_Russia is conducting an escalating and violent campaign of sabotage and subversion against European and U.S. targets in Europe led by Russian military intelligence (the GRU), according to a new CSIS database of Russian activity. The number of Russian attacks nearly tripled between 2023 and 2024. Russia’s primary targets have included transportation, government, critical infrastructure, and industry, and its main weapons and tactics have included explosives, blunt or edged instruments (such as anchors), and electronic attack. Despite the increase in Russian attacks, Western countries have not developed an effective strategy to counter these attacks._
**Introduction**
----------------
Russia is engaged in an aggressive campaign of subversion and sabotage against European and U.S. targets, which complement Russia’s brutal conventional war in Ukraine. The number of Russian attacks in Europe nearly tripled between 2023 and 2024, after quadrupling between 2022 and 2023. Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (or GRU), was likely responsible for many of these attacks, either directly by their own officers or indirectly through recruited agents. The GRU and other Russian intelligence agencies frequently recruited local assets to plan and execute sabotage and subversion missions. Other operations relied on Russia’s “shadow fleet,” commercial ships used to circumvent Western sanctions, for undersea attacks.
The data indicate that Russia poses a serious threat to the United States and Europe and that the Russian government, including President Vladimir Putin, cannot be trusted. Roughly 27 percent of the attacks were against transportation targets (such as trains, vehicles, and airplanes), another 27 percent were against government targets (such as military bases and officials), 21 percent were against critical infrastructure targets (such as pipelines, undersea fiber-optic cables, and the electricity grid), and 21 percent were against industry (such as defense companies). Many of these targets had links to Western aid to Ukraine, such as companies producing or shipping weapons and other matériel to Ukraine. Russia also used a variety of weapons and tactics. The most common (35 percent) involved explosives and incendiaries. Other weapons and tactics included blunt or edged instruments (27 percent), such as anchors used to cut undersea fiber-optic cables; electronic attack (15 percent); and the weaponization of illegal immigrants (8 percent).
The increase in attacks indicates that the West has failed to coerce Russia from stopping its campaign of sabotage and subversion. Russian attacks are not just a European problem, but a U.S. problem as well. The GRU and other organizations have conducted operations against U.S. targets, such as U.S. bases in Germany. The United States and European countries, including the European Union and NATO, have largely focused on _defensive_ measures to counter Russian actions, such as sharing intelligence and strengthening resilience (including cyber defense). While these efforts are necessary, they are not sufficient. NATO countries should develop a calibrated _offensive_ campaign against Russia that includes several components: escalating sanctions against Moscow; targeted offensive cyber operations against important Russian military and commercial targets; information and influence operations targeting the populations of Russia and its partners, such as Belarus; and more aggressive actions against assets valuable to Russia, such as its shadow fleet. In short, NATO should design a campaign to escalate the costs on Russia should the country continue such operations.
To better understand Russian actions, this brief asks several questions. What are Russian objectives in conducting these attacks? What are the main tactics and targets of Russian actions? And what should the United States and other Western countries do to better deter and counter Russian activity?
To answer these questions, the analysis utilizes several sources of data. Most importantly, it builds and analyzes a database of Russian destructive attacks and plots between January 2022 and March 2025, including date, location, target, weapon, and other information.1 In addition, it supplements this database with an overview of historical Russian and Soviet activity. It also utilizes data from other sources, such as CSIS’s database of hundreds of cyber incidents since 2006. Finally, it uses information from interviews with U.S. and European government officials.
The rest of this brief is divided into five sections. The first provides an overview of actions below the threshold of conventional warfare, including their historical use by the Soviet Union and Russia. The second section assesses Russian motivations for conducting this type of warfare, including the benefits and drawbacks. The third examines the main Russian actors involved in planning and executing its shadow war, from the Kremlin to the GRU and local recruits. The fourth section analyzes the primary trends in Russia’s actions, including geographic location, targets, and weapons. And the fifth outlines policy implications for the United States and its allies.
**Russian Shadow Wars: The Historical Context**
-----------------------------------------------
Actions below the threshold of conventional warfare have long been an important component of statecraft.2 U.S. military doctrine refers to these types of actions as “irregular warfare” or “irregular activities,” while European governments have frequently referred to these actions as “hybrid warfare” or “hybrid threats.”3 Others have used different terms to capture some or all of these actions, such as gray zone activity, political warfare, asymmetric conflict, unconventional warfare, and low-intensity conflict.4 These types of activities involve using tools of statecraft below the threshold of conventional warfare to shift the balance of power in their favor. Examples include:
* Information and influence operations, including psychological operations and propaganda.
