Playing With Fire

Are Russia's hybrid attacks the new European war?

By the EBU Investigative Journalism Network

Published on 12 March 2025

“We’ve prepared a first task for you”

Several months after joining a private hacking group in the social network Telegram, a reporter from the Belgian public service broadcaster VRT, part of the EBU Investigative Journalism Network, had finally earned enough trust from the hackers to merit a mission.

He gained access to the group, which uses hacking techniques to promote a pro-Russian agenda, by posing as a Russian sympathiser living in Brussels. He had to complete several interviews, similar to those of a job application, where he was asked about his views on Russia. For his first, low-risk operation, all he was asked to do was put 10 stickers up in the heart of Brussels, the city home to the EU and NATO headquarters. His reward: The equivalent of 50 USD in the group’s own crypto coin.

A week later, an anonymous white padded envelope arrived. Inside, a bundle of stickers from a Chinese company, with a comic-like drawing with a crude hand gesture and a slogan in red capital letters across the top and bottom of their square shape:
“F- - - NATO”

Parcel containing stickers sent by the Pro-Russian hacktivist group. For security reasons, we are not showing the original conversations or the image of the stickers, or naming the journalist or the specific hacking group. Photo by VRT

Parcel containing stickers sent by the Pro-Russian hacktivist group. For security reasons, we are not showing the original conversations or the image of the stickers, or naming the journalist or the specific hacking group. Photo by VRT

Soon other tasks, involving information-gathering on individuals and news organisations, were automatically posted in the Telegram chat through a bot, for one of the 8,500 members of the group to pick up and add to their “to-do” list with one click.

Recreation of the conversation with the hacktivist group.

Meanwhile, in a private chat group, hackers swapped “war stories” and bragged about their next targets. Someone asked for help in hacking a maintenance company for water treatment plants in Lithuania. A tutorial video appeared, showing the control systems of the company, to the sound of electronic music.

In Lithuania, the National Cyber Security Centre (NCSC) became aware of the threat. They made preemptive security recommendations to the company, they said. No cyber incident was eventually reported.

The same hacking group attacked the websites of Belgian municipalities in the run-up to the local elections in October 2024, and the public transport company De Lijn, among others, claiming these actions were in protest of Belgium's support for Ukraine. Russian-aligned hacktivist groups have been active over the years, but since the beginning of the Ukraine invasion, their number has increased dramatically. These include the Cyber Army of Russia Reborn, NoName057(16), XakNet or Z-Pentest, each with their own hacking specialty. Other groups are suspected to have closer ties to the Kremlin, like Sandworm Team (APT44), a group that has been linked to the Russian Main Intelligence Directorate (GRU).

In the shadows: Russia's hybrid war

Faced with a dwindling number of experienced intelligence agents on the ground, with many expelled after the start of the war in Ukraine, Russia is now resorting to low-level operatives recruited through Telegram or similar social networks to conduct dozens of attempted or successful attacks in Europe, according to court records and security sources. These “disposable agents” have carried out cyberattacks but also riskier actions that included massive fires, incendiary devices destined for cargo planes, vandalism, and influence campaigns targeting the heart of Europe’s democracies- its voters.

“The effect that they need is tension in our societies, to weaken the trust in the decisions of our governments and of course to weaken support to Ukraine”, said the Lithuanian Foreign Minister Kęstutis Budrys, blaming Russia for these operations. “They run so-called cheaper agents without multi-year training, the ones that they can recruit online or elsewhere, and they have a very fast and effective result on the ground.”

The cumulative effect of these operations by Russia in the continent is what Kaja Kallas, the High Representative of the European Union for Foreign Affairs and Security Policy calls “the war that is going on in the shadows. We use the term hybrid threats, or hybrid war, but what is important is to understand that these kinds of attacks against us are on the rise, and not just in those countries which are bordering Russia, but in the whole of Europe”, Kallas said.

