Russia’s Gray Zone Warfare Campaign In Europe – Analysis

According to the head of MI5, Russia is on a mission to ‘generate sustained mayhem on British and European streets.’

The statement refers to a string of high-profile sabotage and arson events that have occurred in Europe since the outbreak of the Ukraine war, ranging from the destruction of undersea cable infrastructure in the Baltic Sea to the burning down of Warsaw’s largest shopping mall, and even the petty harassment of pro-Ukraine public figures in Estonia.

When assessing the manifestations of this continental ‘mayhem,’ a novel modus operandi becomes evident: this is not the work of professional intelligence agents, many of whom are now being forced to operate from Russia having been expelled from their former postings in European states. Rather, the sabotage is being performed by amateurs recruited on social media, some of whom aren’t even legal adults, and typically for love of money more than love of the motherland. Such tactics reflect a fluidity well suited to the digital age, where saboteurs can be recruited, trained, and paid without even coming into contact with state intelligence agents.

On the strategic level, gray zone warfare remains highly appealing in its deniability. Yet as the events below suggest, this could actually be changing as a casualty of the new tactical normal. With more amateur operatives being caught and disclosing the details of their recruitment process, a clearer picture of Russian state involvement emerges, one that is in turn generating responses from Western states. One example is NATO’s ‘Baltic Sentry,’ which seeks to establish an active military presence in the Baltic Sea to protect critical infrastructure there from sabotage. Another is the Biden administration’s direct warnings of severe consequences should Russian intelligence attempt to send exploding packages to North America. In both we see attempts to delineate limits on gray zone warfare – the establishment of diplomatic and security consequences where before there were none. This process is largely in its infancy, however, with both offensive and defensive actors still navigating largely uncharted territory.

BALTIC SEA UNDERSEA CABLE SABOTAGE

Tactics: State organs enlist a third party that would typically operate in the target maritime space; for example, a captain of a commercial vessel. The third party then drops anchor near the target and proceeds to drag it along the seabed until the cable is severely damaged or cut outright. This tactic is particularly well suited to the Baltic Sea due to its shallow waters and critical undersea cable infrastructure (data and energy).

Benefits: There are three benefits so far as the state sponsor is concerned. The first is the low operating cost, which is basically the money needed to enlist the third party. The second is deniability since these gray zone operations do not directly involve any state instruments in performing the sabotage. The possibility of accidental damage provides another layer of deniability that is often invoked by detained crews, and potentially with all sincerity, since accidental anchor-related damage is a common cause of undersea infrastructure destruction. Third, damage to undersea infrastructure can have major economic impacts, costing anywhere between €5 million and €150 million to fix, with repairs taking months if not years to complete.

Costs: The question of how to create costs is not one that is easily answered, and herein lies the strategic appeal of gray zone warfare in the first place. Doing too much risks kinetic conflict; but doing too little invites more sabotage in the future. Littoral stakeholders have made efforts to hold individual captains and crews to account. There is also a more concerted military strategy to safeguard Baltic infrastructure. In January 2025, NATO announced the ‘Baltic Sentry’ initiative, which will deploy frigates, patrol aircraft, and maritime drones to monitor critical infrastructure in the area. Notably, the deployment will have the power to board, impound, and arrest crews suspected of sabotage.

Notable Incidents

Nord Stream (September 26, 2022): An undersea explosion renders the Nord Stream natural gas pipelines linking Germany and Russia inoperable. In the immediate aftermath of the explosion, fingers are pointed at all sides. Since then, Sweden, Denmark, and Germany have conducted separate investigations into the cause. The first two ended inconclusively, while the German one alleges the possible involvement of Ukrainian divers, trained in Poland.

BCS East-West / C-Lion1 (November 17-18, 2024): Two undersea cables are severely damaged in less than 24 hours, with the China-flagged bulk carrier Yi Peng 3 operating in the area at the time. China allows representatives from Germany, Sweden, Finland, and Denmark to board the ship, though it refuses entry to the Swedish prosecutor leading the investigation. The ensuing report notes that the Yi Peng 3 dragged its anchor for 1.5 days across 180 nautical miles, coinciding with the time of the cable breaks. Yet in the report’s final judgement, while emphasizing that the investigation was hampered by limited access, it declares that there’s no way to conclude either deliberate sabotage or accidental anchor deployment.
Estlink 2 (December 25, 2024): The Estlink 2 electricity connection between Finland and Estonia goes offline, prompting the Finnish authorities to detain the 24-strong crew of the Eagle S – a tanker believed to belong to Russia’s ‘shadow fleet.’ The Eagle S has since been allowed to leave, and three crew members remain detained as the investigation continues. The Estlink 2 is expected to be back online sometime in July.
Latvia-Sweden Cable Damage (January 26, 2025): The Latvian government announces damage to a fiber optic cable linking Latvia and Sweden. The Maltese-flagged ship Vezhen is boarded and detained by Swedish authorities before being cleared of sabotage and released in February.

