edged instruments (such as anchors), and electronic attack. Despite the increase in Russian attacks, Western countries have not developed an effective strategy to counter these attacks.
Introduction
Russia is engaged in an aggressive campaign of subversion and sabotage against European and U.S. targets, which complements Russia’s brutal conventional war in Ukraine. The number of Russian attacks in Europe nearly tripled between 2023 and 2024, after quadrupling between 2022 and 2023. Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (or GRU), was likely responsible for many of these attacks, either directly by its own officers or indirectly through recruited agents. The GRU and other Russian intelligence agencies frequently recruited local assets to plan and execute sabotage and subversion missions. Other operations relied on Russia’s “shadow fleet,” commercial ships used to circumvent Western sanctions, for undersea attacks.
The data indicate that Russia poses a serious threat to the United States and Europe and that the Russian government, including President Vladimir Putin, cannot be trusted. Roughly 27 percent of the attacks were against transportation targets (such as trains, vehicles, and airplanes), another 27 percent were against government targets (such as military bases and officials), 21 percent were against critical infrastructure targets (such as pipelines, undersea fiber-optic cables, and the electricity grid), and 21 percent were against industry (such as defense companies). Many of these targets had links to Western aid to Ukraine, such as companies producing or shipping weapons and other matériel to Ukraine. Russia also used a variety of weapons and tactics. The most common (35 percent) involved explosives and incendiaries. Other weapons and tactics included blunt or edged instruments (27 percent), such as anchors used to cut undersea fiber-optic cables; electronic attack (15 percent); and the weaponization of illegal immigrants (8 percent).
The increase in attacks indicates that the West has failed to coerce Russia into stopping its campaign of sabotage and subversion. Russian attacks are not just a European problem, but a U.S. problem as well. The GRU and other organizations have conducted operations against U.S. targets, such as U.S. bases in Germany. The United States and European countries, including the European Union and NATO, have largely focused on defensive measures to counter Russian actions, such as sharing intelligence and strengthening resilience (including cyber defense). While these efforts are necessary, they are not sufficient. NATO countries should develop a calibrated offensive campaign against Russia that includes several components: escalating sanctions against Moscow; targeted offensive cyber operations against important Russian military and commercial targets; information and influence operations targeting the populations of Russia and its partners, such as Belarus; and more aggressive actions against assets valuable to Russia, such as its shadow fleet. In short, NATO should design a campaign to escalate the costs on Russia should the country continue such operations.
To better understand Russian actions, this brief asks several questions. What are Russian objectives in conducting these attacks? What are the main tactics and targets of Russian actions? And what should the United States and other Western countries do to better deter and counter Russian activity?
To answer these questions, the analysis utilizes several sources of data. Most importantly, it builds and analyzes a database of Russian destructive attacks and plots between January 2022 and March 2025, including date, location, target, weapon, and other information.1 In addition, it supplements this database with an overview of historical Russian and Soviet activity. It also utilizes data from other sources, such as CSIS’s database of hundreds of cyber incidents since 2006. Finally, it uses information from interviews with U.S. and European government officials.
The rest of this brief is divided into five sections. The first provides an overview of actions below the threshold of conventional warfare, including their historical use by the Soviet Union and Russia. The second section assesses Russian motivations for conducting this type of warfare, including the benefits and drawbacks. The third examines the main Russian actors involved in planning and executing its shadow war, from the Kremlin to the GRU and local recruits. The fourth section analyzes the primary trends in Russia’s actions, including geographic location, targets, and weapons. And the fifth outlines policy implications for the United States and its allies.
Russian Shadow Wars: The Historical Context
Actions below the threshold of conventional warfare have long been an important component of statecraft.2 U.S. military doctrine refers to these types of actions as “irregular warfare” or “irregular activities,” while European governments have frequently referred to these actions as “hybrid warfare” or “hybrid threats.”3 Others have used different terms to capture some or all of these actions, such as gray zone activity, political warfare, asymmetric conflict, unconventional warfare, and low-intensity conflict.4 These types of activities involve states using tools of statecraft below the threshold of conventional warfare to shift the balance of power in their favor. Examples include:
- Information and influence operations, including psychological operations and propaganda.
- Offensive cyber operations and electronic warfare.
- Support to state and non-state partners, such as guerrillas and proxy forces.
- Covert and clandestine actions by intelligence and special operations forces, including sabotage and subversion.
- Economic coercion.5
Russia and the Soviet Union have a rich tradition of conducting this type of warfare. During the Cold War, the Soviet Union developed an aggressive campaign to influence populations across the globe in ways that aided Soviet interests and undermined the United States and its allies, which was best captured in the phrase “active measures” (or активные меры).6 Led by the KGB, the Soviet Union’s premier spy agency, active measures included several types of activities:
- Written and oral disinformation (or дезинформация), including “gray” (unattributed) and “black” (falsely attributed) propaganda.
