How Russia’s Hybrid Threats Redefine Risk for Europe’s Businesses

Published: 23 October 2025
When Cyber and Physical Security Become One
Last April, hackers gained remote access to a Norwegian dam. They were able to manipulate the water-flow valves for several hours before engineers managed to restore control. In August, Norwegian authorities officially confirmed that the attack was carried out by pro-Russian hackers. Months later, clusters of drones appeared over critical infrastructure in at least eight European countries, prompting these NATO states to scramble aircraft and review alert protocols.
These incidents did not cause harm or damage, but they signalled capability and intent: infrastructure can be reached, systems monitored, thresholds tested. These aren’t isolated provocations—they’re part of a long-running pattern of Russian hybrid threats that has already inflicted real damage in Europe and now appears to be escalating as the war in Ukraine stalls.
Keep reading for an overview of incidents that are likely (though not always conclusively proven) to be linked to Russia’s hybrid activities. With this information, we aim to help European businesses recognise the broader patterns and their cyber security impact. Further, we offer practical steps to help counter these threats.
How are Russian Hybrid Threats Affecting Europe?
Russia’s hybrid threat activity is escalating across Europe, with suspicious drone incursions, military provocations in the Baltic and Nordic regions, and satellite interference targeting NATO countries. These actions—some coordinated with disinformation campaigns—reflect a sharp rise in hybrid operations since 2024, blending cyber and physical tactics.
In line with these hybrid tactics, Northwave’s threat research also indicates that newly formed pro-Russian hacktivist groups are increasingly claiming cyber intrusions against European critical infrastructure. These developments also reflect a more general trend: threat actors blending cyber and physical operations to reach their objectives.
For Europe’s businesses and organisations, Russia’s horizontal escalation into Europe is not an abstract geopolitical manoeuvre. It is a shift in the threat landscape that directly impacts business continuity, risk governance, and reputational resilience.
What are hybrid threats?
Hybrid threats blend conventional and unconventional tactics (cyber and physical) to pursue strategic aims. They integrate political, economic, technical, psychological, and military methods, blurring the line between war and peace. Designed to be hard to attribute, they exploit societal vulnerabilities to sow doubt, destabilise communities, erode trust, influence decision-making and hinder effective response.
Why is Russia scaling up hybrid activities?
As the war in Ukraine stalls, Russia is expanding its hybrid tactics across European sectors to project strength, create uncertainty, and test NATO’s unity—while avoiding direct conflict. With these actions, Moscow aims to signal that continued European support for Ukraine comes at a cost, with any organisation potentially within reach.
Driven by a desire to restore great power status, a permanent conflict mindset, and strategic necessity, Russia relies on low-cost, deniable tactics such as cyberattacks, sabotage, and disinformation.
Russia thus employs hybrid tactics as a central tool of foreign policy, treating cyberspace and disinformation as part of a continuous “information confrontation” among major powers. In this view, peace and war merge into constant competition for influence, where any method that shapes perception or weakens adversaries is fair game. Sabotage, in this context, is less about physical damage and more about psychological impact.

How is Russia targeting European organisations?
Russia’s hybrid tactics against Europe are constantly evolving, impacting organisations across sectors such as logistics, retail, water, energy, and manufacturing. Cyber disruptions by Russian non-state actors are not new—European businesses have been targeted for years by predominantly Russian ransomware groups, operating untouched by Russian authorities, and by pro-Russian DDoS attacks. The outbreak of war in Ukraine has only intensified these threats, acting as a force multiplier.
But on top of that, physical and cyber sabotage by state and non-state actors linked to Russia have gained even more momentum since 2024.
Physical sabotage: from arson to assassination plot
In the past two years, especially in 2024, Europe has faced a surge of suspected Russian physical sabotage attempts targeting its critical infrastructure. This marked a shift in Moscow’s strategy, favouring physical disruption to intimidate and destabilise.
Energy assets in the North Sea and Baltic Sea are subject to surveillance by drones and Russian vessels, with nearly 20% of hybrid attacks now targeting this sector.
Logistics were hit mid-2024 when explosive parcels sent from Lithuania detonated in Germany, Poland, and the UK. Lithuanian prosecutors have since charged fifteen suspects, presumably linked to Russian intelligence. GPS jamming from the Russian enclave Kaliningrad continues to disrupt Baltic aviation and shipping.
Manufacturing has seen direct physical attacks presumably linked to Russian intelligence in 2024, including a massive fire at the Diehl Metal factory (a Ukraine-linked defence supplier) in Berlin and a foiled assassination plot against the CEO of Rheinmetall, Germany’s top arms supplier.
Retail was targeted in 2024 with arson at an IKEA in Vilnius and a Warsaw shopping mall, both attributed by prosecutors to individuals likely recruited by Russian intelligence. The targeting of retail signals a move toward soft, high-visibility targets.
Undersea infrastructure remains vulnerable, with anchor-dragging operations by Russia-linked commercial vessels threatening pipelines and fibre-optic cables. Repairs can cost up to €150 million.
Water facilities in Finland were probed through mysterious physical break-ins at 11 facilities in 2024, raising alarms about reconnaissance and pre-positioning.
Together, these incidents reveal a hybrid strategy aimed at eroding confidence, imposing economic costs, and demonstrating reach, all while staying below the threshold of open conflict.