Kaja Kallas, High Representative of the European Union for Foreign Affairs and Security Policy. Photo by VRT

Kaja Kallas, High Representative of the European Union for Foreign Affairs and Security Policy. Photo by VRT

The use of these new kinds of operative is one of the reasons why establishing attribution is difficult, but Czech Foreign Minister Jan Lipavský put a concrete number on Russian attacks on European countries in 2024. “500 suspicious incidents, of which 100 were attributed to the Russian Federation”, he said. “These various attacks, sabotage, cyberattacks, information operations, continue to take place and are increasing in intensity”.

Russian operations in Europe are becoming more frequent and more brazen, according to 20 government, intelligence and military officials and experts from 10 countries who spoke with reporters from public service newsrooms part of the EBU Investigative Journalism Network. “We see an increased Russian risk appetite," said NATO'S Deputy Assistant Secretary General for Innovation, Hybrid, and Cyber James Appathurai, “and when I say risk, I mean not risk to them; risk to us, risk to our economies, to the safety of our citizens.”

Rooted in Soviet military doctrine, hybrid warfare has a different strategic purpose than conventional war tactics. “Rather than destroying an enemy army or occupying a territory, it aims to influence the population to create chaos, confusion, and discredit government leaders”, says Colonel José Luis Calvo Albero, a member of the Spanish Army and former professor of Strategy and National Security at the US Army War School (USAWC) in Pennsylvania. “This climate of dissatisfaction then favours other types of actions, including military actions.” Recalling that “Putin was a member of the KGB, he knew this type of doctrine perfectly”, Calvo Albero pointed out that while Russians are “masters” in the art of hybrid warfare, they are not the only state using it in their intelligence operations.

Moscow has denied the allegations. Instead, turning the argument on itself, it often calls the war in Ukraine “the West’s hybrid war” on Russia, as the foreign affairs spokesperson Maria Zakharova recently repeated at a press conference in Moscow.

But how many of these attacks can be directly linked to Russia? And would these incidents be sufficient to trigger NATO's collective defence mechanism?

Methodology

Our reporting group spent five months looking into close to 80 incidents that took place since the start of 2024 in Europe and that were publicly linked to Russian-affiliated actors by authorities or news reports.

We excluded events where the links to Russia were made by unknown or unreliable sources, making the final count a conservative estimate. All of these qualify as “hybrid threats”, as they are generally described in military doctrine, although there is no single agreed definition of the term. “Traditional” espionage activities by trained intelligence officers were left out of the scope.

We found that more than 60 of them could be classified as suspected or confirmed Russian hybrid actions. We based our conclusions on a combination of conversations with civilian and military intelligence sources and our own OSINT (open source intelligence) research of news and security forces reports.

We concluded that 10 of these operations had proven links to Russia, interpreted as a legal verdict, confirmed claims of responsibility by Russian-linked actors, or the outcome of an official investigation.

We found 17 occasions where authorities filed legal charges related to Russian interference, with the cases still ongoing. 34 events considered suspicious are still officially under investigation. In 16 cases, initial reports of Russian attribution were disproved or attributed to different causes. The Russian government has denied involvement in many of the cases.

Events studied included attacks or plots to carry out sabotage on civilian, military and underwater infrastructure, vandalism, arson, cyberattacks, and influence operations including electoral interference. Some incidents were only known months after they happened, when an arrest or a security report brought them to light.

Mapping Russian Hybrid Operations in Europe

Vandalism

Estonia

Seven people were found guilty of smashing the windows of the cars of the Estonian interior minister and a journalist when they were parked outside their homes. The court found evidence that they were connected to people “acting in the interests and on behalf of the General Staff of the Armed Forces of the Russian Federation, or GRU”, preparing attacks on property in Estonia from October 2023. The state prosecution said that those implicated were offered 10,000 euros for the attack.

Nine investigations were opened in 2024 for attempted or successful vandalism attacks in Europe where a Russian link was reported.

