Russia Sabotage Operations in Europe
Since the full-scale invasion of Ukraine in February 2022, Russian military intelligence (GRU) and its subordinate units have dramatically escalated covert operations across Europe. These operations range from arson attacks on warehouses and railway infrastructure to assassination plots against defence officials, targeting the West's ability to supply Ukraine with weapons, ammunition, and equipment. European counter-intelligence agencies have made dozens of arrests and expulsions, yet the operations continue — representing a new phase of Russian hybrid warfare that blurs the line between espionage and acts of war.
Background and Escalation
- Russian intelligence services have conducted covert operations in Europe for decades, but the scope and recklessness of these operations increased markedly after the full-scale invasion of Ukraine in February 2022; the strategic driver is straightforward: Russia cannot defeat Ukraine militarily if Western logistics chains continue to deliver ammunition, air defence missiles, artillery systems, and armoured vehicles at the pace observed in 2022–2025; disrupting those supply chains — even partially — has genuine operational value for Russia's war effort
- The 2018 Salisbury poisoning of Sergei Skripal represented a previous peak of GRU recklessness in Europe, carried out by GRU Unit 29155 against a defector in the United Kingdom; the subsequent expulsion of Russian intelligence officers and diplomatic fallout appeared briefly to restrain operations, but the wartime pressures after 2022 caused the GRU to resume and accelerate covert action, accepting higher operational exposure risk
- European security services — particularly Germany's BfV (domestic intelligence), BND (foreign intelligence), the UK's MI5, Poland's ABW, and the Baltic states' services — began warning publicly about the escalation of Russian sabotage activity from mid-2023 onwards; by 2024, multiple European governments were characterising the campaign as a deliberate Russian strategy rather than isolated incidents, resulting in coordinated expulsions of Russian intelligence officers under diplomatic cover and the arrest of networks of recruited European nationals serving as proxies
- The development of proxy networks is a key adaptation: using European citizens recruited through criminal networks, far-right organisations, or financial inducements rather than Russian-passport officers reduces the diplomatic exposure when operations are discovered; the use of easily deniable cutouts — individuals with no formal Russian government connection — is a deliberate choice that complicates attribution and prosecution
GRU Units Responsible
- GRU Unit 29155 — formally the 161st Special Purpose Officer Training Center — is the primary Russian military intelligence unit assessed to be responsible for assassination operations and high-risk direct action in Europe; Unit 29155 was identified and exposed by Bellingcat, The Insider, and partner investigative organisations in their investigation of the Salisbury poisoning and subsequent operations; the unit recruits officers with specialist backgrounds in chemistry, combat medicine, and unconventional warfare, and operates with a different mandate from standard GRU foreign intelligence collection units: its mission is direct action, not collection
- GRU Unit 54777 — the Psychological Operations unit, also known as "Omega" — is assessed to conduct influence operations and some sabotage activities; its activities overlap with the disinformation campaigns run by Russian federal agencies but include covert action components beyond pure information operations
- FSB (Federal Security Service) foreign operations teams also operate in Europe with overlapping mandates — the FSB's "Service for Operational Information and International Relations" and associated counterintelligence units have European operational roles; jurisdictional competition between GRU and FSB for European operations has been observed in some exposed cases, with the two services occasionally running competing proxy networks in the same countries
- Russia's increasing use of criminal intermediaries — commissioned through dark-web channels, encrypted applications, or through the Russian criminal underworld that overlaps with intelligence services — has introduced a new category of actor: individuals who conduct sabotage for financial payment without being intelligence officers or formal agents; these "one-time" operators are deniable precisely because they lack any traceable formal relationship with Russian intelligence, though signals intelligence and financial tracking have still enabled their identification and arrest in several documented European cases
Documented Incidents 2022–2026
- Germany (2023–2025): Multiple cases of Russian-linked arson and sabotage across Germany, including an attempted attack on a logistics facility in Bavaria handling equipment destined for Ukraine and the arrests of several individuals who were paid via cryptocurrency to conduct reconnaissance of military infrastructure and set "test" fires; a particularly significant case involved two German-Russian dual nationals arrested in 2024 for planning attacks on US military logistics in Germany in coordination with concealed GRU direction
