Russia is ramping up its attempts to kill opponents in Europe, intelligence officials say

May 7, 2026 · 6 min read · 6 sources

A shadow war on European soil

A stark warning is echoing through the halls of European intelligence agencies: Russia has intensified its campaign of targeting political opponents, dissidents, and journalists across the continent. According to multiple security officials, these are not isolated incidents but part of a broader, more aggressive strategy that blends covert physical operations with sophisticated cyber warfare. This escalation represents a significant threat to national sovereignty and the safety of individuals who have sought refuge in Europe.

The concern is rooted in a history of state-sponsored violence. The 2006 assassination of former FSB officer Alexander Litvinenko in London using radioactive polonium-210 and the 2018 poisoning of Sergei and Yulia Skripal with the Novichok nerve agent in Salisbury serve as grim reminders of the Kremlin's operational reach. However, recent events suggest a shift from high-profile, sporadic attacks to a more sustained and diverse campaign of intimidation, sabotage, and assassination plots.

In late 2023 and early 2024, intelligence services from Germany, the UK, and Sweden issued alerts about this renewed Russian aggression. These warnings were substantiated by a series of arrests and thwarted plots. In April 2024, German authorities detained two individuals suspected of planning sabotage attacks on military infrastructure intended to disrupt aid to Ukraine. A month later, another arrest warrant was issued for a Russian-German national accused of plotting to kill a Chechen dissident. These actions signal a clear intent to conduct hostile operations directly on NATO territory.

Technical details: The cyber-physical nexus

Modern state-sponsored assassination plots are rarely just physical endeavors. They are complex operations underpinned by a deep integration of cyber capabilities, a concept often referred to as the cyber-physical nexus. Russian intelligence services, particularly the GRU and FSB, leverage digital tools for every stage of an operation.

Phase 1: Surveillance and reconnaissance

Before any physical action is taken, extensive digital surveillance is conducted to build a comprehensive profile of the target. This involves:

  • Phishing and Malware: State-sponsored hacking groups like APT28 (also known as Fancy Bear) use spear-phishing emails to deploy malware onto the devices of targets and their associates. This provides access to emails, calendars, contact lists, and real-time location data.
  • Network Exploitation: Attackers compromise home or office Wi-Fi networks to monitor all unencrypted traffic, gathering intelligence on routines and communications.
  • Social Media Monitoring: Public and private social media accounts are scrutinized to understand a target's social circles, habits, and travel plans.

By piecing together this digital puzzle, operators can predict a target's movements and identify vulnerabilities for a physical approach with minimal risk of exposure.

Phase 2: Planning and logistics

Once a target is profiled, cyber tools facilitate the planning and logistical support for the physical team. This includes using secure, encrypted communication channels to coordinate actions without being detected by Western intelligence agencies. Operatives may use compromised servers as dead drops for information or employ sophisticated techniques to create false digital identities for travel and lodging. Furthermore, disruptive cyberattacks can be used as a diversion or to support the primary mission. The recent allegations by the Czech prime minister that Russia was behind attempts to hack the country's railway systems illustrate how attacks on critical infrastructure can serve a broader hybrid warfare strategy, potentially to disrupt military logistics or create chaos that an intelligence operation could exploit.

Phase 3: Execution and obfuscation

Following a physical attack, the cyber domain becomes the primary battlespace for controlling the narrative. Pro-Kremlin disinformation networks are activated to spread conflicting stories, promote conspiracy theories, and discredit official investigations. The goal is to create enough confusion to sow doubt and provide plausible deniability. This was a key tactic following the Skripal poisoning, where Russian state media pushed dozens of contradictory explanations for the event.

Impact assessment: A threat beyond the individual

The impact of this campaign extends far beyond the individuals directly targeted. The primary victims are, of course, the Russian dissidents, journalists, and activists living in fear for their lives. This creates a powerful chilling effect, discouraging dissent both at home and abroad.

For European nations, these operations are a direct violation of their sovereignty. Allowing a foreign power to conduct extrajudicial killings on their soil undermines the rule of law and the security of all residents. The use of chemical and radioactive agents in public spaces, as seen in Salisbury, also poses a grave and indiscriminate risk to public health.

Geopolitically, these actions fuel instability and escalate tensions between Russia and the West. They force European governments to expend significant resources on counterintelligence, enhance security measures, and engage in difficult diplomatic standoffs, including sanctions and the expulsion of diplomats. This sustained campaign of hybrid aggression erodes trust and makes international cooperation on other critical issues nearly impossible.

How to protect yourself

While countering state-sponsored threats is primarily the responsibility of national security agencies, high-risk individuals and organizations can take steps to improve their security posture.

For high-risk individuals (dissidents, journalists, activists):

  • Practice advanced digital hygiene: Use strong, unique passwords for all accounts, enable multi-factor authentication (MFA), and be extremely cautious of unsolicited emails or messages. Assume you are a target of phishing campaigns.
  • Secure your communications: Utilize end-to-end encrypted messaging apps like Signal for sensitive conversations. When accessing the internet, especially on untrusted networks, encrypting your connection with a reputable VPN service is a fundamental step to protect your data from interception.
  • Maintain operational security (OPSEC): Be mindful of your physical surroundings. Vary your routines, be cautious about sharing your location on social media, and have a plan for seeking help if you feel you are being followed or monitored.
  • Report suspicious activity: Immediately report any threats, suspected surveillance, or strange digital activity to local law enforcement and relevant support organizations.

For organizations and the public:

  • Enhance cybersecurity defenses: Businesses, especially those in critical sectors, should invest in modern security solutions, conduct regular employee training on threat detection, and have a clear incident response plan.
  • Promote media literacy: The most effective defense against disinformation is a well-informed public. Learn to identify the hallmarks of propaganda, such as the use of emotionally charged language, unverifiable sources, and the promotion of conspiracy theories. Cross-reference information with credible, independent news sources before sharing.

The warnings from Europe's intelligence community are not abstract geopolitical maneuvering. They describe a clear and present danger, a shadow war where the front line can be any city street and the weapons range from nerve agents to malware. Recognizing the deep link between the cyber and physical realms is the first step toward building a more effective defense.

// FAQ

What is hybrid warfare?

Hybrid warfare is a military strategy that blends conventional warfare, irregular warfare, and cyber warfare with other influencing methods, such as disinformation, diplomacy, and economic pressure. The goal is to destabilize a target state without engaging in open, declared conflict.

How are cyberattacks used to support physical assassination plots?

Cyber operations are critical for modern physical plots. They are used for surveillance (hacking emails and phones to track a target), logistics (secure communications for operatives), and obfuscation (launching disinformation campaigns after an attack to create confusion and deny responsibility).

Are ordinary European citizens at risk from these plots?

While the primary targets are specific individuals like dissidents or former spies, the methods used can pose a significant risk to the public. The 2018 Salisbury attack, which used the Novichok nerve agent, resulted in the hospitalization of a police officer and the death of a local resident who came into contact with the discarded poison.

Who is APT28 / Fancy Bear?

APT28, widely known as Fancy Bear, is a Russian state-sponsored cyber espionage group associated with the GRU, Russia's military intelligence agency. It is known for targeting governments, militaries, and security organizations worldwide, and was implicated in the 2016 hacking of the Democratic National Committee in the U.S.