- The use of agents of influence, including foreign academics and media assets.
- Clandestine radio stations.
- The use of foreign political parties and international front groups to pursue Soviet national security objectives.
- Support for international revolutionary and terrorist organizations, including national liberation movements.
- Political blackmail and kidnapping.
- Targeted assassinations, including the killing of defectors.7
Soviet active measures focused primarily on the United States, which the Soviet Union referred to as the main opponent or adversary (or главный противник), though the KGB and other Soviet agencies, such as the GRU, also focused on Western European and other countries in order to undermine U.S. influence and alliances. As one former Warsaw Pact intelligence operative noted:
Target No. 1 was the United States. . . . The objective was to hurt the United States wherever and whenever it was possible, to weaken the positions of the United States and Western Europe, to create new rifts within the NATO Alliance, to weaken the position of the United States in developing countries, to cause new rifts between the United States and developing countries, to disinform the United States and the Western allies about the military strength of the Soviet bloc countries.8
The documents collected by Vasili Mitrokhin, an archivist for the Soviet Union’s foreign intelligence service who defected to the West just as the Cold War ended, provide some of the most illuminating insights into Soviet active measures. As one KGB analysis explained, “The main value of all Active Measures lies in the fact that it is difficult to check the veracity of the information conveyed and to identify the real source. Their effectiveness is expressed as a coefficient of utility, when minimum expenditure and effort achieves maximum end results.”9 In addition to active measures, the Soviet Union and more recently Russia also used such strategies and tactics as denial and deception (or маскировка) and information confrontation (or информационное противоборство).10
Russian Strategy
Today, Russian active measures support the following types of foreign policy objectives:
- Influencing public opinion through psychological operations in Europe, the United States, and other countries to support Russian interests.
- Coercing governments, companies, or individuals to stop taking specific actions, particularly curbing military and other assistance to Ukraine.
- Deterring countries, companies, or individuals from taking specific actions, such as escalating the type and amount of military aid to Ukraine.
- Deterring Russian soldiers, government officials, and citizens from defecting to the West.
- Creating fissures between governments, especially between NATO allies.
- Undermining the democratic norms and values that underpin the West.
These types of operations have several benefits, which make them attractive to Russian leaders. First, they allow countries to conduct coercive activities against a state below a threshold that is likely to trigger a costly or risky conventional war. Countries generally do not respond to actions below the threshold of conventional warfare by declaring war on the perpetrator. For example, Article 5 of the North Atlantic Treaty states that an armed attack against one NATO member is considered an attack on all members. But NATO governments typically do not consider active measures “an armed attack” that requires collective self-defense.11 This means that perpetrators, including Russia, know that they can conduct these activities without causing a conventional war. As a 2024 Norwegian intelligence assessment concluded, “Any act of sabotage would most likely be performed in a manner that would make it challenging to prove who was behind it. One important reason for this is that Russia wants to avoid any situation that could trigger Article 5 of the NATO Treaty regarding collective defense.”12
Second, these types of actions are relatively inexpensive for perpetrators. Unlike conventional war, they generally do not require vast sums of money and do not cause the perpetrator to suffer substantial casualties. Some of these actions—such as offensive cyber, electronic warfare (including GPS jamming), and influence operations—can also be done from a state’s own territory, a third country, or virtual networks.
Third, these types of actions are often deniable, and targeted governments are frequently cautious—sometimes overly cautious—about attributing them due to fear of escalation. Since they may not be directly perpetrated by a government operative, countries can—and generally do—deny responsibility. Governments have frequently used a number of entities as cut-outs, such as local recruits, including criminal organizations or diaspora populations, non-governmental organizations, and companies. Russia has also used commercial vessels, such as the oil tanker Eagle S, which sailed under the flag of the Cook Islands, for sabotage operations.13
Despite these benefits, however, actions below the threshold of conventional warfare have limitations. To begin with, they often have a limited impact. For example, it is difficult to conquer a country using irregular or hybrid means.14 In addition, local assets recruited to conduct covert actions may not be professional operatives with extensive training in strategic sabotage and tradecraft beyond what their case officers can teach them, undermining the effectiveness of these operations. As the head of MI5, Ken McCallum, remarked about Russian actions in Europe, “Russia’s use of proxies further reduces the professionalism of their operations, and—absent diplomatic immunity—increases our disruptive options.”15 MI6 chief Richard Moore similarly noted that Russia is “having to do it through criminal elements” in Europe, which has some costs. “Criminals do stuff for cash,” he noted. “They’re not reliable. They’re not particularly professional. . . . I think Russian intelligence services has gone a bit feral, frankly, in some of their behavior.”16
Outsourcing actions to non-state or quasi-state actors creates a classic principal-agent problem.17 If a group’s or actor’s goals are not closely aligned with those of its patron, the potential for agency loss is high and local recruits could go rogue. These types of actions can also trigger a response from the targeted government or governments, even if it is not a conventional war. Examples include economic sanctions, expulsion of government officials, the arrest and imprisonment of perpetrators, or even irregular and hybrid actions in response. Finally, these types of actions can backfire and cause a rally-around-the-flag effect in the targeted country by increasing resolve among the affected population, strengthening opposition to the sponsor’s policies, and driving up military spending, as well as increasing interest in balancing alliances.
