Russian sabotage operations in Europe

A series of covert attacks on European infrastructure and targets have taken place since the late 2010s, intensifying after 2022. Western governments and intelligence agencies allege that Russian military or intelligence services systematically organised acts of sabotage across Europe^[1][2] – including arson,^[3][4][5] assassination plans,^[6] attempted railway damage,^[7][8] vandalism and electronic interference such as GPS jamming^[9][10] – as part of a hybrid war aimed at destabilizing countries that support Ukraine during the Russia–Ukraine war. European officials report that the number of suspected Russian sabotage incidents surged in 2023–2024, targeting critical infrastructure including gas pipelines and communication cables^[11]).^[12][13] Officials say the sabotage campaign is largely coordinated by Russian intelligence (GRU) and executed by covert operatives or locally recruited perpetrators, with Russian authorities denying responsibility.^{[1][14][15][16]} The Russian government denied conducting sabotage in Europe and blamed other actors for the incidents.^[17] In 2025, NATO described the level of sabotage threats as "record high" and stated that it viewed the Russian campaign of subversion as a serious security challenge to Europe.^[6]

Background

Main article: Russian hybrid warfare

Russia has a history of covert operations and sabotage in Europe dating back to the Cold War,^[18] and its military doctrine has long emphasized targeting enemy infrastructure.^[2][19] In the 2010s, Russian operatives were implicated in isolated sabotage incidents, such as the 2014 Vrbětice ammunition depot explosions in the Czech Republic, which killed two people and were later attributed to agents of Russia's GRU (Unit 29155).^[15][20] According to Czech investigators, the GRU operatives (using the same cover identities later linked to the Skripal poisoning) coordinated the depot explosions, allegedly to disrupt arms supplies destined for Ukraine during the 2014 war in Donbas.^[21] The explosions led to a diplomatic rift, including mass expulsions of Russian diplomats from Prague and Moscow.^[22] After Russia's February 2022 full-scale invasion of Ukraine in February 2022, European governments began reporting a sharp increase in suspicious fires, infrastructure damage and other attacks, which they viewed as hybrid warfare.^{[1][12][23][24]} Many of these incidents were initially unexplained or treated as accidents, but came to be seen as possible acts of Russian sabotage as patterns emerged. By 2023, NATO and EU officials stated that Russia was waging a coordinated campaign of subversion and sabotage below the threshold of overt warfare, targeting Europe's critical infrastructure and civilian morale.^{[6][1][2][25]} The International Institute for Strategic Studies documented over 50 sabotage events in Europe from 2022 to mid-2025 that were likely linked to Russia.^[1][2] According to European security services, the sabotage campaign was deliberately done with low casualties and kept at a moderate level of destruction to reduce the risk of provoking a direct military response from NATO.^{[1][2][16][26]}

Types of sabotage and incidents

See also: Cyberwarfare by Russia

Energy and infrastructure

As of 2025, responsibility for the 26 September 2022 Nord Stream pipeline explosions was unclear. Some Western officials stated their suspicions of Russian involvement, stating that Moscow had the motive of damaging its own idle pipelines as a false-flag operation and to threaten Europe's energy supply. Russian authorities accused the U.S. or Ukraine of destroying Nord Stream. This incident showed the vulnerability of European infrastructure to seabed warfare. Following the sabotage, NATO increased patrols around critical pipelines.^[27] In the Nord Stream sabotage, sections of the Nord Stream 1 and 2 gas pipelines from Russia to Germany were destroyed.^[28] Seismic monitors detected powerful underwater blasts, and investigators from Sweden concluded that the pipelines had been sabotaged using explosives.^[29][30]

In 2023–2024, multiple undersea cables and pipelines in the Baltic Sea were severed or damaged, heightening suspicions of Russian sabotage. In October 2023, a subsea gas pipeline (the Balticconnector between Finland and Estonia) was ruptured concurrently with a data cable, in what Finland called a deliberate act, though investigations considered whether a vessel's dragged anchor caused the damage.^[31][32] in November 2024, two separate fibre-optic internet cables in the Baltic were severed within two days – one linking Finland to Germany and another linking Sweden to Lithuania's network. German and Finnish authorities described these as possible "intentional damage" to critical infrastructure. In late December 2024, an undersea power cable between Finland and Estonia (Estlink 2) was cut, along with several nearby telecom cables, causing blackouts and internet outages. Finland seized a Russian-owned ship suspected of involvement, and regional leaders stated that the pattern of frequent undersea infrastructure "accidents" since 2022 was unlikely to be coincidental. Since 2022, European telecom operators in the Nordic-Baltic region have reported numerous outages from unexplained cable cuts, and Western officials regularly cite Russia as the prime suspect.^{[33][34][35][36]}