These included throwing molotov cocktails, defacing monuments commemorating the Holocaust and anti-Soviet leaders, and placing coffins with the inscription “French soldiers of Ukraine” by the Eiffel Tower in Paris ahead of the 2024 Olympics.

A weapon recovered by the Moldovan police (SIS). Photo by Moldovan police (SIS) via Facebook

A weapon recovered by the Moldovan police (SIS). Photo by Moldovan police (SIS) via Facebook

In October 2024 in Moldova, police released videos of a group of pro-Russian Moldovans being allegedly trained in violent tactics to cause civil unrest by “foreign instructors” connected to the Russian mercenary group Wagner, ahead of a referendum in the country on joining the European Union

Sabotage

Leipzig

In July 2024, a fire broke out in a container carrying parcels about to be placed on a DHL cargo flight at Germany’s Leipzig Airport. One of the packages, containing an incendiary device, originated in Lithuania. A two-hour delay meant the fire broke out while the aircraft was still on the ground. It was the first in a series of parcel fires that summer that also included a site near Warsaw, Poland, and another near Birmingham, UK.

In October 2024, Polish prosecutors said four people had been arrested in connection with the fires, as part of an investigation into "activities of foreign intelligence". The prosecutors said the fires were "test runs" for sabotage against flights to the US and Canada. Moscow denied the allegations.

Reports indicate a minimum of 23 instances of attempted or successful sabotage with suspected links to Russia. These included suspicious drone sightings over military bases and industrial parks, the removal during the night of border buoys at the Narva River between Estonia and Russia, and attempts to attack a bus depot in Prague.

In June 2024, unauthorized individuals gained access to the Hervanta water tower in Tampere, Finland. Photo by Yle

In June 2024, unauthorized individuals gained access to the Hervanta water tower in Tampere, Finland. Photo by Yle

Most are still under investigation, but some of the most potentially dangerous were not the work of Russian operatives, according to security sources. These included a train derailment in Sweden and the break-ins at water plants in Finland and Sweden that led to authorities’ recommendation to the population to boil their drinking water.

Arson

London

Six men were charged in connection with a blaze at a warehouse in Leyton that needed 60 firefighters to bring under control in March 2024. One of them later pleaded guilty in court to "conduct preparatory to endangering life for the benefit of a foreign power" - referring to Russia.

Another depot belonging to the same company, which is owned by a Ukrainian citizen, caught fire in the outskirts of Madrid days later, although no arrests were made in that case.

At least seven other fires or plots to commit arson were linked to Russia by government or other officials during 2024. Charges were brought forward against individuals in four of these cases, connecting them to “acts of sabotage on behalf of Russia”.

In late February 2025, a Ukrainian man was sentenced by a court in Poland to eight years in prison for planning acts of sabotage and arson on Russia’s behalf. According to the Polish Security Agency, after being recruited in Telegram he was offered 4,000 USD for setting fire to a paint factory in Wroclaw, a highly flammable objective situated close to an oil refinery housing 56 million litres of fuel.

When he was arrested, he was carrying bottles of lighter fluid, tutorial videos for handling explosives, and a manual for Ukrainians wishing to support the Russian invasion. Moscow denied involvement.

Underwater Infrastructure

Gulf of Finland

The Eagle S tanker was seized by Finnish authorities. Photo by Finnish Border Guard

The Eagle S tanker was seized by Finnish authorities. Photo by Finnish Border Guard

The Eagle S ship was suspected of damaging the Estlink 2 power cable, which links Finland and Estonia, as well as telecommunications lines in the Baltic Sea. The EU Commission commended the boarding of the vessel by Finnish authorities in December 2024, condemning "any deliberate destruction of Europe’s critical infrastructure” and calling the ship “part of Russia’s shadow fleet, which threatens security and the environment, while funding Russia’s war budget."

However, in early March 2025, Finnish authorities released the ship and some of its crew, while eight people remained under arrest for "aggravated criminal mischief and aggravated interference with communications." The case remains under investigation.