Cyber sabotage: operational technology in the crosshairs
While 2024 saw a wave of physical sabotage across Europe, 2025 marks an additional shift towards cyber disruption, particularly targeting operational technology (OT) in critical infrastructure. Newly formed pro-Russian hacktivist groups, including Cyber Army of Russia Reborn, Z-Alliance, SECT0R16, TwoNet and the Infrastructure Destruction Squad, increasingly claim network intrusions that blur the line between cyber and physical impact. The claims listed below are based on Northwave’s threat research, unless stated otherwise.
Pro-Russian hacktivist campaigns are growing more advanced and strategically aligned with Russia’s geopolitical goals. What began as low-impact DDoS attacks in 2022 has evolved into hybrid operations involving denial-of-service, data breaches, OT reconnaissance, and (alleged) system manipulation.
Recent Cyber Sabotage Cases in Europe
Energy: In 2023 and 2024, Russian military intelligence-linked actors probed Danish firms with network intrusions and executed ongoing spear-phishing campaigns against energy organisations across the continent.
Pro-Russian DDoS attacks intensified, targeting utilities and grid operators (including nuclear) across Europe. In 2025, Z-Pentest and SECT0R16 claimed network intrusions into biogas and hydroelectric systems in Germany and France, supported by video evidence.
Logistics: In 2024 and 2025, airports, ports, and freight platforms faced coordinated DDoS disruptions. Z-Alliance claimed a network breach in August 2025 against a freight platform in Romania, hinting at deeper interference.
Manufacturing: In 2025, groups like SECT0R16, Z-Pentest, and IDS claimed access to industrial networks in Germany, Italy, Poland, and other countries. Targets include defence suppliers, heavy industry, food processing, and precision manufacturing. Some attackers have shared screenshots showing manipulation of SCADA and HMI systems.
Retail is mostly hit by DDoS, but Z-Pentest claimed access to a Czech hypermarket’s internal systems in retaliation for Czechia’s Ukraine support.
Water Utilities: In 2025, Europe experienced a rise in claimed cyber intrusions targeting water utilities, with incidents in Spain, Italy, Poland, and France suggesting systematic probing of critical infrastructure, including the confirmed manipulation of the Norwegian dam by Z-Alliance. In September, TwoNet accessed a simulated water treatment plant, attempting to disrupt operations.

What does Russia’s hybrid warfare mean for your organisation: A call to action
Russian hybrid operations are a sustained strategy to apply pressure, shifting fluidly across sectors and methods. Though many incidents remain vague and difficult to verify, their pattern and intent are clear: to project force while creating confusion and uncertainty.
These tactics increasingly target corporate infrastructure—energy, logistics, retail, communications, and manufacturing—making businesses a key part of Europe’s defence posture. For Russia, they are low-cost tests of resilience; for organisations, they threaten trust, continuity, and credibility as much as physical systems.
Crucial steps in defending against hybrid threats include:
- Integrating cyber and physical security
- Prioritising basic cyber hygiene as a starting point towards more advanced defences
- Preparing for crisis situations, including both physical and digital disruptions
- Maintaining geopolitical awareness (what is your organisation’s societal and economic importance?)
- Preparing for disinformation campaigns (including false claims of network intrusions)
- Securing operational technology (OT)
Download our free 2025 Global Threat Landscape report for an in-depth explanation of how to improve your resilience against hybrid, OT, and other cyber threats.