Russian cyber units, often in coordination with physical sabotage efforts, targeted critical systems such as power plants since at least mid-2010s.^{[37][38][39][40][41]}

Railway and transportation networks

European rail and transport infrastructure has been targeted. On 8 October 2022, unknown saboteurs severed two Deutsche Bahn fibre-optic cables in Germany, crippling the train signaling network in the north of the country and halting all long-distance and freight rail traffic for about three hours. German officials stated that striking redundant communication cables simultaneously showed that the sabotage required good knowledge of the system, and some raised suspicions of Russian involvement.^[23] A second act of cable sabotage occurred in Germany in December 2022, when cables were cut near the city of Essen, briefly disrupting a regional rail line.^[42]

Railway sabotage occurred in Poland, a key transit country for NATO military aid to Ukraine. In August 2023, attackers used a simple radio signal hack to trigger emergency stop commands on railway frequencies, halting about 20 trains in north-west Poland. The hackers broadcast a rogue signal, interspersed with the Russian anthem, exploiting an unsecured rail communication system. Polish officials viewed the sabotage as "state-sponsored".^[43][44] The incident followed the arrest of a Russian spy ring in Poland earlier in 2023 that had allegedly been plotting sabotage of rail lines and arms transports. Polish prosecutors later announced that more than a dozen people, reportedly working for Russian intelligence, were charged with preparing acts of sabotage against Polish transport infrastructure and were found with hidden cameras monitoring railway lines used for Ukraine-bound shipments.^[7][8] NATO officials have acknowledged instances of train derailment attempts and other transit sabotage as part of the broader campaign to disrupt logistics.^[6]

Arson attacks and urban sabotage

See also: Incendiary incidents in Europe 2024

In the mid-2020s, a wave of arson and bomb hoaxes hit commercial or symbolic targets around Europe, in particular in Poland and Lithuania. On 8 May 2024, an IKEA store in Vilnius was set ablaze after closing hours. There were no injuries. Lithuanian prosecutors describe it as an act of "terrorism" by GRU. Two Ukrainian nationals were charged as the local perpetrators. One was arrested in Lithuania and the other in Poland. Investigators found they had been promised €10,000 by Russian handlers to carry out bombing or fire attacks at shopping centres in Lithuania and Latvia.^[45]

On 11 May 2024, a massive fire destroyed the Marywilska 44 shopping centre in Warsaw, a market with over 1,000 shops, during the night, with no casualties. Polish investigators found that the blaze was the result of arson coordinated by Russian secret services: conspirators for hire had been paid to set the mall on fire. In 2025, evidence showed that the fire had been ordered by a GRU officer in Russia. Several people suspected to be locally recruited intermediaries in the Marywilska arson were arrested in Poland and Lithuania.^[14][4][5]

Lithuanian and Polish authorities considered it likely that the same Russian-linked network was behind both the Ikea fire and the Warsaw mall arson. In response, in May 2025 Poland expelled Russian diplomats and ordered the closure of Russia's consulate in Kraków.^[45]

Several incendiary attacks were recorded in Western Europe in the mid 2020s. In the United Kingdom, an arson plot targeted a factory and warehouse complex owned by a Ukrainian businessman in east London. On 20 March 2024, the facility, which had been involved in supplying protective gear to Ukraine, was set on fire, causing extensive damage. British police arrested a group of suspects and announced that the ringleader had been recruited online and directed by people linked to the Russian mercenary Wagner Group to carry out the arson.^[46][47][48] France experienced intimidation incidents in 2024 rather than outright attacks. In May, unknown vandals defaced a Holocaust memorial in Paris with pro-Russian graffiti. On 1 June 2024, early morning visitors to the Champ de Mars in Paris found five wooden coffins draped in French flags arranged at the foot of the Eiffel Tower. Each coffin was painted with the words "French soldiers in Ukraine". French authorities treated it as a hostile propaganda stunt. Three men, one of whom had ties to a pro-Russian extremist group, were arrested and charged with threatening national security. French intelligence suggested possible links between the two events as part of a Russian campaign of psychological pressure in France.^[49][50][51] The Russian government officially denied any connection to the Eiffel Tower coffins, dismissing it as a "provocation".^[50][52]

