The Landscape of Hybrid Threats

Executive Summary

Since the full-scale invasion of Ukraine in 2022, the Russian Federation has increasingly operationalized hybrid warfare, integrating sabotage, cyber operations, disinformation, and legal subversion into a grey-zone campaign targeting NATO member states. Intelligence fusion centres across the Alliance report over 219 hybrid incidents since 2014—with 86% occurring after February 2022. Nearly half were recorded in 2024 alone, underscoring a strategic pivot toward sustained sub-threshold disruption. Primary targets include high-value NATO contributors such as Poland, Germany, Finland, Norway, the United Kingdom, and the Baltic states. These countries are central to sanctions enforcement, military logistics, and NATO's forward deterrence posture, rendering them critical nodes in Russia's multi-domain destabilization strategy.

Russian Hybrid Campaign Objectives and Methodologies

The Kremlin seeks to erode transatlantic unity, fracture European political cohesion, and prolong confrontation without breaching Article 5 thresholds. Operational objectives include the disruption of economic systems, the erosion of public trust in institutions, and the generation of policy paralysis. Russian operators maintain continuous pressure while avoiding overt military escalation by leveraging reflexive control, maskirovka, and plausible deniability. Recent assessments highlight deliberate targeting of energy resilience and information integrity. Russian-affiliated actors have conducted infrastructure probing, GPS interference, underwater reconnaissance, and cyber-physical attacks on industrial control systems (ICS), particularly in the aviation, maritime, and energy sectors. These activities blur conventional lines of conflict and create persistent low-intensity disruption across multiple domains.

Maritime Hybrid Threats and Strategic Use of the Shadow Fleet

Russia's sanctions circumvention strategy is anchored by its "shadow fleet"—a network exceeding 200 oil tankers operating under opaque shell ownership structures. To evade scrutiny, these vessels exhibit spoofed AIS signals, falsified registries, and flag state manipulation. As hybrid assets, they pose both economic and operational threats. In January 2025, the Eventin, a Panama-flagged tanker carrying nearly 100,000 tons of Russian oil, experienced a steering failure near Germany's Rügen Island—one of Europe's most sensitive maritime corridors. The German Central Command for Maritime Emergencies (CMME) dispatched Bremen Fighter and Arkona, successfully stabilizing the vessel and preventing ecological fallout. While attribution remains inconclusive, AIS anomalies mirrored GRU reconnaissance patterns. UK authorities subsequently sanctioned the Eventin, citing links to Sovcomflot shell entities. In response, NATO integrated shadow fleet tracking and interdiction drills into BALTOPS 2025, elevating these assets from sanctions violators to potential maritime hybrid vectors.

Sabotage of Critical Infrastructure: Maritime and Land-Based Convergence

Russia's hybrid playbook increasingly converges physical and cyber operations across maritime and terrestrial targets. Subsea attacks such as the Estlink-2 interconnector sabotage now mirror land-based sabotage and cyber disruptions. In May 2024, Polish and Lithuanian intelligence services dismantled a GRU-linked sabotage network planning arson attacks on a paint factory in Wrocław and an IKEA retail hub in Vilnius. Concurrent cyber-espionage campaigns targeted defence logistics firms and public infrastructure networks.

In late 2024, France and Czechia reported coordinated attacks on telecom masts and energy substations. In France, fibre-optic lines and electrical cabinets were deliberately destroyed, disrupting services in metropolitan zones. Forensic analysis traced encrypted comms and crypto-linked financing to Russian-affiliated proxies. Czech investigators identified a parallel attack profile, implicating actors in earlier train signal sabotage that caused mass transit delays. These layered assaults follow Russia's hybrid doctrine: kinetic disruption, digital penetration, and narrative manipulation to obscure attribution and magnify strategic ambiguity.