- United Kingdom (2023–2024): UK authorities disrupted multiple GRU-linked operations including an arson attack on a commercial property in London connected to an individual with ties to Ukraine relief efforts; MI5 Director General Ken McCallum publicly stated in 2024 that Russian intelligence was running a "sustained campaign of sabotage" in the UK; a Ukrainian national arrested in the UK was subsequently assessed to have been recruited under duress by Russian intelligence while family members remained in occupied Ukrainian territory
- Poland (2023–2025): Poland, as the primary transit country for Western military assistance to Ukraine, has been a particularly intensive target; Polish ABW arrested multiple individuals across 2023–2025 for sabotage-related reconnaissance and preparation — individuals conducting detailed photographic and video surveillance of rail junctions, ammunition storage facilities, and military convoy routes; one arrested individual had documented ties to a Polish far-right network that Russian intelligence exploited
- Baltic States (2023–2025): Estonia, Latvia, and Lithuania — all NATO members with significant exposure to Russian influence operations — have arrested Russian intelligence assets and expelled diplomatic personnel believed to be intelligence officers; the Baltic states' threat assessment explicitly names GRU Unit 29155 operations as targeting their territory, with particular concern about operations designed to create incidents that Russia can use for propaganda or to test NATO Article 5 resolve
- Sweden (2024): An arson attack on construction equipment belonging to a Swedish Defence Materiel Administration supplier caused significant damage; Swedish SÄPO (security police) assessed Russian intelligence involvement, and the incident triggered an emergency review of protection measures around Swedish defence industry contractors
- Czech Republic (2024–2025): Czech counter-intelligence uncovered a GRU network that had conducted preliminary reconnaissance of Czech ammunition production facilities and logistics routes; Czech authorities publicly attributed the network to GRU and coordinated expulsions of Russian diplomats in response
Primary Target Categories
- Arms and ammunition transfer logistics: the primary strategic target of Russian sabotage operations is the supply chain from Western production and storage facilities to Ukraine's border; this chain includes railway junctions handling oversize military cargo, ammunition storage sites, vehicle staging areas, and the border crossing points through which equipment enters Ukraine; disrupting any segment of this chain — even temporarily — has military value for Russia by creating delivery delays and diverting Western attention to protection rather than production
- Defence industry facilities: European defence manufacturers have dramatically expanded production capacity since 2022 to meet Ukrainian and NATO member demand; artillery ammunition factories in Germany, the Czech Republic, Slovakia, and Poland; drone component manufacturers; and electronics firms producing critical components for Western weapons systems are assessed targets; incidents of unexplained fires and equipment failures at defence industry sites — while often having innocent explanations — receive heightened scrutiny from security services
- Critical civilian infrastructure: railway networks, energy infrastructure, telecommunications nodes, and port facilities in countries bordering Ukraine are assessed as targets; the dual-use nature of civilian infrastructure means that sabotage creates both direct military supply disruption and civilian disruption costs that may erode political will to support Ukraine; the disruption-to-deniability ratio of attacking civilian infrastructure is favourable from Russia's perspective
- Individuals and organisations: Russian intelligence has conducted acquisition operations against defence industry employees, government officials with access to Ukraine-related programmes, and diaspora organisations raising funds or equipment for Ukraine; physical threats against individuals — including death threats received by senior officials in multiple European countries — are assessed to have Russian intelligence links in several documented cases; the assassination attempt on the CEO of German arms manufacturer Rheinmetall (thwarted by German authorities in 2024) represents the most high-profile example
Methods and Tradecraft
- Incendiary devices: a recurring method is the deployment of simple incendiary devices — chemical timers, postal packages containing incendiary materials, or remotely triggered devices — against logistics and storage facilities; these devices are selected for plausible deniability (warehouse fires are not inherently suspicious), ease of assembly by non-specialist proxies, and the limited specialist knowledge required for proxy recruitment; multiple European countries have issued specific security advisories about suspicious packages and chemical incendiary devices