Russian Actors
Russian covert operations against the West are part of its foreign policy, and decisionmaking for them is centralized in the Kremlin and led by an experienced hand in covert action, President Vladimir Putin. As an operative in the KGB, Putin served in the station (or резидентура) in Dresden, East Germany, and helped spearhead active measures against West Germany.18 He later became head of the Federal Security Service (FSB), a successor to the KGB involved in countering foreign intelligence services, combating organized crime, and ensuring economic and financial security. Putin has long supported strategies and tactics below the threshold of conventional warfare.
Within the Kremlin, there have been several reforms regarding the organization and implementation of active measures. Around 2022, Russian Presidential First Deputy Chief of Staff Sergey Kiriyenko established the Committees of Special Influence, which is responsible for assigning Russian special services with specific tasks in target countries. In addition, activities such as violent provocations are authorized by a committee of the National Security Council under the guidance of its secretary, Sergei Shoigu.19
The main Russian organization involved in active measures is the GRU, headed by Admiral Igor Kostyukov. In addition, Andrei Averyanov, deputy head of the GRU, is likely responsible for overseeing all active measures other than those targeting Ukrainian territory. Averyanov established the Service for Special Activities, which includes three main entities: Unit 29155, Unit 54654, and a headquarters and planning department for coordinating the Service for Special Activities.20
GRU Unit 29155 is the most well known of these entities. It is also referred to as the 161 Intelligence Specialists Training Centre (Центр подготовки специалистов специального назначения), or 161 Centre. Soviet leaders established the unit in 1963 and brought together human intelligence and special operations personnel. Today, some evidence suggests that the 161 Centre is organized into a headquarters unit, three training units, an operational planning unit, three operational units, a financial and logistical unit, and a supply unit. It deploys personnel to Europe and other locations for active intelligence under partial legalization. For Russia’s special services, “legalization” involves the establishment of a cover identity that allows an individual to conduct covert activity in a target country or countries. Depending on the duration of the activity, Russia divides legalization into “full” and “partial” categories. Full legalization generally means that an operator stays in place for an indefinite period of time, while partial legalization assumes a short-term stay and basic levels of scrutiny by the target government’s intelligence or law enforcement services.21
GRU Unit 29155 was linked to the March 2018 nerve agent poisoning in the United Kingdom of Sergei Skripal, a former GRU officer who had worked for British intelligence and then defected, along with his daughter. The unit was also likely behind the September 2020 poisoning of Russian opposition politician Aleksei Navalny; a campaign to provide money to Taliban-linked militants in Afghanistan to target foreign forces, including potentially U.S. troops; a failed coup attempt in Montenegro in 2016; and the poisoning of Bulgarian arms dealer Emilian Gebrev, his son, and his business manager in 2015.22
GRU Unit 54654 is designed to build a network of illegal operatives operating under full legalization. The unit recruits individuals with prior military service or other backgrounds—including foreign students studying at Russian universities. It also recruits contractors through front companies, keeps their names and personally identifiable information out of government records, and embeds its officers in Russian ministries unrelated to defense or in private companies.23
There are other GRU organizations involved in subversive activities—particularly cyber operations—such as GRU Unit 26165 (also referred to as Fancy Bear) and GRU Unit 74455 (also referred to as Sandworm).24 The United States and European Union have sanctioned a wide range of GRU operatives for their involvement in clandestine activity. For example, the European Union sanctioned Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov from GRU Unit 29155 for their involvement in cyberattacks against Estonia.25 The United States also sanctioned GRU officer Valery Korovin for his involvement in influence operations targeting the 2024 U.S. presidential election.26
Russia’s Foreign Intelligence Service (SVR), the Main Directorate for Deep Sea Research (GUGI), and the FSB have also been involved in active measures in Europe, the United States, and other countries. SVR cyber units, such as Nobelium (also known as Advanced Persistent Threat 29, the Dukes, Cozy Bear, and Midnight Blizzard), have conducted a wide range of cyberattacks against U.S. and European targets.27 As Microsoft assessed in one attack, their cyber analysts identified “Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors.”28 The SVR’s Nobelium unit was involved in the massive data breach of SolarWinds, a company based in Austin, Texas, that made network monitoring software. The SolarWinds supply chain attack gave Russia the ability to spy on and disrupt more than 18,000 computer systems across the globe, including in the U.S. Departments of Commerce, State, Defense, and the Treasury.29
GUGI is a secretive Russian agency belonging to the Russian Ministry of Defense that operates submarines and vessels that can engage in sabotage, such as cutting undersea fiber-optic cables, collecting intelligence, and conducting other operations.30 There are currently 16 cables running under the Atlantic that connect the United States with mainland Europe. They are primarily operated by such companies as Google, Microsoft, France’s Alcatel Submarine Networks, and China’s Huawei Marine Networks. Submarine cables are critical for global communication and account for roughly 95 percent of all transatlantic data traffic. These cables are vulnerable to subversion and sabotage, even from the anchors on ships.31 When ships drag anchors on the bottom of the seabed, it can either completely sever cables or cause partial damage that over time leads to deterioration—and ultimate failure—of the cable.32 As a result, Russia does not even need to use GUGI’s specialized equipment to disrupt these cables.