EUROPE ARSON AND ESPIONAGE CAMPAIGN

Tactics: Similar to the Baltic Sea MO, state organs enlist the help of either criminal elements, ideologically aligned supporters, or desperate people to execute acts of sabotage and vandalism that help fuel the perception of discord and insecurity in Western societies. As per reporting from the Guardian, recent campaigns have utilized online recruitment to source new ‘freelance’ saboteurs, resulting in less targeted and less professional operations.

Benefits: Low costs for recruitment, which takes place either in-person or exclusively online over apps like Telegram. Low diplomatic costs, since operators tend to be motivated individuals rather than state agents, meaning that they can be abandoned upon capture. And highly deniable in that it often strains credulity that low-level acts of vandalism could link back to the Kremlin, at least in the absence of any arrests. The campaign has achieved some major successes, notably the burning down of the Marywilska mall in Poland.

Costs: Unprofessional and financially desperate operators tend not to remain quiet under questioning. Faced with years if not decades in jail, they’re far more inclined to spill the details of their handlers’ operating manual, and in doing so shrink the ‘gray zone’ of plausible deniability.

Notable Incidents

Poland Amateur Spy Ring (November, 2023): Poland charges 16 foreigners with espionage for a variety of activities since January 2023, including intelligence-gathering around seaports and military facilities, monitoring trains entering Ukraine, and conducting propaganda campaigns. All 16 had been recruited over Telegram; all were paid via crypto; and several received laptops, phones, housing, and/or vehicles.
Estonia Vandalism (December 8, 2023): Cars belonging to the Estonian Minister of the Interior and a journalist are vandalized, with attacks allegedly planned for other outspoken critics of Russia’s invasion of Ukraine. Seven people were convicted over the incident, with pro-Russia activist Allan Hantsom receiving a six-and-a-half-year sentence. The group is alleged to have been operating at the behest of the GRU, which offered a €10,000 payment for the operation, split between the participants.
Poland Paint Factory Aborted Arson (January, 2024): Pro-Russia Ukrainian ‘Sergei S’ is recruited on Telegram and paid to set fire to a paint factory in Poland. He is subsequently apprehended trying to leave the country and, despite ultimately not going through with the attack, is sentenced to eight years in prison.
Warsaw Hardware Store Arson (April 14, 2024): A large hardware store burns down in Warsaw, causing an estimated €840,000 in damage. Poland later charges Belarusian ‘Stepan K’ with arson, alleging that he was working at the behest of Russian intelligence. If convicted, Stepan faces up to 10 years in prison.
Vilnius IKEA Arson (May 9, 2024): An IKEA is burned down in a suspected arson case in Vilnius, Lithuania. The authorities charged Ukrainian teenager Daniil Bardadim with terrorism. Bardadim is alleged to have been offered an old BMW and $11,000 in cash by a group linked to the GRU, though prosecutors note that the suspect did not seem to harbor any pro-Russia views.
Marywilska Shopping Center Arson (May 12, 2024): A massive fire destroys the Marywilska 44 shopping center in Warsaw. The Polish authorities conclude that the fire was set by an organized criminal group working at the behest of Russian intelligence and conducting operations in several EU countries. They allege that the attack was linked to the Vilnius IKEA fire, with Daniil Bardadim named as a suspect here as well, along with four other co-conspirators, including Oleksander V., an alleged Russia-based handler. The incident continues to feed into wider geopolitical tensions, with Poland recently ordering that Russia close its Krakow consulate citing evidence of Russian intelligence involvement in the Marywilska fire.
DHL Package Explosions (July, 2024): Three separate package explosions occur in routing facilities in Leipzig, Birmingham, and near Warsaw over the course of three days, all involving packages sent from Lithuania. Each package ignites a magnesium-based fire that would presumably down a plane if detonated mid-flight. The operation is ultimately judged to be a dry run for shipments to Canada and the United States, and once this intelligence is shared with the Americans, the Biden administration reaches out directly to the Kremlin, warning of a major escalation in the event of a trans-Atlantic detonation. Poland subsequently arrests four people connected to the plot, as well as a suspected agent in Alexander Bezrukavyi, who was extradited from Bosnia. Reporting from the Guardian suggests the possibility that some if not all of the people involved in the plot thought they were simply doing typical courier work.
Second Package Plot (May, 2025): Germany arrests three Ukrainian nationals, accusing them of plotting to detonate packages in transit after being recruited by Russian intelligence. The incident is notable because it suggests that the election of Donald Trump has not produced a lull in Russia’s gray warfare campaign.