- Proxy recruitment via criminal networks: Russian intelligence has demonstrably used criminal intermediaries — particularly in East European criminal networks with pre-existing smuggling and money-laundering infrastructure — as buffers between GRU officers and operational actors; the typical chain involves a GRU handler directing an organised crime intermediary who then recruits local criminal-background individuals for specific tasks; the criminal cutout typically does not know the ultimate sponsor is Russian intelligence, having received only a financial offer for specific reconnaissance or sabotage tasks
- Social media recruitment: several arrested individuals in Germany and other countries described initial contact through social media platforms — often starting with an approach that presented itself as market research, logistics analysis work, or photography contracts before revealing the true nature of the tasks; the digital recruitment funnel exploits economic vulnerability without requiring potential recruits to understand they are being recruited for a foreign intelligence service
- Disinformation amplification: physical sabotage operations are often followed by Russian state media and social media amplification designed to exaggerate the impact and create maximum fear effect among European populations; a warehouse fire that causes limited actual damage becomes — in Russian information operations — evidence of deep penetration of European security; the information operation goal is as important as the physical effect
European Counter-Intelligence Responses
- Coordinated intelligence sharing: the EU's intelligence agency INTCEN and NATO's intelligence fusion mechanisms have been used to share assessments about Russian sabotage operations across member states; bilateral intelligence sharing between services with the highest exposure (Germany, Poland, Baltic states, UK) has intensified; joint assessment teams have been established to ensure that incidents classified as criminal in one country are connected to patterns identified in others
- Diplomatic expulsions: European countries have conducted multiple rounds of diplomatic expulsions since 2022, specifically naming Russian intelligence officers operating under cover; these expulsions — sometimes coordinated across multiple countries simultaneously — are designed to degrade GRU's officer complement in Europe; unlike the quiet expulsions that characterised Cold War intelligence management, they are publicly acknowledged, explicitly as a deterrence signal
- Legal framework development: several European countries have amended or are amending national security legislation to close gaps that Russian hybrid operations exploit; Germany amended its espionage law in 2024 to explicitly cover proxy-mediated sabotage; EU-level discussions about common definitions of hybrid warfare acts and appropriate responses have accelerated; the question of whether sabotage conducted by non-state proxies on behalf of a foreign state constitutes an act of war requiring Article 5 invocation has been the subject of serious NATO legal analysis
- Physical security enhancements: NATO members and EU states have significantly enhanced physical security around defence-related logistics, storage, and industry; access control improvements, surveillance system expansions at critical rail junctions and storage facilities, and security vetting reviews for personnel with access to sensitive supply chain information have all been implemented; the scale of the security investment required represents a genuine cost of Russian hybrid warfare even when no successful operations occur
Strategic Assessment
- Operational effectiveness: the documented Russian sabotage operations in Europe have achieved limited operational success in terms of actual supply chain disruption; no major arms shipment to Ukraine has been physically intercepted or destroyed by a European sabotage operation; the primary operational effect has been to consume Western security resources in protection and counter-intelligence activity rather than direct military impact; this diversion of attention and resources is itself a success for Russia's strategic information operations even when physical sabotage fails
- Escalatory risk: the increasing recklessness of GRU operations — including assassination attempts against senior defence industry figures — represents an escalatory trend that European intelligence services assess as potentially approaching the threshold where Article 5 collective defence provisions become relevant; NATO has quietly developed internal guidance on what level of physical sabotage by a state actor against a member state would constitute an armed attack under Article 5; Russia's apparent assessment that it can conduct this campaign without triggering a collective NATO response has emboldened continued operations
- Long-term strategic significance: if Russian sabotage operations continue or escalate after the end of the current phase of combat in Ukraine, they will represent a permanent feature of the European security environment rather than a wartime anomaly; the intelligence services and physical security architecture being built in response to Russian hybrid operations will be necessary for the foreseeable future; Europe's transition from a "post-Cold War peace dividend" security posture to genuine wartime alert against Russian hybrid operations is one of the strategic consequences of Putin's decision to invade Ukraine
Frequently Asked Questions
Has Russia succeeded in disrupting Western arms supplies to Ukraine through European sabotage?