European Voices
- Richard Moore, head of MI6, the United Kingdom’s foreign intelligence agency: “We have recently uncovered a staggeringly reckless campaign of Russian sabotage in Europe, even as Putin and his acolytes resort to nuclear saber-rattling, to sow fear about the consequences of aiding Ukraine, and challenge Western resolve in so doing.”[33]
- Ken McCallum, head of MI5, the United Kingdom’s domestic intelligence agency: “The GRU in particular is on a sustained mission to generate mayhem on British and European streets: we’ve seen arson, sabotage and more. Dangerous actions conducted with increasing recklessness.”[34]
- Anne Keast-Butler, director of GCHQ, the United Kingdom’s main cyber agency: The United Kingdom “is increasingly concerned about growing links between the Russian intelligence services and proxy groups to conduct cyber attacks—as well as physical surveillance and sabotage operations.”[35]
- Thomas Haldenwang, head of the Federal Office for the Protection of the Constitution, or BfV, Germany’s domestic intelligence agency: “We have been observing aggressive actions by the Russian intelligence services for some time now. Russia is using the entire toolbox, from influencing political discussions to cyber attacks on critical infrastructure to sabotage on a significant scale.”[36]
- Bruno Kahl, head of the Bundesnachrichtendienst, or BND, Germany’s foreign intelligence agency: “Whether we like it or not, we are in direct confrontation with Russia.”[37]
- Donald Tusk, prime minister of Poland: “Russia was planning acts of air terror, not only against Poland but against airlines around the world.”[38]
- An analysis by the Polish Ministry of Foreign Affairs: “The Russian Federation is waging a hybrid war against Poland. This includes cyberattacks and assaults at Poland’s eastern frontier, which is also the Schengen areas’ border.”[39]
- Radoslaw Sikorski, Polish foreign minister: “I have information that the Russian Federation is behind sabotage attempts both in Poland and allied countries.”[40]
- Tomasz Siemoniak, Polish interior minister: “We are facing a foreign state that is conducting hostile and—in military parlance—kinetic action on Polish territory. There has never been anything like this before.”[41]
- An analysis by NATO: “NATO Allies are deeply concerned about recent malign activities on Allied territory, including those resulting in the investigation and charging of multiple individuals in connection with hostile state activity affecting Czechia, Estonia, Germany, Latvia, Lithuania, Poland, and the United Kingdom. These incidents are part of an intensifying campaign of activities which Russia continues to carry out across the Euro-Atlantic area, including on Alliance territory and through proxies. This includes sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations. NATO Allies express their deep concern over Russia’s hybrid actions, which constitute a threat to Allied security.”[42]
- Vice Admiral Nils Andreas Stensoenes, head of the Norwegian Intelligence Service (NIS): “The risk level has changed. We believe sabotage is more likely, and we see acts of sabotage happening in Europe now which indicate that they (the Russians) have moved a bit on that scale.”[43]
- Kaja Kallas, prime minister of Estonia: “There’s a shadow war going on against our societies. The aim of Russia’s influence operations is to influence our democratic decision making. By making these events public, we raise awareness so that these operations would not have the effect Russia is hoping for.”[44]
Finally, Russia uses a wide range of non-state or quasi-state actors to conduct active measures. The significant expulsion of Russian spies from Europe since 2022 has, in part, forced Moscow to rely on other networks, though governments have long used non-state or quasi-state entities for actions below the threshold of conventional warfare. One example is criminal organizations.45 As Ken McCallum, head of MI5, explained, “The more eye-catching shift this year has been Russian state actors turning to proxies for their dirty work, including private intelligence operatives and criminals from both the UK and third countries.”46 In addition, the GRU and other Russian organizations have frequently relied on local recruits, sometimes referred to as “disposable agents.”47 In some cases, Russia has recruited these individuals on Telegram channels, through chat functions of popular online games, or through other online locations.48 The GRU and other organizations have recruited Russian-speaking, and on some occasions technologically savvy, young men between 20 and 30 years old. Some may be ideologically motivated and support Russia, while others may simply do it for the money.49
