Russia is likely to continue hostile operations in Europe this year. The aim of these appears to be to pressure Europe into scaling down its support for Ukraine.
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 7 February 2023.
- We assess that Czechia, Germany, the Netherlands, Norway, Spain and the UK are very likely to be highest on Russia’s list of targets for hostile operations in 2023
- These would most likely involve physical and cyber sabotage, mail campaigns, bomb hoaxes, or social influence operations
- We assess that such actions are very likely to be low-impact, and not lead to military conflict
Russia is likely to continue hostile operations in Europe this year. The aim of these appears to be to pressure Europe into scaling down its support for Ukraine. There have already been several incidents over the past year that the Western authorities suspect have links to Russia, including letter bombs in Spain and gas pipeline explosions in the North Sea. Future actions will probably include physical and cyber sabotage, mail campaigns, bomb hoaxes, and social influence operations.
Several clients have asked in recent weeks which countries are most likely to be targeted in future operations. Czechia, Germany, the Netherlands, Norway, Spain and the UK are at the highest risk, in our assessment. This is based on key indicators that raise a country’s profile as a possible target. These include the extent of aid provision to Ukraine, if any, and evidence of operations by Russian foreign military intelligence (GRU) agents.
Not a question of conflict
Russia is highly likely to try to avoid a direct conflict with NATO. We also assess that it will try to avoid triggering formal Article 4 discussions on a possible collective defence response. This is particularly while its military progress in Ukraine remains hampered and costly. NATO has said that high-impact incidents targeting a member state’s critical infrastructure would lead to a ‘united and determined response’. But the Nord Stream explosions did not trigger Article 4 or 5, which suggests there are many actions – including low-impact attacks – that Moscow can take while avoiding NATO retaliation.
The timing of Russia’s hostile actions in Europe seems to be retaliatory and reactive. Over the past year, incidents that the Western authorities have attributed to Russia came after sanctions on Russia or aid packages to Ukraine. These operations seem intended as retaliation against Europe’s response to Russia’s war in Ukraine, and to weaken Europe’s resolve on material and political support. Such actions are also in line with Russia’s long-term strategy in Europe of attempting to undermine regional unity. Similar European actions, particularly those that are highly publicised, are likely to raise the risk of disruptive action.
In light of this action-reaction dynamic, Czechia, Germany, the Netherlands, Norway, Spain and the UK are at the highest risk. These countries scored highest in our model examining five indicators that, in our assessment, raise a country’s profile as a target for possible Russian actions of this type. These indicators are, in no particular order:
- NATO membership or advanced efforts to join NATO (Finland and Sweden)
- Aid to Ukraine (whether a country has provided some form of aid, or no aid at all)
- Offensive capability of aid to Ukraine (heavy offensive weapons, high volumes of ammunition, major funding)
- Listed by Russia under ‘unfriendly states’
- Presence of GRU (Russian military intelligence agency) agents, and these conducting operations in-country
Plenty of possible tricks
There is a range of hostile actions Russia is likely to take in 2023. These provide it with deniability to avoid major retaliation. These would probably target strategic locations such as embassies, government offices, military installations, critical infrastructure, airports, or strategic manufacturers. This is based on Russia’s objectives and operations last year. Actions include, but are not limited to:
- Physical or cyber sabotage operations targeting non-operational or non-critical infrastructure
- ‘Messaging’ events, such as letter bombs, or parts of animals or other threatening items sent via mail
- Bomb hoaxes
- Social operations that inflame public tensions, such as by artificially inflating support or engagement with movements on social media, interfering with elections, or leaking sensitive information surrounding controversial events or public figures
Countries in which Russia already has some established capability to mount these actions score higher in our risk model. Examples include any Russia-linked history of:
- Long-standing reconnaissance or influence operations (the 2016 Montenegro coup plot, or Russian diplomats being expelled from Greece in 2018 for attempted blackmail of Greek officials)
- Poisonings (Sergei and Yulia Skripal in the UK in 2018, businessman Emiliyan Gebrev in Bulgaria in 2015)
- Sabotage attacks (explosions at Czech arms factory in 2014, Nord Stream explosions in the North Sea in 2022)
- Successful infiltrations of sensitive or critical sectors, or in social circles (the Finnish authorities in 2018 blocked Russian property purchases, with intelligence services reportedly concerned Russian individuals were buying up land in ‘politically sensitive’ areas)
- Cyber attacks involving physically-present Russian agents (Netherlands in 2018, where GRU agents set up equipment in a hotel car park to monitor a global chemical weapons watchdog base)
Agents already positioned close geographically, and in some cases, strategically to a sector, individual or location they plan to target provides them with a better opportunity to do so.
Image: Czech president-elect Petr Pavel (R) said on February 2 there should be ‘no limits’ on military aid to war-ravaged Ukraine, urging allies to show more courage. Photo by MICHAL CIZEK/AFP via Getty Images