Intelligence notes

Cable Sabotage as Hybrid Warfare — The Baltic Cluster, the Red Sea, and the Deniability Architecture

17 min read

Cable Sabotage as Hybrid Warfare — The Baltic Cluster, the Red Sea, and the Deniability Architecture

Article 5 of 8 — Information Infrastructure: The Physical Internet

The Pattern That Emerged, 2023–2025

Between October 2023 and December 2024, the Baltic Sea recorded three discrete incidents in which commercial vessels dragged their anchors across the seabed and severed energy and telecommunications cables linking NATO members. In February 2023, two Chinese-flagged vessels cut both submarine cables serving Taiwan’s Matsu islands within six days. In February 2024, three of the four major submarine cables in the Red Sea failed within minutes of one another, immediately following a Houthi missile strike that left a cargo vessel drifting with its anchor deployed. Taken individually, each event admits an innocent explanation. Taken together, they form the operational pattern of a class of hybrid warfare that has no name in any treaty, no threshold in NATO’s Article 5 architecture, and — as of mid-2026 — not a single concluded prosecution establishing state direction.

The physical events are well-documented and rest on High confidence forensic findings: anchor drag trails, AIS tracks, satellite imagery, BGP routing collapses. The attribution claims — that any of these incidents were ordered by Moscow, Beijing, Tehran, or Sana’a — remain almost uniformly at Low or Medium confidence, and in one case (direct Houthi cable-cutting) are Contradicted by the available evidence. This asymmetry between the certainty of the damage and the uncertainty of the directing hand is not a gap in the analytical record. It is the defining feature of the methodology.

Incident 1 — BalticConnector and the Estonian Telecom Cables (October 2023)

At approximately 01:20 local time on 8 October 2023, the Hong Kong-flagged container vessel Newnew Polar Bear, Chinese-owned, was transiting the Gulf of Finland at roughly 11 knots when it dragged its anchor along the seabed for more than 100 nautical miles. The drag trail — between 1.5 and 4 metres wide — severed the 77-kilometre BalticConnector gas pipeline between Inkoo, Finland and Paldiski, Estonia, and damaged the Estonia–Finland and Estonia–Sweden telecommunications cables. Seabed investigators subsequently recovered an anchor that matched the damage profile. These facts carry High confidence.

In August 2024, China acknowledged that Newnew Polar Bear had caused the damage, characterising the event as accidental and citing storm conditions. A Finnish-Estonian criminal investigation continues. The vessel’s captain, Wan Wenguo, was reportedly arrested in Hong Kong; the next hearing was scheduled no earlier than September 2025. Assessment (Low confidence): no open-source evidence has established deliberate PRC state direction. The 100-nautical-mile drag distance is difficult to reconcile with ordinary accident, but difficulty is not proof, and the available record contains no order, no comms intercept, no defector testimony, no forensic trace tying the vessel’s conduct to any state-level instruction.

The operational impact was nonetheless real: BalticConnector gas supply was disrupted for months during the heating season immediately following Russia’s gas-weaponisation campaign against Europe, and regional telecom redundancy was reduced.

Incident 2 — C-Lion1 and BCS East-West (November 2024)

Thirteen months later, the pattern repeated with a near-identical signature. On 17 November 2024 at approximately 10:00 local time, the BCS East-West Interlink cable between Lithuania and Sweden was severed. Roughly sixteen hours later, at 02:00 UTC on 18 November, the C-Lion1 fibre-optic cable — 1,173 kilometres linking Helsinki to Rostock — was disrupted off Sweden’s Öland island. AIS and satellite data placed the Chinese bulk carrier Yi Peng 3, which had departed the Russian port of Ust-Luga on 15 November carrying fertiliser, at both damage zones at the relevant times, moving at speeds consistent with anchor drag. The Swedish Navy publicly stated “almost 100% identification” of the vessel at both sites. These are High confidence findings.