No documented Russian sabotage operation in Europe has succeeded in materially disrupting Western arms and ammunition deliveries to Ukraine. The observed operations have primarily involved reconnaissance, arson at civilian-connected facilities, and disrupted assassination plots — none of which have intercepted major weapons shipments. The supply chain from Western countries to Ukraine has proven significantly more resilient than Russian planners apparently anticipated, partly because NATO member logistics networks were hardened through Cold War-era contingency planning that Russia failed to account for, and partly because the route and timing diversity of arms shipments to Ukraine exceeds the capacity of even an active Russian sabotage network to monitor and disrupt. The primary impact of Russian operations has been to consume European counter-intelligence resources and accelerate defensive security investments — which represent real costs but not operational supply chain disruption.
Could Russian sabotage operations trigger NATO Article 5?
This is one of the most consequential open questions in current NATO legal analysis. Article 5 of the NATO treaty establishes that an armed attack against one member is considered an attack against all, requiring collective response; however, what constitutes an "armed attack" in the context of hybrid operations — particularly those employing criminals and proxies rather than uniformed military personnel — is legally contested. NATO's internal guidance has assessed that a sufficiently destructive sabotage attack clearly attributable to a member state's armed forces could constitute an armed attack under Article 5; however, the deniability of proxy-mediated operations is specifically designed to make this attribution threshold difficult to meet. The accumulation of evidence about ongoing Russian hybrid operations documented across multiple European countries may lead to a collective NATO attribution — which several member states have already made individually — but translating collective attribution into collective Article 5 invocation requires political consensus that has not yet been achieved. The more likely near-term response involves non-Article-5 collective measures: coordinated expulsions, joint counter-intelligence operations, and defensive investments.
How do European counter-intelligence agencies identify Russian-directed sabotage?
Attribution of specific incidents to Russian intelligence direction involves several overlapping analytical methods. Signals intelligence — intercepted communications between suspects and, in some cases, Russian-located communications infrastructure — has enabled attribution in several European cases; individuals arrested for sabotage-related activities in Germany, Poland, and the Baltic states have had their communications traced to Russian intelligence networks through this route. Financial forensics — following cryptocurrency and traditional financial transactions used to pay proxies — has connected several European sabotage suspects to funding ultimately traceable to Russia-associated accounts. Human intelligence — informants within Russian intelligence networks, recruited sources in the criminal networks used as proxies, and cooperative intelligence from Ukrainian services with deep penetration of Russian intelligence — has been significant in multiple European operations. The combination of these methods creates evidential packages that meet the standard for criminal prosecution in European courts while supporting classified intelligence assessments shared within NATO and the EU intelligence community.
What do NATO and Western analysts say about Russian sabotage operations in Europe?
Western analytical institutions — including the Institute for the Study of War (ISW), CSIS, the International Institute for Strategic Studies (IISS), and Chatham House — have published assessments directly relevant to Russian sabotage operations in Europe. Their findings point to the conclusions discussed in this analysis.
What are the most likely future developments regarding Russian sabotage operations in Europe?
Analysts project several plausible future trajectories for Russian sabotage operations in Europe, ranging from continuation of current trends to significant policy or battlefield shifts. Each scenario's probability depends on Western aid continuity, Russian military capacity, and diplomatic developments in 2026 and beyond.
Sources
- Bellingcat — GRU Unit 29155 investigation and European operations tracking
- German BfV — Annual domestic intelligence reports 2023–2025
- NATO — Hybrid warfare threat assessments
- European Council on Foreign Relations — Russian hybrid operations analysis
- MI5 Director General public statements on Russian sabotage campaign
- Estonian Foreign Intelligence Service — Annual threat assessments 2023–2026