Other smaller-scale incidents attributed by Western officials to the sabotage campaign include vandalism or threats against politicians. In early 2023, Estonia's interior minister had his car windows smashed and a Molotov cocktail thrown at his property on the same night that a prominent investigative journalist's car was similarly vandalized. Estonia's security service attributed responsibility to Russian agents seeking to intimidate Ukraine supporters.^[53] In Germany, officials reported instances of suspected sabotage or spying around Bundeswehr bases involved in training Ukrainian soldiers, including unexplained small drones appearing over training ranges.^[23] On 26 June 2025, several Rheinmetall military trucks were set on fire at Erfurt and three of them destroyed in a suspected sabotage attack launched by Russian operatives.^[54]

Electronic interference (GPS and communications)

On the day of Russia's invasion of Ukraine a cyberattack took place against the satellite internet system of American communications company Viasat which affected their KA-SAT network and triggered outages across central and eastern Europe (the Viasat hack). In May that year the European Union, the United States, and the United Kingdom condemned the attack as a Russian operation.^[55]

Russian sabotage includes GPS jamming and spoofing across Northern and Eastern Europe. Since 2022, Nordic and Baltic states lodged reports of strong interference with satellite navigation signals near their borders that affected civilian airliners, ships, and drones over broad areas.^[9] Finland's civil aviation authority stated that incidents of GPS outage attributable to jamming from across the Russian border significantly increased in frequency since the 2022 full-scale Russian invasion of Ukraine.^[56][57] In one high-profile case in April 2023, Finland's national airline Finnair had to suspend flights to the city of Tartu, Estonia, after multiple passenger planes experienced loss of GPS during approach, presumably due to Russian electronic interference in the region.^[9] Military exercises and civilian air traffic in the far northern areas of Norway and Sweden were repeatedly impaired by cross-border jamming signals originating from Kola Peninsula, where several Russian military bases are located.^[9][10]

In September 2025, an aircraft carrying European Commission President Ursula von der Leyen was suspected to have experienced GPS jamming while flying through Bulgarian airspace. NATO officials blamed the jamming on Russian electronic warfare units.^[9][58] Bulgarian authorities disputed the claim of GPS jamming.^[59] NATO Secretary-General Mark Rutte stated that the suspected GPS interference was part of a wider pattern that "could have 'potentially disastrous effects'".^[9]

Russian authorities stated that GPS interference is a legitimate defensive measure to protect its territory in order to confuse potential Ukrainian drones. Baltic officials disagreed, stating that the jamming events occurred far from the Russian border.^[9]

Other types of sabotage

European governments have faced waves of hoax bomb threats and cyber-sabotage tied to Russia. Throughout 2022–2023, numerous schools, airports, and public buildings in Poland, the Czech Republic and Italy received coordinated false bomb threat emails or phone calls traced to pro-Russian actors,^[60][61] leading to evacuations and economic losses. Poland became one of the primary cyberattack targets, with many of the attacks originating from Russia.^[62][63]

Attribution and Russian tactics

European security agencies attribute the sabotage campaign primarily to units of the Russian military intelligence agency GRU, in particular GRU Unit 29155, specialised in sabotage and other clandestine operations in Europe.^[15][20] Investigations in Poland, Lithuania, Czechia, Germany, and the UK, with Europol support, showed a pattern according to which the perpetrators are usually not Russian nationals or official operatives, but rather hired proxies recruited from third countries, including immigrants, petty criminals, or individuals with cybercrime (cracking) skills. The recruitment is typically via encrypted online platforms, and recruitees are often unaware that they are effectively working for the Russian state. The recruitees are paid in cryptocurrencies or via untraceable methods, and instructed to carry out tasks such as starting fires, planting dummy bombs, or cutting cables. According to European intelligence officials, the Russian officers directing this campaign remain on Russian or Belarusian territory and communicate through layers of cutouts to maintain plausible deniability.^{[1][2][16][37][64]}