The investigative aftermath illustrates the deniability architecture in operation. On 19 December 2024, fourteen Chinese officials, nine German officials, and six Swedish officials boarded Yi Peng 3 for a restricted five-hour inspection. Swedish prosecutors were denied access to the Voyage Data Recorder and to onboard surveillance footage. Two days later, on 21 December, Yi Peng 3 departed for Port Said without being boarded by Swedish authorities. On 15 April 2025, the Swedish Accident Investigation Authority (SHK) issued its formal report, concluding: “It cannot be determined with certainty whether [the] Chinese ship intentionally damaged the data cables.” The Swedish criminal investigation remains open.

Assessment (Low confidence): the combination of departure from a Russian port, transit through Chinese-flagged hulls, repeated anchor drag, and PRC obstruction of the forensic chain is consistent with a deliberate operation — but the public record does not establish state direction. The Voyage Data Recorder contents have never been publicly disclosed. No motive for explicit PRC state direction has been established in open source. The gap is not an artefact of analytical caution; it is the structural product of jurisdiction shopping, flag-state non-cooperation, and the protected status of merchant shipping under UNCLOS.

Incident 3 — Eagle S and Estlink-2 (December 2024)

The Christmas Day incident pushed the pattern furthest into the territory of demonstrable state interest. At 12:26 EET on 25 December 2024, Estlink-2 — the 1,016 MW power cable between Finland and Estonia — failed; transmission capacity dropped to 358 MW. Over the same evening, four telecommunications cables were disrupted, with two Elisa cables completely severed and not restored until 6 January 2025. Finnish investigators traced an anchor drag trail roughly 100 kilometres long. The suspect vessel was the Cook Islands-registered oil tanker Eagle S, transporting unleaded gasoline from Russia’s Ust-Luga port — a vessel publicly identified as part of Russia’s shadow fleet circumventing G7 oil-export sanctions.

The Finnish response broke from the pattern of every previous incident. At 00:28 on 26 December, the Karhu rapid-response unit of the Finnish Police and the Coast Guard’s Special Intervention Unit fast-roped onto Eagle S by helicopter while the tanker was still inside Finnish territorial waters. The boarding preserved the chain of evidence in a way the Yi Peng 3 inspection had not. In August 2025, Finnish prosecutors filed charges of “aggravated criminal damage and aggravated interference with telecommunications” against the captain and two senior officers. These facts are High confidence.

The juridical outcome then exposed the deeper problem. On 3 October 2025, the Helsinki District Court dismissed the case, ruling that Finland lacked jurisdiction under UNCLOS over the alleged conduct in the relevant waters. Prosecutors appealed; the Helsinki Court of Appeal ruling remains pending as of this article. Assessment (Medium confidence) — the highest confidence band among the five incident clusters — that the operation served Russian state interest: the shadow fleet connection establishes a documented Russian commercial and strategic stake in the vessel’s mission, and a 100-kilometre drag trail is exceptionally difficult to reconcile with navigational error. However, anonymous US and European officials, quoted in early January 2025, characterised the Baltic incidents as “accidents, not deliberate acts ordered by Russian officials,” a characterisation Nordic governments publicly disputed as premature. Any intelligence community assessment of explicit Kremlin direction remains classified, and the gap between the shadow fleet’s function and an order to cut a specific cable on a specific night has not been closed in open source.

Incident 4 — The Matsu Cables (February 2023)

On 2 February 2023, a Chinese fishing vessel cut the TAIMA No. 2 cable serving Taiwan’s Matsu islands. On 8 February, the anchor of a Chinese cargo vessel cut TAIMA No. 3. The two cables are the sole undersea links for Matsu’s approximately 13,000 residents. Taiwan’s National Communications Commission confirmed the vessel identifications by flag and AIS data. The backup microwave relay delivered only 2.2 Gbps against normal demand of 8–9 Gbps. TAIMA No. 3 was repaired on 31 March 2023 (a 50-day outage); TAIMA No. 2 repairs extended into May. High confidence on all physical and operational findings.

The Matsu case is analytically valuable not for any single incident but for the volumetric record: Matsu’s cables have been cut 30 times since 2017, with 10 attributed to Chinese sand-dredging vessels. Assessment (Low confidence) for state direction of the specific February 2023 cuts; Assessment (Medium confidence) that the long-term pattern functions as a form of gray-zone pressure on an island territory whose communications can be degraded without crossing a military threshold. The methodology — repeated, denied, individually deniable, cumulatively coercive — is the same that re-emerges in the Baltic eighteen months later. Matsu may be read, conservatively, as a laboratory.