There have been two other incidents since late 2023 involving damage to underwater infrastructure in the Baltic Sea. They are mostly related to the cutting of energy and communication cables by ships dragging their anchors for several miles across the seabed.

While some maritime experts have said it is highly unlikely that these damages were accidental, civilian and military intelligence sources say there is no proof yet of sabotage. The ships involved were part of the so-called “Russian shadow fleet”, the almost-derelict tankers that export Russian oil through the Baltic Sea under foreign flags to circumvent Western sanctions.

NATO Baltic Sentry mission. Photo by NATO

NATO Baltic Sentry mission. Photo by NATO

In January 2025, NATO launched the “Baltic Sentry” mission of frigates and maritime patrol aircraft, with the Secretary General saying that “ship captains must understand that potential threats to our infrastructure will have consequences”.

Influence

Voice of Europe

The European Parliament. Photo by European Parliament

The European Parliament. Photo by European Parliament

Belgian investigators raided the home and offices of a European Parliament staffer to investigate his involvement in spreading Russian propaganda ahead of the June 2024 European elections. Media identified the person as a former assistant to a German MEP from the far-right party AfD and later assistant to a Dutch MEP from the Eurosceptic and conservative party Forum for Democracy.

The searches related “to indications of Russian interference”, according to Belgium’s federal public prosecutor’s office, “whereby members of the European Parliament were approached and paid to promote Russian propaganda via the Voice of Europe news website".

The website was reportedly funded by pro-Kremlin tycoon Viktor Medvedchuk, who found refuge in Russia after leaving Ukraine, where he faces treason charges.

It is impossible to track all the instances of disinformation and influence campaigns created through websites and social media posts and amplified by pro-Russian bots or influencers with an agenda.

Expert sprays mattress against bedbugs in autumn 2023. The bedbug polemic was amplified by Russia, according to French authorities. Photo by FT

Expert sprays mattress against bedbugs in autumn 2023. The bedbug polemic was amplified by Russia, according to French authorities. Photo by FT

Examples range from hyping the bedbug scare in Paris ahead of the summer Olympics to the alleged backing of a pro-Kremlin candidate in the Romanian elections. The elections were later cancelled by the country’s top court citing Russian state meddling.

During the recent German election campaign, several operations linked to Russia were active in spreading false claims on hot topics like immigration, military conscription or defaming candidates who vowed to continue Germany’s support of Ukraine if elected.

Cyberattacks

Madrid

Three people were arrested in July 2024 in Madrid and two other Spanish cities, for their alleged “participation in DDoS (denial of service) attacks against public institutions and strategic sectors in Spain and other NATO countries”, according to the Spanish Civil Guard.

The attacks were organised by the hacktivist group NoName057(16), one of the most active criminal networks in cyberspace, which was born after the Russian invasion of Ukraine. They relied on “volunteer” operatives recruited in cyberspace, who employ the group’s own software and often brag online about the disruption caused.

Cyberattacks occur daily across Europe, according to cybersecurity experts. Among the most spectacular in the past 15 months are the leaking of confidential conversations by German military personnel and massive DDoS (denial-of-service) attacks on Nordic banks or Belgian and Dutch ports, as well as public institutions around the time of local elections.

The majority of these can be attributed to pro-Russian hacking groups which enjoy the protection of the Kremlin. However, other reported cyber incidents such as the jamming of GPS signals and commercial satellites, which have affected commercial flights in the Baltic area, are not direct attacks, according to experts and security sources. They are “collateral damage” of Russia’s efforts to interfere with Ukrainian drones and weapons in the context of the war in Ukraine.