Russia has also used commercial ships, including its “shadow fleet,” to conduct active measures such as sabotage.50 The shadow fleet emerged as a way for Russia to circumvent Western-imposed sanctions on Russian oil transported by sea. To skirt the restrictions, the Kremlin invested billions of dollars in a fleet of tankers whose ownership is difficult to trace to Russia. Many sail under the flags of other nations—such as Gabon, Liberia, the Marshall Islands, and Panama—and sell to buyers in countries like China and India.51 According to one assessment, approximately 70 percent of Russia’s oil is being transported by so-called shadow tankers.52 Russia has used other civilian vessels for intelligence collection and sabotage, including its vast commercial fishing fleet and marine research ships. Some of the ships are relatively modern, longer than 300 feet, and equipped with sonar and other technology that allows them to scan the seabed. Such vessels have mapped critical subsea infrastructure around Europe and identified potential targets.53
Russian Actions
Russia has conducted a wide range of active measures in Europe. This section is divided into four areas: (1) overall trends, (2) targets, (3) weapons, and (4) geographic area. It relies on several data sources. The first is a CSIS database of Russian subversive actions between January 2022 and March 2025, including date, location, target, weapon type, and other information. The data cover Russian attacks and plots that had (or were intended to have) physical effects, such as weapons and tactics using explosives, other incendiaries, firearms, and anchors for cutting undersea fiber-optic cables. Attribution is always difficult for active measures. Before including an incident in the database, CSIS identified at least three credible sources for the direct or indirect involvement of the Russian government, interviewed government and non-government experts, and asked several experts to review the data and analysis. In addition, CSIS assessed the level of confidence for each incident.54
The CSIS database excluded several types of activities. For example, most Russian cyber operations were excluded. It is virtually impossible to build a comprehensive unclassified database of cyber operations, since cyberattacks do not necessarily have a physical effect (such as a warehouse blowing up, an individual assassinated, or a cable cut) and the targets (such as foreign government agencies and companies) have numerous incentives not to publicly acknowledge the attacks. In addition, Russia and other state actors frequently perpetrate cyber operations to collect intelligence, not necessarily to impose a cost on a foreign state or other entity. However, the CSIS database did include those incidents where Russian cyber or electronic warfare attacks had an observable physical effect. These types of attacks are designed to disrupt critical infrastructure, such as power grids, water systems, and transportation networks, and can lead to power outages, disruptions, or physical harm.
The CSIS database also excluded Russian disinformation campaigns, such as election interference and efforts to sow discord or otherwise influence the populations or governments in Europe, the United States, and other locations. Much like cyberattacks, it is virtually impossible to build a comprehensive unclassified database of information or influence campaigns since attacks frequently do not have a physical effect and the targets have numerous incentives not to publicly acknowledge the attacks. Nevertheless, Moscow has developed an aggressive campaign to interfere with democratic elections in individual countries and European Parliament elections, co-opt politicians for elite capture, and spread disinformation.55 As noted previously in this analysis, the Soviet Union and such organizations as the KGB have a rich history of disinformation campaigns and other active measures.
Overall Trends in Attacks
The most significant finding from the data is that the number of Russian attacks in Europe nearly tripled between 2023 (12 attacks) and 2024 (34 attacks), after quadrupling between 2022 (3 attacks) and 2023. As noted in more detail below, Russian agencies orchestrated attacks in 2024 against a wide range of targets, from critical infrastructure to transportation targets, using a variety of weapons and tactics, from explosives to blunt or edged weapons such as anchors.
What factors caused this dramatic increase? While it is difficult to know with certainty, there are likely several factors.
First, it appears that Russia made a strategic decision to escalate its shadow war in Europe in response to U.S. and European aid to Ukraine. Many of the targets were linked to Ukraine in some capacity. Examples range from a Russian military defector assassinated in Spain to a series of companies—such as BAE Systems, Rheinmetall, German Diehl Group, and EMCO—that produce weapons for Ukraine. As a Norwegian intelligence assessment concluded, one of the primary Russian targets in Norway includes “actors involved in arms donations and the training of Ukrainian personnel. They are especially at risk of being targeted because arms deliveries could have a direct impact on the battlefield in Ukraine.”56 There were also no recorded incidents against several countries that did not provide significant aid to Ukraine, such as Hungary and Serbia, which suggests that Moscow was deliberate in where it conducted attacks—as well as where it did not conduct attacks.
