Russian European Sabotage Campaign — 2025 Attribution Evidence

Overview

A significant escalation in Russian hybrid operations targeting European critical infrastructure was documented throughout 2025, with a particular concentration in Poland. Incidents rose from ~13 in 2023 to 44 in 2024, with further escalation in 2025. Attribution to GRU-linked networks has come from multiple NATO-member governments.

Key Incidents

Rail Sabotage — Poland (November 2025)

  • Explosive device detonated on Warsaw–Lublin railway line near Mika
  • Route is a critical artery for military/humanitarian aid to Ukraine
  • PM Donald Tusk: “unprecedented act of sabotage”
  • Polish security services: “everything indicates” Russian intelligence services responsible
  • Public attribution by PM Tusk

Marywilska Shopping Center Arson — Warsaw (2024/2025 Attribution)

  • Major fire at Marywilska shopping center
  • PM Tusk publicly stated (2025) that it was ordered by Russian services
  • Perpetrators detained; others identified

Parcel Bomb Network — Multi-Country

  • Intercepted parcel bombs and mailed explosive devices linked to GRU-linked networks
  • Charges filed in Lithuania against individuals tied to Russian services
  • Incidents in Poland, Germany, the UK, and the wider region
  • FSB counter-claims of explosive “insoles” sent from Poland toward Russian forces

Broader Toolkit

  1. Cyberattacks — aviation IT disruptions (London to Berlin), energy sector targeting, rail routing software
  2. Electronic warfare — widespread GNSS jamming in Baltic and North Sea corridors
  3. Drone incursions — “mystery drones” over airports (forcing shutdowns in Denmark), airspace violations in Poland, Romania, Baltics
  4. Undersea infrastructure — suspicious seabed activity near cables and energy nodes
  5. Arson attacks — targeting energy infrastructure, warehouses, defense industry

Attribution Pattern

  • Tactics: proxies, recruited locals/migrants, coordinated via Telegram/encrypted channels
  • Plausible deniability by design
  • Assessment: deliberate hybrid campaign targeting NATO directly
  • Russian response: consistent denial; claims of false-flag operations

NATO/EU Response

  • Shift toward active measures by late 2025:
    • Faster public attribution naming Moscow
    • Joint offensive cyber strikes
    • Information operations targeting Russian military production/logistics/energy
    • Surprise drills, seabed situational awareness
  • NATO exercises: 15K troops, 11 nations (High North, Baltic, Poland)
  • Locked Shields 2026: 41 nations practicing critical infrastructure protection
  • Baltic leaders: unchecked hybrid activity threatens “foundations of European security”

Germany’s Stance

German Foreign Office: hybrid attacks on critical infrastructure are “emerging frontline of geopolitical confrontation,” particularly regarding energy security.

Relation to Brazil/LATAM

Tier: Watch — While the campaign is Europe-focused, the tactics and toolkit (rail sabotage, GNSS jamming, parcel bombs, recruitment-via-Telegram model) are exportable. Monitoring for similar patterns in Latin American logistics infrastructure is warranted.

Key Sources

  • @NOELreports attribution reporting
  • @KyivIndependent — PM Tusk statements
  • @Defence24eng — Polish defense mapping of Russian hybrid threats
  • @TheStudyofWar — ISW assessments
  • @GermanyDiplo — official German attribution
  • @CforCD — Baltic threat assessments

Next Collection Priority

Track new incidents in Europe since the November 2025 Warsaw rail attack. Monitor for expansion into LATAM.


Institutional Escalation — 2025-2026 Updates

SVR Takeover of Wagner IO Operations in Africa (February 2026)

An Africanews investigation (February 21, 2026) documents that Russia’s SVR foreign intelligence agency has formally assumed control of ex-Wagner influence operations in Africa — conducting disinformation campaigns and providing intelligence on French/US plans in the Sahel. (Assessment — Medium confidence; single investigative source [awaiting-corroboration])

Analytical implication for European sabotage network: The institutional hardening visible in Africa — CIB operations moving from loose-network PMC command to FSB/SVR command structure — is analytically consistent with the parallel tightening of European sabotage operational security documented above. The Wagner-era “deniable contractor” model is being replaced with state intelligence agency oversight.

GRU Officer Identified in Marywilska Arson

PM Tusk’s attribution of the Marywilska shopping center arson to Russian services has been corroborated: a GRU officer was identified in open-source reporting as the order-giver. (Fact — corroborated, multiple Polish/European sources)

Warsaw–Lublin Railway Attack (November 2025)

Two Ukrainian nationals suspected of involvement in the Warsaw–Lublin railway attack fled to Belarus. Several others were detained in Poland. (Fact) This confirms the proxy recruitment pipeline from third-country nationals through Telegram/encrypted channels — consistent with the tactical signature documented in this note.

Germany: Scale of Incidents (2024)

German security authorities recorded 321 suspected incidents attributable to Russia in 2024 alone, with escalation continuing into 2025. This scale is substantially larger than previously documented. The 4x increase from 2023 to 2024 is analytically consistent with deliberate campaign expansion, not tactical opportunism. (Assessment — High confidence; GLOBSEC analysis)

Additional Sources (2025-2026 Updates)

Source | Confidence
Africanews — SVR assumes Wagner IO operations in Africa (2026-02-21) | Medium [awaiting-corroboration]
GLOBSEC — Russian hybrid incidents in Germany, 2024 analysis | Medium
Multiple Polish/European sources — GRU officer identification in Marywilska arson | High (corroborated)