Incident 5 — Red Sea (February 2024): Incidental Damage or Strategic Signal?

The Red Sea cluster admits the cleanest exoneration of any state actor for direct cable-cutting. On 24 February 2024, three submarine cables carrying an estimated 25% of Europe–Asia data traffic failed within minutes of one another: SEACOM/TGN-EA at 09:46 UTC (BGP-confirmed via Kentik analysis), AAE-1 at 09:51 UTC, and EIG on or around the same date. Cloudflare reported Europe–India latency increases of up to 30%. High confidence on the failures and timing.

The directing physical cause was the MV Rubymar, a cargo vessel that had been disabled by a Houthi missile strike days earlier and abandoned with its anchor deployed. US government and industry assessment — including reporting from Bloomberg, gCaptain, and Kentik — converged on Rubymar’s drifting anchor as the most probable cause. The Houthis explicitly denied cutting the cables (confirmed in PBS NewsHour reporting). No open-source evidence indicates the Houthis possessed or deployed direct cable-cutting capability. Houthi counterclaims attributing the cuts to US/UK military action are assessed as disinformation.

This is therefore a Contradicted claim for direct Houthi cable-cutting and an Assessment (Medium confidence) for indirect causation: the Houthi missile strike on Rubymar disabled the vessel; the disabled vessel’s anchor cut the cables; the chain of causation runs through Houthi action without requiring Houthi intent to target cables. Subsequent statements from Houthi leadership signalling awareness of cable vulnerability indicate the strategic lesson was absorbed, even if the original incident was incidental. The Red Sea case thus illustrates a distinct mechanism: kinetic action against shipping that produces second-order infrastructure damage as a byproduct, with the perpetrator subsequently incorporating the byproduct into deterrent rhetoric.

GUGI — The Capability That Shadows All of the Above

None of the five incidents required exotic capability. Anchor drag is, almost by definition, available to any merchant hull. But the analytical frame for Baltic and Atlantic cable security cannot ignore the existence of a Russian organisation purpose-built for seabed manipulation.

The GUGI — Main Directorate for Deep-Sea Research (Главное управление глубоководных исследований) — was established in 1965 and assumed its current structure in 1975. It operates from the 29th Separate Submarine Division at Olenya Guba on the Kola Peninsula. Its declared assets, established with High confidence in open sources, include the AGS Yantar surface research ship, which carries the “Rus” class submersibles rated to 6,000 metres; the K-329 Belgorod, an Oscar-II derivative commissioned in July 2022 and at 184 metres the longest submarine in the world, configured to carry both Poseidon UUVs and GUGI mini-submarines; the BS-64 Podmoskovye, a GUGI mothership; and the AS-31 Losharik, a deep-diving miniature submarine rated to approximately 2,500 metres which suffered a fire in 2019 that killed fourteen officers, was repaired, and returned to service.

Yantar’s pattern of deployment near submarine cable routes is documented with High confidence: near US East Coast cables en route to Cuba (September 2015); inside Norwegian territorial waters (October 2015); deploying the Rus submersible to 6,180 metres in the mid-Atlantic (December 2015); loitering near cables connecting Turkey and Cyprus and anchoring near Greenland (2016); near transatlantic cables south of Ireland and in the Irish Sea (August 2021, per Naval News / H.I. Sutton tracking); and tracked in the Mediterranean near Spain and Algeria (January 2025).

The capability is established. Assessment (Medium confidence): the combination of deep-diving submersibles, ROV equipment, and repeated Yantar deployments to cable corridors constitutes a deliberate cable-mapping and potential-manipulation posture. Gap: whether active cable tapping or pre-positioning for sabotage has been executed is not confirmed in any open-source forensic report or declassified intelligence assessment available at the time of writing. GUGI’s specific targeting methodology for cable operations is not documented in open sources. The capability is real; the operational record, at the public level, is not.