The campaign attributed to the GRU is decentralized. Rather than a single large operation, it consists of dozens of low-level attacks across different countries, making it hard to conclusively attribute each event. Based on evidence including surveillance of financial flows, decrypted communications, and captured agents' testimonies, several governments publicly accused Russian authorities of the campagin. During 2023–24, Polish and Lithuanian authorities openly accused the GRU of specific sabotage acts, the UK proscribed the Wagner Group as a terrorist organization, and NATO began sharing intelligence on what it called "Russia's shadow warfare" in member states.^{[1][2][14][45][65]} Intelligence assessments view the objectives of the campaign as primarily psychological and political: to spread a sense of insecurity among the European public, to strain governments with emergency responses, and to signal that Russia can retaliate unconventionally against countries arming Ukraine.^[1][2][66]

Most confirmed sabotage incidents avoided large-scale casualties or irreversible damage to strategic assets that could be seen as an overt act of war. Some plots suggested potential escalation: in mid-2024, Western intelligence reportedly foiled a Russian plan to send letter bombs or explosive parcels to targets in the United States via Europe. If the plans had been executed, it could have caused civilian airliner disasters – a step that alarmed Western officials. US authorities unofficially warned Russian authorities against such high-casualty terror attacks, and the plot was aborted.^[16] A similar plan was suspected in mid-2025. Investigations found packages containing incendiaries routed via EU hubs and the UK. Officials suspected a Russian-led test of air-cargo routes. Arrests and extraditions were made in several states.^[67][68]

NATO officials stated that the foiled plan to assassinate the CEO of Rheinmetall in 2024 was part of a broader sabotage campaign.^{[6][69][70][71][72]}

European responses

European states and NATO took countermeasures against the sabotage campaign, including increased surveillance and arrests of suspected saboteurs. Polish authorities detained several suspects during 2022–2023 and laid formal charges against 30 Russian, Belarusian, and Ukrainian nationals in connection with planned acts of espionage or sabotage on Polish territory.^[7][73] In Czechia, authorities banned or shut down local russophile extremist groups and disinformation outlets that were suspected of abetting sabotage or violent plots. Russian handlers were suspected of involvement.^[74]

Diplomatic expulsions were used prior to, and as a response to, the campagin. In March 2022, several EU countries expelled dozens of Russian diplomats, several suspected as being intelligence officers, suspecting that a sabotage campaign might be conducted. Expulsions continued during 2023–25. After uncovering the Warsaw shopping mall arson, Polish authorities expelled 45 Russian officials and closed the Russian consulate in Kraków. Bulgaria and the Baltic states reduced Russian diplomatic presence, citing security concerns.^[75][76] NATO created a Critical Undersea Infrastructure Cell in 2023 to improve monitoring and protection of pipelines and cables, and began coordinating allied navies to patrol the North Sea and the Baltic Sea, seen as at-risk maritime zones.^[77] The European Union launched initiatives to bolster infrastructure resilience, including stress-testing energy networks and increasing intelligence-sharing about hybrid threats.^[78] Throughout 2023 and 2024, several European countries raised their domestic threat levels in response to sabotage risks. Norway, put its oil and gas sector on high alert and deployed soldiers to guard energy installations after unidentified drone sightings and the discovery of tracking devices near offshore platforms, suspected to be Russian information collection preparing for sabotage.^[79]

European security officials stated that completely stopping the sabotage campaign would be difficult. European governments tried to deter the campaign by stating that major destructive attacks, especially those causing loss of life, would trigger strong responses. NATO Deputy Secretary-General Mircea Geoană stated in 2024 that allies have "communicated red lines" to Russian authorities regarding sabotage, implying that certain aggressive actions, such as those causing civilian deaths or crippling vital infrastructure, could provoke a direct confrontation.^[26] At a June 2023 NATO summit in Vilnius, member states agreed to treat certain hybrid attacks (in particular, cyberattacks) on infrastructure with the same seriousness as an armed attack, potentially invoking Article 5 collective defense on a case-by-case basis.^[80]

Documentation

As of 2025, investigations and court cases related to Russian sabotage were ongoing across Europe. Many incidents remained officially unsolved. Open source documentation on the campaign includes court verdicts in Poland and the UK and intelligence reports in the Baltics. Most of the evidence attributes responsibility to Russian authorities.^{[2][16][81][82]}

See also

• 2024 Baltic Sea submarine cable disruptions
• Diplomatic expulsions during the Russo-Ukrainian War
• Incendiary incidents in Europe 2024
• Russian disinformation
• Russian hybrid warfare
• Russian interference in the 2024 United States elections
• Russian shadow fleet
• Russia–European Union relations
• Severing of the Svalbard undersea cable
• Transnational repression by Russia
• Violations of non-combatant airspaces during the Russian invasion of Ukraine