A 'pre-war era': Analyzing the cybersecurity implications of Poland's warning to Europe

April 4, 2026 | 7 min read | 4 sources

The stark warning from Warsaw

In a series of candid interviews that reverberated across the continent, Polish Prime Minister Donald Tusk issued a chilling assessment of European security: "We are in a pre-war era." His warning, delivered in late March 2024, argued that a lack of unity and insufficient support for Ukraine is dangerously close to delivering Russian President Vladimir Putin his "dream scenario"—a weak, fragmented, and vulnerable Europe. While Tusk’s message was primarily a geopolitical and military call to action, for cybersecurity professionals, it underscores the digital front lines of this escalating confrontation. Russia’s hybrid warfare model intrinsically links kinetic military action with sophisticated cyber operations, meaning a politically divided Europe is also a digitally exposed one.

Tusk’s concern is not abstract. It is rooted in the reality of Russia’s full-scale invasion of Ukraine, a conflict where cyberattacks have been a constant and brutal feature. For years, state-sponsored hacking groups have used Ukraine as a testing ground for destructive malware and disruptive tactics. Now, as European resolve is tested, these same digital weapons are increasingly aimed at the nations supporting Kyiv. A failure to heed Tusk's warning doesn't just risk military disadvantage; it invites a wave of cyber aggression aimed at the core of European infrastructure and democracy.

Technical details: The digital toolkit of hybrid warfare

Putin’s “dream scenario” relies heavily on destabilizing adversaries from within, and cyberspace is the primary battlefield for this strategy. Russian state-sponsored actors, often referred to as Advanced Persistent Threats (APTs), employ a multi-faceted approach to achieve strategic goals. These are not random acts of digital vandalism; they are coordinated campaigns designed to gather intelligence, disrupt critical services, and sow societal discord.

Key actors in this domain include groups meticulously tracked by Western intelligence agencies:

  • APT28 (Fancy Bear/Strontium, now tracked by Microsoft as Forest Blizzard): Linked to Russia's GRU military intelligence agency, this group is infamous for aggressive espionage and hack-and-leak operations. Its 2015 breach of the German Bundestag and its role in the interference in the 2016 U.S. election are stark reminders of its capacity for political disruption. Initial access typically comes through targeted spear-phishing, often credential-harvesting pages that imitate webmail logins, and through exploitation of exposed mail servers and edge devices.
  • Sandworm (Voodoo Bear): Also attributed to the GRU, Sandworm specializes in destructive and disruptive attacks. It caused the December 2015 and December 2016 blackouts in Ukraine (BlackEnergy and Industroyer) and was behind the 2017 NotPetya wiper, which was seeded through a trojanized update to the M.E.Doc accounting software used in Ukraine but spread worldwide, causing an estimated $10 billion in damage. Since February 2022 it has deployed multiple wiper families against Ukrainian targets, including the Industroyer2 and CaddyWiper attack on an energy provider in April 2022, demonstrating a clear intent to cause maximum disruption.
  • APT29 (Cozy Bear/Nobelium, now tracked by Microsoft as Midnight Blizzard): Associated with Russia's SVR foreign intelligence service, APT29 specializes in stealthy, long-term espionage. It carried out the SolarWinds supply chain compromise disclosed in December 2020: a trojanized Orion update reached roughly 18,000 customers, from which the operators selected a much smaller set, including several top-level U.S. government agencies, for hands-on follow-up intrusions.

These groups leverage a predictable but effective set of tactics, techniques, and procedures (TTPs). Initial access is usually gained by exploiting known, unpatched vulnerabilities in internet-facing systems or through carefully crafted spear-phishing emails. Once inside a network, they move laterally, escalate privileges, and exfiltrate data, typically relying on stolen credentials and legitimate administrative tooling rather than noisy custom malware. For disruptive campaigns the tooling ranges from Distributed Denial-of-Service (DDoS) attacks that knock public-facing services offline (much of the DDoS against European targets has come from pro-Russian "hacktivist" fronts that act as deniable proxies) to destructive wipers that permanently erase data from critical systems. According to a report from the EU Agency for Cybersecurity (ENISA), government and public administration remain the sectors most targeted by state-sponsored actors. (Source: ENISA)
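The spear-phishing lure that opens most of these intrusions leaves traces an analyst checks before anything else: the receiving mail server's authentication verdicts, a Reply-To that quietly diverts the conversation, a display name that impersonates another address, and links whose hostnames mix Latin letters with Cyrillic or Greek lookalikes. The script below is an added example, not code from the article or its sources. The two messages are constructed, the .example domains are reserved names, and the equal weighting of each signal is an assumption about a first-pass triage rule, not a tuned detector.

```python
"""Header and link triage for a suspected spear-phishing e-mail.

Added example (not from the article's sources): the two messages below are
constructed, the domains are reserved .example names, and the scoring
(one point per signal) is an assumption about a first-pass triage rule.
"""
import re
import unicodedata
from email import message_from_bytes, policy
from urllib.parse import urlparse

LOOKALIKE_SCRIPTS = {"CYRILLIC", "GREEK"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def first_address(msg, header):
    """(display_name, addr_spec) of the first mailbox in an address header."""
    hdr = msg[header]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return "", ""
    mailbox = hdr.addresses[0]
    return mailbox.display_name, mailbox.addr_spec.lower()


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def mixed_script(host):
    """True when a hostname mixes Latin letters with lookalike-script letters."""
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}
    return "LATIN" in scripts and bool(scripts & LOOKALIKE_SCRIPTS)


def auth_results(msg):
    """{'spf': 'fail', 'dkim': 'none', ...} parsed from Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def link_hosts(text):
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; each reason adds one point."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = first_address(msg, "From")
    from_dom = domain_of(from_addr)
    reasons = []

    # 1. Anything short of a pass from the receiving MTA is a signal.
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            reasons.append(f"{mech}={verdict}")

    # 2. Replies routed to a domain other than the visible sender's.
    _, reply_addr = first_address(msg, "Reply-To")
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append(f"reply-to diverts to {domain_of(reply_addr)}")

    # 3. Display name that shows an address on a different domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if shown and shown.group(1).lower() != from_dom:
        reasons.append(f"display name impersonates {shown.group(1).lower()}")

    # 4. Link hosts: homoglyph domains, or hosts outside the sender's domain
    #    (the latter is noisy on legitimate mail; weight it accordingly).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in sorted(link_hosts(text)):
        if mixed_script(host):
            reasons.append(f"homoglyph link host {host}")
        elif not host.endswith(from_dom):
            reasons.append(f"link host {host} outside sender domain")

    return {"score": len(reasons), "reasons": reasons}


# Constructed samples: a spear-phish lure (the link host contains a Cyrillic
# 'a', UTF-8 bytes D0 B0, in place of the Latin one) and a benign internal mail.
PHISH = b"""\
From: "secretariat@mfa.gov.example" <alerts@mail-relay.example>
Reply-To: secretariat@mfa-gov-docs.example
To: analyst@agency.example
Subject: Urgent: updated cable on the Ukraine aid package
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
Content-Type: text/plain; charset="utf-8"

The cable is available at https://mf\xd0\xb0.gov.example/cables/2024-031 (login required).
"""

BENIGN = b"""\
From: "Anna Nowak" <anna.nowak@agency.example>
To: analyst@agency.example
Subject: Minutes from Tuesday's briefing
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=agency.example; dkim=pass header.d=agency.example; dmarc=pass header.from=agency.example
Content-Type: text/plain; charset="utf-8"

Minutes are on the intranet: https://intranet.agency.example/minutes/2024-03-26
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        result = triage(raw)
        print(label, result["score"], *result["reasons"], sep="\n  ")
```

The lure scores six (three failed or missing authentication verdicts, the diverted Reply-To, the impersonating display name, and the homoglyph host); the internal message scores zero. The message is parsed from bytes deliberately: parsing a str that already contains non-ASCII characters makes Python's email package re-encode the body with escape sequences, and the Cyrillic character that is the whole point of the check would be lost.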

Beyond direct network intrusions, Russia’s strategy heavily incorporates information operations. Disinformation campaigns spread through social media bots, fake news websites, and state-controlled media aim to polarize societies, erode trust in democratic institutions, and manipulate public opinion on issues like aid to Ukraine. This psychological warfare is a critical component of weakening European unity from the inside out.

Impact assessment: A continent under digital siege

The targets of this hybrid warfare are not limited to military installations. The impact is felt across every sector of European society, making Tusk’s warning relevant to every citizen, business, and government body.

  • Governments and Defense: European ministries of defense, foreign affairs, and intelligence agencies are under constant threat of espionage. Successful breaches can expose sensitive diplomatic communications, military plans, and intelligence sources, directly undermining national and collective security.
  • Critical National Infrastructure (CNI): The energy, transportation, healthcare, and financial sectors are prime targets for disruptive attacks. A successful attack on a power grid, as seen in Ukraine in 2015 and 2016, could cause widespread blackouts and civil unrest. An attack on the financial system could trigger economic panic. The 2022 sabotage of the Nord Stream pipelines, while not definitively attributed, highlighted the physical vulnerability of such infrastructure to state-level aggression.
  • The European Economy: Beyond direct attacks on CNI, intellectual property theft from European technology and manufacturing firms weakens economic competitiveness. The cost of remediation, increased cybersecurity spending, and reputational damage from breaches places a significant strain on businesses.
  • European Citizens and Democracy: Disinformation campaigns polarize public debate and can influence election outcomes. By eroding trust in media and government, these operations weaken the social fabric that underpins democratic societies. This creates the internal chaos and division that is central to Putin's strategic objectives.

The severity of this threat is magnified by any lack of coordination. When European nations fail to share threat intelligence promptly or adopt unified defensive postures, they create seams that Russian APTs are skilled at exploiting. A divided Europe is a playground for these actors.

How to protect yourself

Countering a nation-state threat requires a multi-layered, society-wide approach. Action is needed at the governmental, corporate, and individual levels.

For Governments and CNI Operators:

A coordinated European response is paramount. This includes strengthening the mandate and resources of bodies like ENISA to facilitate real-time threat intelligence sharing across all member states. Public-private partnerships are essential for protecting CNI, as most infrastructure is privately owned. Baseline security obligations for critical operators already exist in the EU's NIS2 directive; the work now is consistent transposition, supervision, and enforcement across member states, together with regular cross-border resilience exercises that test defenses against simulated state-level attacks.

For Businesses:

Organizations can no longer afford to treat cybersecurity as a simple IT issue. It is a core business risk. Essential defensive measures include:

  • Implementing Multi-Factor Authentication (MFA): This single step blocks the large majority of password-based account compromise attempts. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) for administrators, email, and remote access, because one-time codes and push approvals can be relayed through an attacker-in-the-middle phishing page or worn down by repeated prompts.
  • Vigilant Patch Management: Russian actors frequently exploit known, unpatched vulnerabilities. Maintain an accurate inventory of internet-facing assets and patch them first, prioritizing flaws known to be exploited in the wild over raw severity scores.
  • Employee Training: Staff who recognize and report phishing shorten the attacker's window. Pair regular training with controls that do not depend on a user spotting the lure: DMARC enforcement on your own domains, link and attachment filtering, and a one-click path for reporting suspicious mail to the security team.
  • Incident Response Planning: Have a well-documented and rehearsed plan for what to do when a breach occurs. Against wiper malware that plan must include offline or immutable backups and restore procedures that have actually been tested, because once data is destroyed there is nothing left to negotiate over.
  • Secure Communications: For sensitive business operations, protect data in transit and at rest with strong, correctly configured encryption, and treat the management of the keys and devices involved as part of the same requirement.

For Individuals:

Citizens have a role to play in building societal resilience. Practice good digital hygiene by using strong, unique passwords for all important accounts (a password manager makes this practical) and enabling MFA wherever it is offered. Be skeptical of unsolicited emails and messages, especially those that create a sense of urgency or ask you to log in through a link. To counter disinformation, cultivate media literacy: question the source of information, look for multiple perspectives, and be wary of emotionally charged content designed to provoke a reaction. A VPN can protect your traffic from snooping on untrusted networks, but it does nothing against phishing or disinformation, so treat it as a small part of the picture rather than a solution.

Donald Tusk’s declaration that Europe is in a “pre-war era” is a summons to prepare for a conflict that is already being waged in the digital domain. A strong, united, and cyber-resilient Europe is the most effective deterrent to the aggression he describes. Ignoring the digital front lines is no longer an option.

// FAQ

What is hybrid warfare?

Hybrid warfare is a military strategy that blends conventional warfare, irregular warfare, and cyber warfare. For Russia, this includes combining military pressure with cyberattacks on critical infrastructure, political espionage, and large-scale disinformation campaigns to destabilize an adversary from within.

Who are the main Russian APT groups targeting Europe?

The most prominent groups include APT28 (Fancy Bear), linked to military intelligence and known for political hacking; Sandworm, also linked to military intelligence and responsible for destructive attacks like NotPetya; and APT29 (Cozy Bear), linked to foreign intelligence and known for stealthy espionage like the SolarWinds attack.

Why is Polish Prime Minister Tusk's warning so significant now?

His warning is significant due to Poland's geographic proximity to the conflict in Ukraine and its historical experience with Russian aggression. As a leading voice in NATO's eastern flank, Tusk's stark assessment reflects a growing sense of urgency that the war could escalate and that Europe's current level of preparedness is insufficient to deter further Russian ambitions.

What is the most immediate cyber threat to European citizens from this situation?

The most immediate and widespread threat to citizens is disinformation. State-sponsored campaigns are designed to erode trust in democratic institutions, amplify social divisions, and manipulate public opinion regarding the war in Ukraine and other key issues. Phishing campaigns aimed at stealing personal and financial data also remain a constant threat.