The analytical significance of GUGI to the Baltic incident cluster is therefore not that GUGI cut any of the cables — there is no evidence it did — but that GUGI’s existence renders the question always live. Every anchor drag in the North Atlantic, the Baltic, or the Norwegian Sea is read against a deep-sea capability operated by the same state whose shadow fleet is now demonstrably implicated.

The Deniability Architecture

The five incident clusters share five attributes that together constitute a coherent methodology:

  1. Anchor drag as the universal mechanism. Every cluster uses anchor drag or anchor-adjacent causation as the physical instrument. Anchors are universal to merchant shipping. Their deployment can always be characterised as accidental, mechanical failure, or response to weather. The mechanism is intrinsically deniable.

  2. Commercial cover. Every directly implicated vessel — Newnew Polar Bear, Yi Peng 3, Eagle S, the Matsu fishing and cargo vessels, MV Rubymar — was a commercial hull engaged in nominally commercial activity. None were state-flagged warships. The merchant shipping system, designed for global commerce, is a structural impediment to forensic attribution.

  3. Flag-state non-cooperation. Where the flag state is the suspected directing party, the Voyage Data Recorder, surveillance footage, crew testimony, and onboard logs become unrecoverable. The Yi Peng 3 inspection — in which the host state’s officials outnumbered the investigating state’s officials more than two to one and the VDR was withheld — is the canonical illustration.

  4. Cross-flag analytical noise. Two of five incident clusters involve Chinese-flagged or Chinese-owned vessels (Newnew Polar Bear, Yi Peng 3) in incidents with primary Russian strategic interest (both departed from Russian ports; both struck infrastructure between Russia-adjacent NATO members). This is not a category error; it is a feature. The use of a third state’s flag to service a different state’s strategic interest dilutes attribution by design.

  5. Sub-Article-5 positioning. Each incident causes damage substantial enough to be costly but insufficient — individually — to constitute armed attack under NATO’s Article 5. Cable cuts are repairable. Power capacity is restored. Telecom redundancy partially absorbs the loss. The gray zone below collective-defence thresholds is the target operational space.

The result is not failure of attribution. It is the intended structural outcome of an attribution-resistant methodology. The Helsinki District Court’s October 2025 dismissal of the Eagle S case for jurisdictional reasons under UNCLOS is the single clearest articulation of the problem: the legal framework governing the seabed was not built for a campaign of deniable infrastructure attack, and even the strongest case in the cluster collapses on jurisdiction before reaching the merits.

What the Pattern Implies for NATO Critical Infrastructure Doctrine

No incident in the cluster has progressed to a concluded prosecution establishing state direction. The Eagle S case represents the furthest legal advancement, and it was dismissed for jurisdiction; the appeal is pending. The Yi Peng 3 case is procedurally stalled by flag-state non-cooperation. The Newnew Polar Bear case proceeds against the captain alone, with PRC framing the conduct as accidental. The Matsu pattern is documented but unprosecuted. The Red Sea incident is, on best evidence, indirect.

This record produces three structural conclusions for NATO and analogous critical-infrastructure regimes:

  • Forensic recovery is the chokepoint. The Finnish boarding of Eagle S while still in territorial waters preserved evidence the Swedish inspection of Yi Peng 3 did not. The doctrinal lesson is that response speed — including aggressive use of helicopter-borne boarding teams while the suspect vessel is still inside coastal-state jurisdiction — is decisive. Once the vessel exits to the high seas under a non-cooperating flag, the case is structurally lost.

  • UNCLOS as currently interpreted is inadequate. A legal regime that produces dismissal-for-jurisdiction on the strongest case in a four-incident Baltic cluster is, by revealed performance, not fit for hybrid-warfare cable defence. Whether the remedy is treaty amendment, joint NATO jurisdictional protocols, or coastal-state legislation aggressively asserting interference with submarine cables as a crime triable at the coast, the present framework rewards the methodology.

  • Article 5 thresholds are being deliberately probed. The cluster’s defining feature — sub-Article-5 damage, repeated, distributed across cables and across months — is not coincidence. It is calibrated. The analytical framing that treats each incident as discrete is the framing the methodology depends upon. Read as a campaign, the Baltic cluster is the most sustained sub-threshold infrastructure operation against NATO members since the alliance’s founding.