* Offensive cyber operations and electronic warfare.
* Support to state and non-state partners, such as guerrillas and proxy forces.
* Covert and clandestine actions by intelligence and special operations forces, including sabotage and subversion.
* Economic coercion.5
Russia and the Soviet Union have a rich tradition of conducting this type of warfare. During the Cold War, the Soviet Union developed an aggressive campaign to influence populations across the globe in ways that aided Soviet interests and undermined the United States and its allies, which was best captured in the phrase “active measures” (or активные меры).6 Led by the KGB, the Soviet Union’s premier spy agency, active measures included several types of activities:
* Written and oral disinformation (or дезинформация), including “gray” (unattributed) and “black” (falsely attributed) propaganda.
* The use of agents of influence, including foreign academics and media assets.
* Clandestine radio stations.
* The use of foreign political parties and international front groups to pursue Soviet national security objectives.
* Support for international revolutionary and terrorist organizations, including national liberation movements.
* Political blackmail and kidnapping.
* Targeted assassinations, including the killing of defectors.7
Soviet active measures focused primarily on the United States, which it referred to as the main opponent or adversary (or главный противник), though the KGB and other Soviet agencies, such as the GRU, also focused on Western European and other countries in order to undermine U.S. influence and alliances. As one former Warsaw Pact intelligence operative noted:
Target No. 1 was the United States. . . . The objective was to hurt the United States wherever and whenever it was possible, to weaken the positions of the United States and Western Europe, to create new rifts within the NATO Alliance, to weaken the position of the United States in developing countries, to cause new rifts between the United States and developing countries, to disinform the United States and the Western allies about the military strength of the Soviet bloc countries.8
The documents collected by Vasili Mitrokhin, an archivist for the Soviet Union’s foreign intelligence service who defected to the West just as the Cold War ended, provide some of the most illuminating insights into Soviet active measures. As one KGB analysis explained, “The main value of all Active Measures lies in the fact that it is difficult to check the veracity of the information conveyed and to identify the real source. Their effectiveness is expressed as a coefficient of utility, when minimum expenditure and effort achieves maximum end results.”9 In addition to active measures, the Soviet Union and more recently Russia also used such strategies and tactics as denial and deception (or маскировка) and information confrontation (or информационное противоборство).10
**Russian Strategy**
--------------------
Today, Russian active measures support the following types of foreign policy objectives:
* Influencing public opinion through psychological operations in Europe, the United States, and other countries to support Russian interests.
* Coercing governments, companies, or individuals to stop taking specific actions, particularly curbing military and other assistance to Ukraine.
* Deterring countries, companies, or individuals from taking specific actions, such as escalating the type and amount of military aid to Ukraine.
* Deterring Russian soldiers, government officials, and citizens from defecting to the West.
* Creating fissures between governments, especially between NATO allies.
* Undermining the democratic norms and values that underpin the West.
These types of operations have several benefits, which make them attractive to Russian leaders. First, they allow countries to conduct coercive activities against a state below a threshold that is likely to trigger a costly or risky conventional war. Countries generally do not respond to actions below the threshold of conventional warfare by declaring war on the perpetrator. For example, Article 5 of the North Atlantic Treaty states that an armed attack against one NATO member is considered an attack on all members. But NATO governments typically do not consider active measures “an armed attack” that requires collective self-defense.11 This means that perpetrators, including Russia, know that they can conduct these activities without causing a conventional war. As a 2024 Norwegian intelligence assessment concluded, “Any act of sabotage would most likely be performed in a manner that would make it challenging to prove who was behind it. One important reason for this is that Russia wants to avoid any situation that could trigger Article 5 of the NATO Treaty regarding collective defense.”12
Second, these types of actions are relatively inexpensive for perpetrators. Unlike conventional war, they generally do not require vast sums of money and do not cause the perpetrator to suffer substantial casualties. Some of these actions—such as offensive cyber, electronic warfare (including GPS jamming), and influence operations—can also be done from a state’s own territory, a third country, or virtual networks.
Third, these types of actions are often deniable, and targeted governments are frequently cautious—sometimes overly cautious—about attributing them due to fear of escalation. Since they may not be directly perpetrated by a government operative, countries can—and generally do—deny responsibility. Governments have frequently used a number of entities as cut-outs, such as local recruits, including criminal organizations or diaspora populations, non-governmental organizations, and companies. Russia has also used commercial vessels, such as the oil tanker _Eagle S_, which sailed under the flag of the Cook Islands, for sabotage operations.13