Russia's unconventional warfare against Europe has intensified significantly, with hostile cyber operations and sabotage activities almost quadrupling in 2025. A new analysis from the International Institute for Strategic Studies (IISS) reveals a concerted campaign targeting critical infrastructure, aiming to destabilize governments and weaken support for Ukraine. This "shadow war" operates below the threshold of declared conflict yet inflicts substantial cumulative damage across the continent.[1]
For years, Russia has engaged in a covert conflict with Europe, employing deniable cyber intrusions, proxy actors, and hidden networks to obscure attribution. This strategy is designed to destabilize European governments, erode public support for Ukraine by imposing social and economic costs, and diminish the collective capacity of NATO and the European Union to counter Russian aggression. The campaign began to escalate following Russia’s full-scale invasion of Ukraine in 2022, accelerating further through 2024 and reaching a near-quadrupling in incidents during 2025.
According to IISS data, Russian shadow-warfare attacks have spanned the Baltic, the Nordic countries, Central Europe, the Balkans, and the Mediterranean, indicating a strategic intent rather than isolated incidents. These operations include the sabotage of transport and logistics hubs, attacks on energy and communications infrastructure, and disruptions to undersea cables, alongside espionage, arson, vandalism, and GPS jamming. Many activities are conducted by proxy actors, including third-country nationals, and are meticulously calibrated to remain just below NATO’s Article 5 threshold while exerting continuous pressure.
Europe's critical infrastructure has become a susceptible target due to structural weaknesses that have accumulated over decades, aligning precisely with Russia's shadow war doctrine. A significant portion of this infrastructure relies on outdated technology, legacy systems, and obsolete software, none of which were designed to withstand sustained state-sponsored sabotage. This allows for low-cost disruptions to generate disproportionate and cascading effects across vital services. Between 80 and 90 per cent of critical infrastructure is privately owned. These assets, crucial to national security, are governed by principles optimized for efficiency and short-term returns rather than resilience. This often leads to fragmented accountability, with strategic risks frequently externalized until they are exploited.
Europe's reliance on undersea cables, which carry essential communications, data, and financial flows, further compounds its exposure. These cables lie largely unprotected on the ocean floor, making them challenging to defend, costly to repair, and ideal targets for disruptions that can be plausibly denied. Russia, having spent decades mapping these systems, has a detailed understanding of these vulnerabilities and integrates them into a broader strategy of ambiguity and deniability.
Despite the clear escalation, European capitals have struggled to respond effectively to Russian sabotage operations. Challenges include reaching a unified response, coordinating action, developing effective deterrence measures, and imposing sufficient costs on the Kremlin. Russia exploits the divides between peacetime and conflict, law enforcement and military response, and public and private responsibility, confident that NATO’s legal thresholds and consensus-driven decision-making will hinder a unified response to what is an ongoing attack.
The critical question now is not whether the next incident will occur, but rather the extent of its impact on Europe. There is an urgent need for governments to treat critical infrastructure protection, attack attribution, and coordinated response as collective security obligations, rather than as fragmented national or private responsibilities.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://www.cybersecurityintelligence.com/blog/russian-hostile-cyber-operations-against-europe-quadruple-in-2025-9037.html