Strategic Implications

  • The gray-zone cable problem is now structural, not episodic. Between February 2023 and December 2024, at least seven distinct cable-cut incidents affecting NATO members or Taiwan crossed into public reporting; the underlying rate (Matsu’s 30 cuts since 2017) suggests baseline activity far higher than headline incidents indicate.

  • Attribution timelines outpace operational impact. The Newnew Polar Bear admission came ten months after the incident; the Yi Peng 3 SHK report came five months after the inspection; the Eagle S dismissal came nine months after the boarding. Cables are repaired in weeks. The asymmetry between operational recovery and legal attribution is itself a feature of the methodology.

  • Capability and execution are not the same question. GUGI’s deep-sea cable-mapping capability is established at High confidence. Its operational use to cut a specific cable is not established at any confidence in open source. Analysts who conflate the two overstate the record; analysts who dismiss GUGI because no direct operation has been forensically attributed understate the strategic context.

  • The Houthi case clarifies the indirect-causation pathway. Kinetic action against shipping that produces infrastructure damage as a byproduct is a distinct category from deliberate cable-cutting. It will recur wherever shipping lanes and cable corridors overlap — the Red Sea, the Taiwan Strait, the Strait of Hormuz, the English Channel.

  • The strongest single doctrinal investment is forensic-response speed at the coast. The Finnish boarding of Eagle S is the methodological exemplar. Until coastal states standardise rapid-boarding protocols and pre-position evidentiary teams, the deniability architecture will continue to produce dismissals on the strongest cases.

Cross-Series Anchors

This article is the fifth in the Information Infrastructure — The Physical Internet series. It builds on the physical-layer foundations laid in Encoding Light — How Fiber Optics Carry the Internet Across Oceans and The Submarine Cable Map — 600 Systems, 1.5 Million Kilometers, and connects to ongoing tracking at Baltic Sea Cable Incidents 2023-2025 and Red Sea Cable Cuts 2024. The actor and capability backdrop is documented at GUGI, Russia, China, Russian Hybrid Operations in Europe, Economic Chokepoints — Coercive Statecraft, Fiber Optic Transmission, Yemen War, IRGC Quds Force, and NATO.

Sources

Confidence tags below apply to the source’s reliability, not to any attribution claim drawn from it. All state-direction attributions in this article carry the epistemic labels stated inline.

  • Finnish Border Guard and National Bureau of Investigation press releases on Eagle S boarding, 26 December 2024 — Primary, authoritative.
  • Swedish Accident Investigation Authority (SHK) report on C-Lion1 and BCS East-West, 15 April 2025 — Primary, authoritative.
  • Helsinki District Court ruling on Eagle S jurisdictional dismissal, 3 October 2025 — Primary, authoritative.
  • Taiwan National Communications Commission (NCC) statements on Matsu cable cuts, February–May 2023 — Primary, authoritative.
  • PBS NewsHour reporting on Houthi denial of Red Sea cable-cutting, February–March 2024 — Secondary, reliable.
  • Kentik BGP analysis of SEACOM/TGN-EA, AAE-1, EIG failures, 24 February 2024 — Primary technical.
  • Cloudflare Radar latency reporting, Red Sea event, February 2024 — Primary technical.
  • Bloomberg, gCaptain reporting on MV Rubymar anchor drag mechanism, March 2024 — Secondary, reliable.
  • Naval News / H.I. Sutton open-source naval analyst tracking of AGS Yantar, 2015–2025 — Secondary, specialist OSINT.
  • Reuters, Yle, ERR News reporting on Baltic cluster incidents, 2023–2025 — Secondary, reliable.
  • PRC government statements via Xinhua and MFA on Newnew Polar Bear, August 2024 — Primary, state-aligned (not authoritative).
  • Anonymous US/European official commentary on Baltic incidents, January 2025 — Background, attributed-anonymous; not corroborated on the record.

Article 5 of 8 in the series Information Infrastructure — The Physical Internet*. Next: Article 6 — Cable Repair as Strategic Choke Point.*

Graph View

Backlinks