AI-Driven Disinformation and Converging Strategic Narratives

Russian influence campaigns have escalated with generative AI tools enabling mass-scale disinformation. Deepfakes of Western leaders, AI-generated protest footage, and synthetic voice impersonations proliferated across Telegram, TikTok, and low-moderation platforms. Core narratives in 2024 focused on anti-immigration sentiment, energy security panic, and EU climate backlash—synchronized with election cycles. Convergence with Chinese grey-zone tactics became apparent in the November 2024 undersea cable incident involving a Chinese-flagged vessel departing from a Russian port. This signals operational alignment in disrupting Western infrastructure and information integrity.

Forecast: Ten Likely Hybrid Escalation Pathways

  1. Sabotage of cargo aircraft logistics using incendiary or jamming payloads at transatlantic hubs.

  2. Cyber-kinetic disruption of ICS governing power plants, dams, and municipal water systems.

  3. Subsea energy cable severing in the North Sea and on the Norwegian continental shelf.

  4. SCADA manipulation of water treatment infrastructure to induce contamination.

  5. Political destabilization in European elections via coordinated cyber and media operations.

  6. Arson and signal sabotage along NATO rail corridors in Poland, Slovakia, and eastern Germany.

  7. Targeted transformer fires and grid node breaches with parallel cyber attacks.

  8. GNSS spoofing near military and dual-use airports to degrade air control systems.

  9. Cyber-physical compromise of defence warehousing and automated resupply chains.

  10. False-flag provocations exploiting migrant movements to escalate border friction.

Strategic Countermeasures

Intelligence agencies emphasize the urgent need for proactive and multi-domain defence measures to deter and disrupt Russian hybrid campaigns. A critical priority is expanding the EU-NATO hybrid fusion framework to include integrated subsea and terrestrial ISR overlays, enabling early detection of both maritime and land-based threats. In parallel, AI-driven disinformation mitigation nodes must be operationalized within NATO StratCom and national CERT teams to counter the rising tide of synthetic media and narrative manipulation.

Coordinated response capability remains essential. This includes institutionalizing cross-border sabotage response protocols, which can rapidly activate CBRN-capable intervention units in the event of physical infrastructure attacks. To address persistent capability gaps, the NATO Hybrid Warfare Training Centre must be fully funded and equipped with specialized modules addressing infrastructure protection, legal warfare, and space-cyber convergence scenarios.

Finally, legal deterrence must match operational risk. This requires the enforcement of sovereign sanctions regimes targeting vessel registries, offshore insurers, and financial networks involved in facilitating crypto-obscured hybrid threat operations. Together, these measures form a layered counter-hybrid architecture necessary to maintain strategic stability and protect critical infrastructure across the European theatre.

Conclusion

Russia's hybrid architecture is increasingly systematized, blending kinetic disruption, digital infiltration, and strategic deception. Shifting from proxy irregulars to state-integrated asymmetric assets necessitates a doctrine-to-capability realignment across Europe. A decisive response demands cross-domain intelligence fusion, anticipatory resilience planning, and targeted counter-hybrid operations. NATO and the EU must treat infrastructure sabotage, maritime manipulation, and synthetic media as integrated theatres of modern conflict.

Conclusion and Strategic Recommendations

Russia's hybrid warfare architecture has evolved into a systematic campaign of state-integrated subversion, blending kinetic disruption, cyber infiltration, and strategic deception to erode European cohesion and resilience. The shift from irregular proxy activity to coordinated, state-backed asymmetric operations marks a fundamental transformation in the threat landscape. In response, NATO and EU security architectures must undergo a doctrine-to-capability realignment, recognizing that infrastructure sabotage, maritime manipulation, and synthetic information operations now constitute interconnected theatres of conflict. A decisive response must be intelligence-led, anticipatory, and cross-domain. European security agencies must accelerate the fusion of technical, operational, and strategic intelligence while reinforcing resilience across critical infrastructure and information ecosystems. As Moscow continues to refine its hybrid toolkit, the Allied response must move from reactive hardening to proactive disruption, leveraging AI-enhanced detection, integrated counter-sabotage doctrine, and legal-strategic deterrence to outpace the evolving threat. The integrity of European institutions, economies, and democratic processes depends on it.