The Boundaries of Collective Defence

NATO Defence Ministers meeting in Brussels in February 2025. Photo by NATO

NATO Defence Ministers meeting in Brussels in February 2025. Photo by NATO

"The problem with defence is that when you need it, it's too late to make the investments."
Kaja Kallas, EU High Representative for Foreign Affairs and Security Policy

To build up their case on the magnitude of the attacks across its member states, NATO has started its own tracking mechanism. “It's really important that we do have numbers because we need to avoid a boiling frog situation where we just get used to more and more and more”, said Deputy Assistant Secretary General James Appathurai. He declined sharing the database of incidents with us, describing it as classified intelligence. It’s not inconceivable, Appathurai said, that “a hybrid attack or cumulative attacks reach a level where NATO's countries decide it has reached the level of armed attack, and they can invoke Article 5. That's our policy. Can that happen? Sure.”

NATO’s Article 5 is the cornerstone of a military alliance that describes itself as born in 1949 to counter Soviet expansion in Europe, and it obligates its members to come to the defence of each other in such “action as it deems necessary, including the use of armed force”.

In recent weeks, US President Donald Trump and his “America First” policy have all but put into question this solidarity principle. The European Union has responded to Trump’s disengagement from European security by announcing plans to free up to 800 billion euros of financing, asking countries to reallocate national budget resources to shore up their own defence spending. “That means some very painful decisions for the countries’ governments”, said EU top diplomat Kallas. “But we need to do that, because the problem with defence is that when you need it, it's too late to make the investments. Russia is spending more than 9% of its GDP on military. They will want to use it. And we have to be prepared.”

The EU has not spelled out how they plan to use these funds against hybrid attacks, but the tools necessary to fight hybrid war will require some innovative thinking past the conventional use of weapons and deterrence mechanisms. “All of our countries need to have a wartime mindset because the target of these hybrid attacks is not our soldiers”, said NATO's Appathurai. “It's our energy infrastructure. It's private citizens, it's companies, it's railroads, it's our mind”.

The nature of hybrid war gives Russia an advantage, where they can take credit for actions they have not organized and enjoy the destabilising effect they have in society. Even when reported events are later shown, after months of investigations, to have no connection with the Kremlin, it’s too late to roll back the feeling of hopelessness and chaos they are designed to create.

“The threat is serious”, said Swedish Foreign Minister Maria Malmer Stenergard. “It aims at dividing us, at creating anxiety among the population in order to achieve their short-term goal, which is to decrease our support for Ukraine, but also their long-term goal, which is to divide our societies and create opportunities for Russia to impose their world order on us”.

Baltic Power Play

The icy waters of the Baltic Sea have been the scenario of some heated exchanges in recent times, where authorities suspected the destruction by Russia-linked ships of 11 energy and telecommunications submarine cables linking seven of the nine countries with a Baltic coastline.

Finnish commandos dropped from helicopters in the middle of the night in December 2024 to take over a tanker transporting Russian oil and suspected of causing an outage to power and internet cables linking Finland and Estonia. A month before, a Chinese ship carrying Russian fertiliser was suspected of cutting a telecommunications cable connecting Lithuania and Sweden.

In both cases, the ships dropped their anchors and dragged them across the seabed for 100 kilometres or more, which caused the damage to the cables, according to investigators. Some European leaders were quick to point the finger at the Russian state, but no proof has been found that these were intentional actions. “For the moment our intelligence services still lack hard intelligence to prove that there was a state actor behind those activities”, said Lithuanian Foreign Minister Kęstutis Budrys.

Latvian Navy investigated the cable incident using underwater robot at 50 meters. Photo by LTV

Latvian Navy investigated the cable incident using underwater robot at 50 meters. Photo by LTV

While none of these ships were sailing under Russian flag, they belong to what is known as the “Russian shadow fleet”, a group of ramshackle vessels used by Russia to export its oil and other goods under third party flags, circumventing Western sanctions.

Damage to the almost 1.5 million kilometres of subsea cables is commonplace, with an average of 150 to 200 incidents per year, according to the International Cable Protection Committee. Up to 80% of damage is caused by fishing and shipping accidents.

But even if the Russian “shadow fleet” is composed of old ships in bad condition, some experts say the circumstances of these events make an accident hard to believe. “No seafarer will accidentally drop an anchor”, said Michiel Hijmans, a maritime border security expert and retired commodore of the Royal Netherlands Navy, “it can always happen that there's a malfunction, but it will never drag an anchor for hundreds of kilometres over the bottom of the sea.”