Second, Russia may have increased its attack tempo because there were few, if any, costs for its actions. Russian leaders knew they could get away with attacks—including an escalation in attacks—without paying a major price.
Targets
Russia’s most frequent targets in Europe were in the transportation sector (27 percent), such as trains and airplanes (including through GPS jamming), and against government targets (27 percent), such as government officials, military bases, and border crossings. Russia also conducted attacks on critical infrastructure (21 percent), such as pipelines and undersea fiber-optic cables, and industry (21 percent), such as defense companies.
Maritime, land, and air transportation targets were a major focus of Russian active measures. Germany experienced a railway cable-cutting attack in 2022. In addition, Russia conducted multiple attacks against Poland’s rail system.57 Russia also targeted airplanes through electronic attack.
Critical infrastructure attacks were also a focus of Russian operations, including undersea cables and pipelines. Finnish investigators assessed that the Newnew Polar Bear, a Chinese-registered ship operated by a Russian crew, damaged two subsea data cables and a gas pipeline in the Baltic Sea with its anchor. The ship was trailed by the Sevmorput, a nuclear-powered merchant ship owned by the Russian government.58 In addition, the Eagle S, an oil tanker, apparently dragged its anchor and damaged a cable in the Gulf of Finland.59 The Vezhen, a Maltese-flagged ship, damaged an undersea fiber-optic cable linking Latvia and Sweden. Armed police parachutists from Sweden promptly boarded the ship.60 Finally, the Chinese ship Yi Peng 3, which had a Russian captain, cut an undersea cable on its journey through the Baltic Sea.61
The use of some Chinese cargo ships, with Russian crew, is noteworthy because China has also engaged in attacks against Taiwan’s undersea fiber-optic cables.62 Taiwan has approximately 14 international underwater submarine cables and 10 domestic ones, as well as limited satellite access in low Earth orbit, making it vulnerable to a subversive campaign. In January 2025, for example, a Chinese-owned vessel cut an undersea fiber-optic cable near Taiwan’s Keelung Harbor.63 While it is unclear to what degree Russia and China have cooperated and shared lessons, both countries have adopted a similar tactic (the use of commercial vessels) against similar targets (undersea cables and pipelines).
Private industry, especially the defense industry, was also a common target of Russian activity. The two largest European donors of military aid to Ukraine—Germany and the United Kingdom—experienced attacks on numerous defense manufacturing plants.64 In May 2024, for example, a major fire broke out at a Diehl Group factory in Berlin, which manufactures IRIS-T surface-to-air missiles used in Ukraine.65 A month earlier, there was an explosion at a weapons manufacturing site in South Wales belonging to BAE Systems, the United Kingdom’s largest arms manufacturer, which has supplied ammunition, weapons, and other defense equipment to Ukraine.66
Russian sabotage occurred in other countries as well. There was an explosion linked to Russian services at a warehouse in Spain that stored communications equipment bound for Ukraine.67 Less than a year earlier, explosions went off in the ammunition warehouses of the Bulgarian arms manufacturer and trader EMCO, only days after Bulgaria announced it would officially join the coalition to supply shells to Ukraine.68
Russia also targeted several types of individuals that cut across government and industry sectors: corporate executives, including ones involved in supplying weapons and other matériel to Ukraine; journalists that investigated Russian activity; Russian defectors to the West, including a Russian soldier; and Ukrainian officials. Several were assassination plots that failed: one in Poland targeting Ukrainian President Volodymyr Zelensky; one in Austria against Bulgarian investigative journalist and director of the Bellingcat investigative reporting group Christo Grozev; and one in Germany targeting Armin Papperger, the chief executive officer of Rheinmetall, a large producer of artillery and tanks that had sent shells to Ukraine.69 The assassination plot against Papperger was one of the first instances in which Russia attempted to take lethal action against a Western citizen who had no previous connection to Moscow.70
There were several other attacks against individuals. One was the assassination in Spain of Maksim Kuzminov, a Russian helicopter pilot who defected from Russia in August 2023. Another was the 2024 assault in Lithuania on Leonid Volkov, a Russian citizen and former close aide of now-deceased Russian opposition leader Alexei Navalny. The assailants, who Lithuanian intelligence assessed were likely “Russian organized,” broke Volkov’s arm but failed to kill him.71 Another incident involved the vandalization of a car belonging to Estonian Minister of the Interior Lauri Läänemets.72
In addition, German prosecutors charged three Russian-German nationals—Dieter Schmidt, Alexander J., and Alex D.—with acting as secret service agents for Russia and plotting bombing and arson attacks against U.S. military bases in Germany. Dieter Schmidt also allegedly participated in other sabotage operations, including taking pictures of military installations with an aim to endanger national security.73 The U.S. bases had connections to Ukraine. At the U.S. base in Grafenwoehr, Germany, Ukrainian troops were being trained to operate M1 Abrams tanks.74
Tactics and Weapons
The most frequent types of weapons used in Russia’s shadow war were explosives or incendiaries (35 percent), including bombs; blunt or edged instruments (27 percent), such as anchors; and electronic attack (15 percent). The next most common were the weaponization of illegal immigrants (8 percent) and the use of firearms (2 percent). Russia’s use of weapons that kill, injure, or destroy property suggests that Moscow seeks to send a clear message to deter or coerce behavior, such as sending weapons to Ukraine. But the attacks had few casualties, indicating that Russia wants to keep the costs low and maximize deniability. The low level of violence has also allowed Moscow to escalate if necessary.
