Russian Covert Action in Northern Europe: A 6-month Outlook


    Since the suspected sabotage on the Nord Stream 1 & 2 pipelines on September 26th, there are indications of increased suspected Russian covert action in Northern Europe. Europe is facing a severe energy deficit following Russia’s invasion of Ukraine. Norway is now the leading gas supplier in the region as gas supplies from Russia to Europe are cut. Following the Russian strategy of energy warfare, a raised threat level is prevalent.

    The presence of Russian assets in Europe is a well-known phenomenon, as are covert operations and plausible deniability. After Vladimir Putin’s call for partial mobilisation on September 21st, many Russian men left the country, entering Europe. There are indications of a correlation between Russian migration and suspected covert operations targeting critical energy infrastructure in Northern Europe. However, the intent of recent activities is still being determined.

    KJ-1 It is highly likely that Russian-linked espionage activity in Northern Europe will increase in the next 6 months.

    • In July, British MI6 chief Richard Moore claimed efforts to interrupt Russian spies expelled 400 intelligence officers [source]. However, following Russian migration to Europe, there are indications of Russia reorganising its spy networks in Europe [source].
    • On February 15th, Latvia’s State Security Service (SSB) detained a Belarusian citizen accused of espionage [source].
    • On September 28th, unusual drone activity was observed close to the TotalEnergies oil field in the Danish North Sea [source].
    • Norwegian officials detained at least 7 Russian citizens after flying drones and photographing sensitive locations [source].
    • On October 5th, Norwegian armed forces tracked a Russian vessel reportedly suspected of espionage [source].
    • On October 19th, a drone spotted above the Bergen Airport led to a 2-hour shutdown [source].
    • On October 25th, Norwegian authorities arrested a Brazilian researcher suspected of espionage for Russia [source].
    • On November 22nd, Swedish police arrested 2 suspected Russian spies in a predawn raid in the Stockholm area [source].
    The Swedish Police National Task Force arrested 2 suspected spies on November 22nd. Image: Svante Rinalder. Credit: swedish_operators.

    KJ-2 It is highly likely that suspected sabotage activities causing power disturbances in Northern Europe will increase in the next 6 months.

    • Since roughly 2015, Russia has developed a network of sophisticated state-governed Advanced Persistent Threat (APT) and ransomware groups capable of conducting kinetic cyber-attacks on critical infrastructure. Among them are the GRU-linked Fancy Bear and Sandworm and the FSB-linked Berserk and Venomous Bear [source].
    • On April 20th, Western authorities warned about increased Russian cyber operations targeting critical infrastructure [source].
    • The third quarter of 2022 has seen a surge in cyberattacks targeting energy infrastructure [source].
    • On October 8th, deliberate cable sabotage in Germany caused significant disruption to the national railway network [source].
    • On October 10th, the Danish island of Bornholm experienced a power outage when a transformer feeding the island with electricity from Sweden was shut down [source].
    • On October 18th, 2 separate incidents damaged the SHEFA-2 undersea cable providing the Shetland Islands with an internet connection. However, there are no official suspicions of deliberate sabotage [source].
    • On October 18th, workers detected cracks on the Finnish nuclear reactor Olkiluoto 3. Thus, the damage will delay the reactor’s planned startup from December 14th until December 27th [source].
    • On October 20th, 3 fibre optic cables were cut in Marseille, France, leading to widespread internet connectivity problems in Europe [source].
    • On October 20th, Norway warned of potentially imminent Russian cyberattacks targeting critical energy infrastructure [source].

    KJ-3 It is likely that Russian hostile cyber operations targeting Northern European civilians will intensify in the next 6 months.

    • Evidence shows that 74 percent of all revenues from ransomware attacks in 2021 went to Russia-linked hackers [source].
    • European intelligence estimates that at least 20 Russian cyber criminal groups with capabilities exceed most states. Several have links to the Kremlin [source].
    • One of these is the Conti Ransomware Group, regarded as one of the world’s most notorious cybercrime collectives [sourcesource].
    • In 2021 ransomware attacks targeting companies in Norway, Sweden, Finland, Denmark and Lithuania spiked [source].
    • The cyber threat level in the Nordics has increased following Sweden and Finland’s NATO application [source].
    • On August 10th, a Russian hacker group claimed responsibility for 2 attacks targeting Finnish networks [source].
    • In September, Ukraine Security Service dismantled a Russian hacker group guilty of stealing the personal accounts of 30 million individuals across Europe [source].

    Intelligence Cut-Off Date: November 29, 2022

    Oscar Rosengren
    Oscar Rosengren
    Oscar Rosengren is a student at the Swedish Defence University in Stockholm. His main focus area is the Sahel Region and West Africa. Specific interests are asymmetric threats, mainly terrorism, covert action, and cyber threats.

    Table of contents


    Get the weekly email from Grey Dynamics that makes reading intel articles and reports actually enjoyable. Join our mailing list to stay in the loop for free!

    Related contents

    Learn to create professional videos and have fun in the process of creating videos.
    Video Review And Collaboration.
    Get Started
    Subscribe to our Free Newsletter!