Russia's grey zone tactics aim to undermine, not cross the line - at least for now
What do a Norwegian dam, a Baltic Sea telecoms cable and a warehouse in East London have in common?
All three have been attacked, directly or indirectly, in incidents Western officials and analysts link to Russia. Taken individually, each can look like an isolated crime, an "accident" or a niche security story.
But stitched together, they point to something bigger: a widening campaign of sabotage and disruption across Europe, operating in the shadows below the threshold of open war.
And that's deliberate.
Russia exploiting vulnerabilities
In Ukraine, Russia's campaign against critical infrastructure has played out in full view: power stations, railway lines and energy systems have been repeatedly targeted as winter sets in and temperatures drop.
But analysts say similar tactics are now showing up across Europe - adapted for a different battlefield.
As Charlie Edwards, senior fellow for strategy & national security at the IISS, puts it: "Your energy system, your submarine cables, your water treatment plants, your logistics supply chains, your rail networks… are exposed."
Much of that vulnerability comes down to age, upkeep and ownership.
Many of Europe's most vital systems are run by a patchwork of public bodies and private companies, often with uneven security standards, and Mr Edwards says the risk isn't just technical, it's structural.
"Large parts of European critical infrastructure are owned, managed or maintained by private companies… looking at the bottom line," he explained.
That can leave gaps: outdated operational technology, weak cyber hygiene and slow upgrades - exactly the kind of cracks hostile states look for.
Sabotage back on the agenda
Gibridnaya voyna is the Russian term for hybrid warfare.
It's a Soviet-era doctrine associated with applying pressure across multiple domains at once - and experts believe it's in play across Europe right now.
Dr Daniela Richterová, senior lecturer in Intelligence Studies at King's College London, describes sabotage as something many Europeans haven't had to think about for decades.
"Attacks against mostly critical infrastructure… this can be done in various ways - by blowing things up, by contaminating resources, by setting fires… maybe cutting bits of critical infrastructure," she explained.
Case study 1: The hacked Norwegian dam
One incident that alarmed European security services took place in Norway, where a dam was hacked and floodgates were opened after attackers exploited weak protections.
Video later circulated online appeared to show a water release valve being pushed to maximum capacity.
Dr Richterová says the implications are obvious and chilling, telling BFBS Forces News: "If this dam would have been located differently… then there could have been flooding of significant civilian areas."
Norway's security service took the unusual step of attributing the attack to Russia, and investigators believe older, less sophisticated systems made the breach easier.
It's a pattern analysts say repeats across Europe: critical infrastructure that is vital, but not always modern.
Case study 2: East London - sabotage by proxy
Another shift in tactics is the alleged reliance on local proxy agents - people recruited to carry out simple tasks such as surveillance, arson or vandalism.
In the UK, Dylan Earl and his network were arrested and jailed after a Ukrainian-owned warehouse in East London was set on fire.
Former British Army staff sergeant Dave Butler, who served with the military intelligence unit BRIXMIS in Cold War-era East Germany, says the logic is familiar.
"You don't need a highly skilled intelligence operator to come into the country… if they've all got just one task to take care of," he said.
But the low skill level can also create danger.
Dr Richterová says in the London case the alleged instruction was to watch the site not burn it.
"They were asked to conduct surveillance… and within a couple of days… they actually burned down the facility," she said.
Case study 3: The Baltic Sea cable attacks and a shadow fleet vessel
Not all sabotage happens on land.
Undersea cables carry vast amounts of Europe's data and telecoms traffic, and in recent years they've been repeatedly damaged in suspicious circumstances in the Baltic.
In response, Nato established Baltic Sentry, a mission intended to deter further attacks, and for a period, incidents appeared to slow.
But on New Year's Eve 2025, Finnish forces carried out a raid on the Fitburg, a vessel described as part of Russia's shadow fleet, suspected of dragging an anchor for tens of kilometres over a key telecoms cable connecting Finland and Estonia.
Mr Edwards' assessment is blunt. "It looks deliberate… I don't think there is another way of describing it other than a deliberate act of sabotage," he said.
"And it raises a difficult question: is Baltic Sentry still working… as well as Nato wanted?"
The outlier: DHL and the fear of mass casualties
One case in particular stands out because of the potential risk to life.
In 2024, a series of explosions linked to parcels moving through delivery company DHL were traced to a group of men.
These individuals were later charged with taking part in a Russian-coordinated plot to send explosive parcels to Britain, the US and Canada, and experts believe they came dangerously close to causing mass casualties.
In 2024 these devices exploded on pallets rather than inside planes - but was that by accident or design? Mr Edwards isn't sure.
"Was this because.. Russian military intelligence genuinely wanted to see aeroplanes sabotaged and blown up over the skies of Europe or the North Atlantic?" he asked.
"Or was their target a warehouse that they thought might be holding relevant, capability for the Ukraine war, and at least publicly I don't think it is clear.
"It has been suggested that they were test runs for something more serious, but as far as I'm concerned, that would have been an act of war."
US concerns were reportedly so high after this that then-US President Joe Biden is said to have called the Kremlin to warn this activity crossed a red line.
Nothing similar has been publicly linked in the same way since.
From unsettling to overwhelming
If single sabotage incidents are meant to probe and unsettle, experts warn the nightmare scenario is coordination: multiple hits, in multiple places, designed to overwhelm.
Lord Toby Harris, chair of the National Preparedness Commission, argues a "polycrisis" may be inevitable.
"If you were doing it with hostile intent… of course, you do things simultaneously. So you disrupt the internet at the same time as you disrupt power supplies," he explained.
Dr Richterová says one objective is to show capability, and to demonstrate reach by "using these attacks… to really show that it can do this at scale… sometimes simultaneously or within a short span of time".
Why keep it "sub-threshold"?
So far, analysts argue there remains a line Russia is careful not to cross: mass casualties.
Dr Richterová says the logic is to stay below the threshold that could trigger Article 5, Nato's collective defence clause.
"The objective is not to kill people at this point," she said. "Casualties lead Nato member states to trigger Article 5."
That leaves Europe stuck in an uncomfortable space: attacks that undermine confidence, cause economic harm and expose vulnerabilities - but are hard to attribute and politically difficult to escalate.
Overt in Ukraine, deniable in Europe
From hacking dams in Norway to damaging telecoms cables in the Baltic, analysts say the Kremlin is testing the same playbook it uses in Ukraine adapted for a European setting.
In Ukraine, the destruction is overt. In Europe, it's deniable: proxies, hackers and shadow fleet vessels.
But the objective is consistent: to weaken, to undermine and to demonstrate that nowhere is beyond Moscow's reach.
The question for Nato and European governments is whether they can secure critical infrastructure and deter escalation...
... before a future attack becomes deadly.
Join Our Newsletter