One of the most innovative weapons in Russian attacks was the use of electric massagers implanted with a magnesium-based flammable substance that exploded at DHL logistics hubs in Leipzig, Germany; Birmingham, England; and Jablonow, Poland. These plots may have been a test run to figure out how to get such incendiary devices aboard planes.75 Polish prosecutor Katarzyna Calow-Jaszewska concluded that Russia’s goal was to “test the transfer channel for such parcels, which were ultimately to be sent to the United States of America and Canada.”76 German police who tested models of the incendiary devices noted that once the magnesium ignited, it would have been difficult to extinguish with the firefighting systems on most airplanes.77 Fires also targeted warehouses and other targets across Europe, from the United Kingdom to Poland.78
Russian agencies utilized electronic attack and cyber operations with physical effects against transportation targets. Estonia, Finland, Lithuania, Norway, and Poland all reported specific incidents of deliberate GPS signal jamming from Russia, which led to navigation errors, flight deviations, and communication breakdowns—endangering the lives of those on board.79 Several countries, such as Poland, also reported cyberattacks against transportation targets, such as rail lines. More broadly, Russian-linked actors conducted hundreds of cyberattacks against targets in Europe, the United States, and other regions to collect intelligence, deface websites, orchestrate a denial of service, and occasionally conduct sabotage, according to a broader CSIS database of cyber incidents between 2006 and 2025 where losses were greater than a million dollars.80
Finally, Russia and Belarus weaponized illegal immigrants against several border countries, such as Finland, Latvia, Lithuania, Norway, and Poland. In 2021, Belarusian leader Alexander Lukashenko threatened to “flood” the European Union with “drugs and migrants,” and then his government sent thousands of migrants from Iraq and other countries to the borders of Latvia, Lithuania, and Poland in 2021 and 2022.81 In November 2023, Finland closed its border with Russia following a surge of border crossings instigated by Russia; 900 third-country nationals arrived in Finland without valid documentation in November alone. In the summer of 2024, Poland experienced a surge to nearly 400 illegal border crossings a day. These border crises were likely orchestrated to pressure state institutions, drain resources, and fuel anti-migrant rhetoric exploited by far-right parties across Europe.82
Geographic Area
Russia conducted attacks throughout Europe, as indicated in Figure 4. However, the attacks were largely concentrated in NATO’s eastern flank, such as Estonia, Finland, Latvia, Lithuania, and Poland, as well as waters like the Baltic Sea. In addition, Russia targeted countries that supplied weapons or other matériel to Ukraine or sheltered Russian defectors, such as Bulgaria, France, Germany, Spain, and the United Kingdom. There were no recorded attacks against countries with closer relations with Russia, such as Hungary or Serbia. Russia also did not conduct attacks against several other European states, such as Greece, Portugal, Romania, and Switzerland.83
Going on Offense
Russian active measures are not just a European problem, but a U.S. problem as well. The GRU and other organizations have plotted attacks against U.S. bases in Europe, including in Germany, and mapped undersea transatlantic fiber-optic cables that connect the United States and Europe. In addition, Russian military and intelligence agencies have conducted offensive cyberattacks, disinformation, and other active measures against the United States both at home and abroad.
Russia’s escalation of its shadow war indicates a Western failure to impose sufficient costs on Moscow. Some European leaders have refrained from attributing attacks to Moscow because they fear further escalation.84 The United States and European countries have largely focused on defensive measures to deter or counter Russian actions. Examples include:
- Increasing intelligence sharing among Western military, intelligence, and law enforcement agencies.85 In February 2023, for instance, NATO created an Undersea Infrastructure Coordination Cell to assess vulnerabilities and coordinate efforts between NATO governments and the private sector.
- Heightening patrols and surveillance. NATO established the Baltic Sentry operation to protect underwater cables and pipelines by enhancing the alliance’s surface, sub-surface, and air presence in strategic locations. The operation involved frigates, maritime patrol aircraft, submarine satellites, remotely operated vehicles, drones, and other surveillance assets.86
- Strengthening national resilience by hardening critical infrastructure, including protecting oil and gas pipelines, warehouses, and cyber networks. For example, the European Union and NATO established an EU-NATO Task Force on Resilience of Critical Infrastructure.87 Several countries, such as Finland, Sweden, the Baltic states, and Poland, have also adopted measures to strengthen resilience.
