Europe | Outlook for Russian cyber operations

• We anticipate that European countries will struggle to respond to Russian cyber and disinformation operations in the coming months and years

Russian state hacking groups are highly likely to target organisations in Europe in the coming years. Clients have recently asked us what the changing US-Russia relationship – including in cyberspace – means for Europe. This follows media reports in recent weeks that suggest that the US is reducing its efforts to counter Russian hybrid warfare threats, including cyberattacks and disinformation.

In our analysis, shrinking US support and collaboration with Europe will probably result in fewer mechanisms for cyber deterrence in Europe. As part of its broader attempt to reduce reliance on the US, Europe seems to be trying to improve its cyber capabilities. Still, this is unlikely to have a significant impact immediately. Russia and Russia-linked actors are already mounting frequent cyber operations across the continent.

Implications of apparent changes in US priorities

There have been recent indications that the US is deprioritising cyber operations against Russia. Most recently, Reuters on 19 March reported that several US agencies have ‘halted work’ on countering Russian hybrid warfare, including cyber operations. It was not clear whether this was in response to specific guidance regarding Russia. But this seems to reflect a wider US softening of its stance towards Russia (as well as cuts to US federal cybersecurity staff).

This is likely to have implications for Europe in the coming months and years. Anonymous officials told Reuters that regular meetings between the National Security Council and European security officials have not taken place, and that the level of information sharing between them is unclear. Referring to the impacts of a week-long pause in US intelligence sharing with Ukraine, the former head of US Cyber Command said last month that Ukraine and the rest of the Five Eyes would be ‘capable, but not completely’ of providing cyber threat intelligence without the US, according to a cybersecurity news outlet.

Russia still trying to undermine European unity

Russia is highly likely to pose a pressing cyber threat to European organisations in the coming years. Russia remains intent on influencing the political landscape there in its favour, including by encouraging pro-Russia political views. This goes beyond European support for Ukraine; it has long sought to influence election outcomes across the continent (and beyond) through disinformation. Upcoming elections, such as in Romania and Poland in May, are likely to be targeted by such efforts. And the President of Moldova said on 25 March that Russia is ‘preparing new interference’ for the parliamentary poll there due by 26 October.

Further Russian campaigns will probably involve promoting pro-Russia or right-wing political candidates and seeking to undermine EU and NATO unity. Multiple governments have blamed Russia for mounting disinformation campaigns and cyber operations around their elections in recent years. In December, the authorities in Romania annulled the first round of its presidential election after they said that Russia had influenced the vote in favour of a pro-Russia candidate. And Russia has tended to prioritise campaigns in countries bordering Russia.

Russia to prioritise espionage and influence operations

To fulfill its objectives, Russia uses cyber operations and influence campaigns, as well as broader hybrid warfare strategies. Russia has tended to prioritise intelligence-gathering and influence operations in Europe in recent years. This has included espionage campaigns targeting governments, as well as defence, energy and shipping firms. These operations support Moscow’s goals of obtaining political and military intelligence and accessing critical infrastructure networks for future malware attacks.

Russia is likely to pose a heightened threat to European organisations around elections or in response to perceived provocations, such as imposing new sanctions. The UK has previously warned of ‘increasingly frequent and sophisticated’ cyber threats from Russian hackers following Ukraine’s use of UK-made missiles against Russia. And Russia intensified its cyberattacks on Ukraine just before it invaded the country in February 2022.

Links between Russia and cybercriminal groups provide it with an easy way to mount cyber operations while maintaining plausible deniability. This includes using cybercriminal groups and malware tools to mount attacks in Europe and Ukraine. A Google report from February said that Russian intelligence services are themselves increasingly using cybercrime tools to mount attacks.

Still, Russia is unlikely to carry out cyber operations that would have a direct physical outcome on critical infrastructure, such as by remotely manipulating industrial control systems. It seemingly has the capabilities to do so; last year, it disrupted heating and hot water access to over 600 buildings in Lviv, western Ukraine. But such operations are technically difficult. We doubt it would seek operations of this scale in Europe – Russia has tended to prioritise intelligence-gathering and influence operations there in recent years. Its most disruptive cyberattacks have been in Ukraine, and during the earlier stages of the war, based on publicly reported incidents.

Europe likely to struggle to respond

It is unclear how much the US is still collaborating with European agencies. But any decrease in intelligence sharing is likely to harm the preparedness of European countries. Cybersecurity outlet Recorded Future recently said that US and European sources it spoke to said that ‘cybersecurity agencies on the continent lack the technical attribution capabilities of their counterparts in the United States’. Indeed, the US has invested more in highly technically skilled offensive and defensive cyber programmes compared with European states and the EU.

In response to this, and amid the ongoing threat from Russia, countries in Europe are likely to seek to boost their cyber capabilities. There are broader efforts in Europe to reduce reliance on the US, such as through a new EU defence spending plan. It identifies cyber and electronic warfare as a priority area, and encourages the development of offensive cyber capabilities ‘as credible deterrence’. This will probably take time to develop, however, especially given an apparent decline in cohesion within Europe. This is due to existing divisions, likely further exacerbated by pro-Russian influence campaigns.

The levels of national cyber resilience capabilities vary widely across Europe. States such as Estonia, France and Germany will probably be better equipped to deal with Russian cyber operations in the coming years. This is especially the case for countries with a history of countering Russian destabilisation, such as Estonia. Countries such as Bosnia, Kosovo, and Montenegro have less well-developed cyber resilience measures, in our analysis. And offensive cyber capabilities probably vary significantly within Europe and the EU, with the UK, Germany and the Netherlands the probable frontrunners.