Faced with a vulnerable yet essential infrastructure, and complicated maritime and insurance laws at play in the overlapping Economic Exclusive Zones (EEZs) in the Baltic, NATO deployed in January “Baltic Sentry”, a surveillance operation involving frigates and maritime patrol aircraft. The aim of the mission is to identify suspicious activities and “deter potential acts of sabotage or other hostile actions that could disrupt critical infrastructure”.

Governments are also studying changes to maritime and insurance laws targeting the murky structures of the "shadow fleet" but obtaining international consensus to approve new frameworks for such a busy commercial waterway will be a challenge. “They [the Russians] will push until they're stopped”, said Ben Hodges, former Commanding General of US Army Europe. “They know that we will be reluctant to do something about a ship that drags an anchor across the ocean or the bottom of the Baltic Sea if it's not 100% sure, like in a criminal trial, that they did it. Or if it's a ship that's flagged to some African country. These are all things that they do to avoid attribution. And they see that we are struggling with how to stop that.”

Winning Hearts and Minds

“Germany plans to import 1,9 million Kenyan workers: A new migration crisis on the horizon?“, reads the post with false information on the X platform (formerly known as Twitter). As of early March 2025, this post showed 5.8 million views. Published two months before a general election where immigration dominated the political debate, the post claims that 750,000 Kenyans would be given “the opportunity for accelerated naturalisation”.

The post was the work of the group “Storm 1516”, according to the Germany-based Center for Monitoring, Analysis and Strategy (CeMAS), which studies digital authoritarianism and online disinformation. A known actor in this field, the group has been linked to the spreading of conspiracy theories on election integrity during the last US presidential election. CeMAS strongly suspects that behind Storm 1516 is the Foundation to Battle Injustice, an organisation created by the late Yevgeny Prigozhin, who also headed the Russian Wagner mercenary group and the notorious troll factory Internet Research Agency.

The same group created and amplified posts claiming that Germany would reintroduce the conscription of up to 500,000 soldiers for a “military mission in Eastern Europe by May 2025”, made allegations of child abuse against Vice Chancellor Robert Habeck, CDU candidate Friedrich Merz and EU Commission President Ursula Von der Leyen, and said the Green Party and Ukrainian officials were involved in art theft and corruption in Berlin.

There were other disinformation operations during the run-up to the recent German election. Posts by the so-called “Doppelganger” campaign were aimed at “stoking economic fears, trying to amplify polarising topics”, says Julia Smirnova, senior researcher at CeMAS. “They support the far-right party AfD and to a lesser extent the BSW party, both known for their pro-Kremlin positions. In addition to this, Doppelganger tries to discredit established parties, particularly the Greens, but also the CDU.”

The Doppelganger campaign has also been active in other European countries since shortly after the Russian invasion of Ukraine in 2022. “They try to undermine support for Ukraine in Europe, to discredit Ukrainian leadership, to spread false information about Ukrainian refugees”, says Smirnova, who points out that the origin of this campaign can be clearly traced back to Russia. The US Department of Justice published internal documents by a Russian public relations company, Social Design Agency, which according to Smirnova “show that the Doppelganger campaign is run by a Russian PR company, in coordination with the Kremlin. This is a clear state-sponsored campaign.”

CeMAS documented more than 600 original posts in German from mid-December 2024 to mid-January 2025, with each reposted several hundreds of times. It resulted in 2.8 million views, although a large portion of these views could have been produced by bots. The impact is boosted when “real” influencers pick up the content and repost it in their official channels. This occurred when AfD candidates and local branches disseminated via their official accounts false content suggesting that the Green Party and Ukrainian officials were recruiting migrants and young people in Germany to commit crimes subsequently attributed to the AfD.