In addition, there have been some actions designed to impose costs on Russia. Examples include:
- Closing Russian consulates, such as the one in Poznan, Poland.88
- Expelling Russian government officials, including over 750 diplomats and intelligence officials between February 2022 and October 2024.89
- Denying diplomatic visa applications to potential Russian spies.90
- Arresting and prosecuting perpetrators of attacks, such as Dylan Earl for allegedly sabotaging Ukrainian businesses in east London, Alexander Suranovas (also known as Igor Prudnikov) for his apparent involvement in the DHL bombing plot, Dieter Schmidt and his colleagues for plotting bombing and arson attacks against U.S. bases in Germany, alleged GRU operative Mikhail Mikushin (also known as José Assis Giammaria) who was arrested by Norway for subversive activities, and Siergey S. for his apparent involvement in arson attacks in Poland.91
- Closing borders, such as the decision by Finland in November 2023 to close its 830-mile (1,340-kilometer) border with Russia in part because of Russia’s weaponization of illegal immigrants.
- Imposing limited sanctions on individuals, companies, and other perpetrators of active measures. For example, the European Union sanctioned Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov—operatives in GRU Unit 29155—for their alleged involvement in cyberattacks targeting Estonia.92
Defense is necessary, but not sufficient. These actions are not particularly costly for Russia and are unlikely to coerce Moscow into ending, or even reducing, its active measures. Western countries have decided not to impose more significant costs for several reasons. First, some leaders have worried that a more robust response would cause further Russian escalation. As one analysis concluded, “Western leaders are reluctant to call for a larger military response to these attacks, which could trigger uncontained escalation.”93 Second, some have opposed a more robust response because they argue that the West is not “at war” with Russia. As one assessment summarized, “the West may be limited in the kinds of counteroperations it can launch in the face of continued acts of Russian sabotage. For one thing, the United States and its allies cannot easily respond in kind, because they are not officially at war with Russia.”94
This logic assumes that democratic countries, unlike authoritarian countries such as Russia, cannot—or should not—conduct forceful actions against Russia because they are not involved in a declared war. Yet these concerns are largely fallacious, and they reflect a mindset of self-deterrence. Russia, not Europe or the United States, chose to escalate a shadow war in Europe. In fact, a failure to respond will likely increase the likelihood of a protracted Russian campaign.
Instead, NATO should complement these defensive measures with a calibrated offensive campaign that focuses on several elements. These actions could be integrated into broader negotiations on a peace deal with Ukraine, in which the United States or European countries threaten—either implicitly or explicitly—offensive measures if Russia continues its sabotage campaign.
First, NATO should develop and communicate a clearer strategy that involves ramping up sanctions to stop Moscow’s shadow war in Europe. This approach might include increasing secondary sanctions against countries that import Russian goods, including oil and gas, as well as sanctioning additional entities and individuals involved in illegal Russian exports.
Second is an increase in NATO covert and overt actions. For example, Russia’s shadow fleet, which is illegally shipping oil and gas to overseas markets, is vulnerable to seizure. Russia also has oil and gas pipelines that are vulnerable to sabotage.
Third is conducting targeted offensive cyber operations against important Russian military and commercial targets, including the networks of Russia’s energy sector that are vital to Russia’s economy. There was some reporting that U.S. Cyber Command briefly halted offensive cyber operations against Russia in an effort to draw President Putin into talks on Ukraine, though some Pentagon officials denied these reports.95 Offensive cyber operations against Russia remain an important stick that can be used if Russian sabotage and subversion continues.
Fourth, NATO countries should conduct a more aggressive offensive information campaign targeting the populations of Russia and its partners, such as Belarus, devised to counter state-run media.
An offensive campaign should be designed to signal to Moscow that continued active measures in Europe will be costly. In short, a successful Western campaign needs to be coercive to change Moscow’s behavior, and the pain has to appear contingent on Russian behavior. But a strategy that does not include raising the costs on Moscow is likely to fail.
Seth G. Jones is president of the Defense and Security Department at the Center for Strategic and International Studies in Washington, D.C.
The author wishes to thank Katherine Trauger, Iselin Brady, and Riley McCabe for their help in building the database and for other research assistance during the research, writing, and production phases. Thanks also to Daniel Byman and Philip Wasielewski for their reviews of the document and outstanding comments.
This brief was made possible through general funding to CSIS.
Please consult the PDF for references.
CSIS Briefs are produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2025 by the Center for Strategic and International Studies. All rights reserved.