Post claiming that the German government agreed to bring in 1.9 million Kenyan workers. Screengrab from X

Post claiming that 500.000 men will be conscripted and mobilized in Eastern Europe. Screengrab from X

Post alleging that a young girl accused the German Green Party’s candidate, Robert Habeck, of sexual assault. Screengrab from X

Post claiming that Green Party’s candidate, Robert Habeck, and culture minister Claudia Roth are complicit in art theft. Screengrab from X

A post alleged that Green Party and Ukrainian officials are recruiting migrants and young people in Germany to commit crimes in a smear campaign against AfD. This was reshared by a member of the parliament from the party. Screengrab from Facebook

Cyberspace: The Emerging Frontline

While clear attribution to Russia remains even more elusive in the intricate networks of cyberspace, some security services say the level of financing and organization reveals the power and budget of a state actor behind these apparently diffuse internet guerrillas. “If we evaluate purely technically by the tools used, the way cyberattacks are carried out, it points to the same perpetrators who are acting in Ukraine, and they are the Russian services”, says Varis Teivans, Deputy Head of the Latvian Cyber Incidents Response Institution. “And the scale is really sometimes surprisingly large, where Russia registers fictitious or shell companies in Europe to look like IT service providers. They may even offer services on their website, but it is a cover for these Russian cyber operations.” Other experts point out that even if these groups are not directly financed or commanded by the Kremlin, they continue to enjoy safe haven from extradition or international prosecution in Russia, which they in turn compensate by carrying out attacks against countries which are supporting Ukraine in the war.

“You can have an attack in your own pocket, in your own computer”, says Stéphane Duguin, CEO of the Geneva-based Cyber Peace Institute, which tracked cyberoperations and cyberattacks for two years after the Russian invasion of Ukraine. They identified more than 3,000 campaigns of attack by more than 120 threat actors, targeting 50 countries. “Even if the attack is not so sophisticated or impactful, the fact that it can be at speed, at scale, is part of the impact”, Duguin said, adding that the advent of Artificial Intelligence will only make these operations easier and more accessible to everyone.

“We've seen pro-Russian affiliates putting online shopping lists and tutorials into how to make cyber-attacks effective against Ukraine”, says Duguin. “They put out resources for everyone to participate in the warfare. And then you have people waking up in the morning: ‘What am I going to do today, watch Netflix or conduct a cyberattack?'- It's kind of a low-level choice.”

Photo by Clint Patterson on Unsplash

The Long Game

While a direct military confrontation with Russia is unlikely, hybrid attacks will continue to happen in Europe, NATO said.

“Russia isn't just focused on Ukraine. We're holding them back from their ambitions of reestablishing their control in Europe, and they don't like it,” said NATO's Appathurai. “I’m absolutely convinced, we are all convinced that these hybrid attacks will continue after the war in Ukraine is over, because they can't attack us militarily and they don't intend to. They are frustrated and want to carry out their ambitions in other ways. So we need to buckle down for a long-term problem with Russia, which will include hybrid attacks in our countries.”

Reporting by Indre Makaraityté (LRT), Luc Van Bakel (VRT), Marko Hietikko (Yle), Anna Pihl (ERR), Matiss Arnicans (LTV), Oskar Jönsson (SVT), Peter Keizer (KRO-NCRV Pointer), Adéla Paclíková (CT), Pilar Requena (RTVE), Jenny Hauser (EBU), Maria Flannery (EBU), Eoghan Sweeney (EBU), Lili Rutai (EBU) and Belén López Garrido (EBU) for the EBU Investigative Journalism Network.
Web and graphic design by Derek Bowler (EBU)
Project Management Belén López Garrido (EBU), with the collaboration of Coco Gubbels (EBU)
Cover video by Miejski Reporter, showing the fire at the Marywilska shopping center near Warsaw on May 2024. The case is under investigation, and was linked to Russian activity by Prime Minister Donald Tusk.
This story was published on 12 March 2025

A report by the EBU Investigative Journalism Network, available to EBU members for republication. For conditions, please contact ein@eurovision.net