Russia Conflict Part 2: National and Localized Threats
By TorchStone Senior Analyst, Ben West
While most Western companies have either reduced their presence in Russia if not abandoned the market entirely, Russia still poses a threat to business continuity around the world. This series of reports will outline ways that Russia threatens stability and business continuity based on scope. This second section of the series will address more localized threats against specific countries, including acts of sabotage or efforts to undermine national governments.
There are ample tactics and tools Russia can use against the West that avoid direct military conflict outlined in the previous part. We have already seen indications that Russian groups are promoting and engaging in terrorist activities and the September 2022 destruction of the NordStream pipelines has raised global concerns over sabotage campaigns. Additionally, Russia appears to continue to use its intelligence service to carry out disinformation and disruption campaigns to destabilize Ukraine’s neighbors and supporters. Russia continues to use cyber-attacks against its adversaries, although not with the level of effectiveness feared in the lead-up to the invasion of Ukraine. Finally, Part 2 addresses how countries bordering Russia and Belarus are preparing for future waves of “weaponized migration” like what occurred along the Polish-Belarusian border in 2021.
The Soviet Union relied on terrorist groups as proxies to undermine its enemies during the Cold War and Russia continues that tactic in the 21st century.
In Nov 2022, the European Parliament adopted a resolution recognizing Russia as a State Sponsor of Terrorism and as of March 2023, U.S. lawmakers were debating legislation that calls for Russia to be added to the list of State Sponsors of Terrorism, alongside Cuba, North Korea, Iran, and Syria.
Poland and Slovakia have already designated Russia as a State Sponsor of Terrorism.
While most of these designations are based on Russian actions in Ukraine, there is evidence that Moscow has the intent and capability to use terrorist groups against Ukraine’s foreign supporters.
Between Nov 24 and Dec 1, Spanish authorities discovered six packages containing explosive material addressed to various targets in Spain – including a private company in the defense industry.
Only one of them, a parcel addressed to the Ukrainian ambassador to Spain, detonated, slightly injuring a security officer at the Ukrainian embassy.
The other five devices targeted Spanish government offices, the US embassy, and a Spanish weapons manufacturer that made ordnance that NATO supplied to Ukraine. Ukrainian officials noted that at around the same time, their diplomatic missions around the world, from Kazakhstan to the United States had received other forms of threatening mail, including ominous blood-soaked packages and animal parts.
In late January, Spanish authorities raided a residence in northern Spain where they found tools consistent with the parcel bombs.
They arrested a 74-year-old retiree whom they accused of having links to Russia.
American and European officials believe that Russian military intelligence officers used white supremacist militant group networks in Russia and Western Europe to support the letter bomb campaign.
Investigators have focused on the Russian Imperial Movement (RIM), a radical group based in St. Petersburg with members across Europe.
The U.S. Department of State designated the RIM as a terrorist group in 2020 and suspects that they are connected to Russian intelligence agencies. Spanish police recently tracked RIM leaders in Spain, where they met with far-right Spanish organizations.
The New York Times cited unnamed U.S. officials who claimed that Russia intended the attacks against Spain’s prime minister, defense minister, and foreign diplomats to threaten European governments as they continue to support Ukraine’s efforts against Moscow.
U.S. and European officials believe that Russian intelligence agencies will conduct more such attacks in the future to discourage support for Ukraine.
Like the Russian Imperial Movement, a neo-Nazi paramilitary group known as Task Force Rusich issued an appeal on its Telegram channel for information from members on border and military activities in Latvia, Lithuania, and Estonia in December 2022.
Task Force Rusich is currently fighting in Ukraine alongside the semi-autonomous Wagner Group and has previously attracted attention for promoting the torture of captured Ukrainian soldiers on its Telegram channel.
The U.S. Treasury Department announced sanctions against Task Force Rusich in September 2022 calling it “a neo-Nazi paramilitary group that has participated in combat alongside Russia’s military in Ukraine.”
At the beginning of the Russian invasion and throughout the summer of 2022, one of the biggest concerns outside of Ukraine was European energy security.
Europe has managed its first winter virtually cut off from Russian energy exports better than expected.
However, following the suspicious September 2022 explosions that destroyed the NordStream I & II pipelines, European countries are concerned about additional acts of sabotage against their energy and communication infrastructure.
Following the September NordStream explosions, Norway and the United Kingdom announced renewed efforts to patrol their territorial waters to protect their underwater energy communications infrastructure.
In February, Dutch intelligence assessed that Russia was “undertaking acts of disruption, sabotage, and espionage against key Dutch maritime facilities such as natural gas pipelines, wind farms, and internet cables.”
The report went on to claim that “Russia is secretly mapping this infrastructure and undertaking activities that indicate espionage and preparatory acts of disruption and sabotage.”
In January, reports out of Poland seemed to illustrate how Russia may be surveilling and preparing attacks against vital infrastructure.
Poland’s Coast Guard announced the rescue of three suspicious divers near the port of Gdansk under highly unusual conditions—at night, in frigid temperatures, using tools inconsistent with their stated purpose of searching for amber (a common pursuit in the Baltic Sea under better conditions).
The divers were also in an unauthorized area near energy infrastructure and where authorities want to develop a new floating natural gas terminal to help offset Russian gas imports. Poland has been on the front lines of Europe’s opposition to Russia and was one of the first countries to end energy imports from Russia in opposition to Moscow’s invasion of Ukraine.
There are even warnings that Russia may be experimenting with acts of sabotage against satellite networks.
U.S. officials are concerned about a satellite Russia launched in August 2022 that appears to be tracking a U.S. spy satellite launched earlier in the year.
Experts say that the Russian satellite even appears to have the ability to launch a kinetic attack on either the U.S. spy satellite or others.
Russian officials have also warned that space-based commercial services like SpaceX’s Starlink internet service are legitimate targets due to Ukraine’s reliance on them to carry out military operations.
Russian Meddling and Disruption Campaigns
While Russia has been careful to avoid outright conflict with NATO member countries, it has demonstrated less caution with non-NATO members.
Moldova has so far borne the brunt of the impact, suffering from fuel shortages, stray missiles, and even an alleged coup attempt. If Russia chooses to expand the current conflict, whether it be to pacify domestic pressure or to distract Western supporters from Ukraine, Moldova appears to be Moscow’s most likely choice.
In February, Russian Foreign Minister Sergei Lavrov ominously accused the West of trying to use Moldova as “the next Ukraine.”
Even before Russia invaded Ukraine in February 2022, Moldova was in a tenuous position.
Russia has maintained forces in the Moldovan breakaway region of Transnistria since the early 1990s and could be used as a flanking force to Ukraine’s west.
While there have so far not been any signs of Russia’s military opening another front in Moldova, there is ample evidence of Moscow exerting political pressure on Chisinau.
Orange denotes the contested region of Transnistria
On December 5, Moldovan authorities discovered a downed missile in a village two miles south of the Ukrainian border that was most likely a stray projectile from a larger barrage of Russian strikes against Ukraine reported the same day.
While there were no reported injuries, the explosion appears to have caused disruptions to the electoral grid.
This was at least the second missile to stray into Moldovan territory after a first missile was reported on Oct 31.
Russia continues to threaten Moldovan airspace by launching missiles over its territory, including the most recent one on Feb. 10.
In addition to the threat of accidental (or even intentional) ordnance strikes on Moldova, Moscow also appears to be fomenting political unrest there to destabilize the country.
Moldova’s Russia-friendly Shor Party has supported recent anti-government protests critical of the rising cost of living due in large part to disruptions caused by Russia’s invasion of neighboring Ukraine.
The Shor party is led by exiled Moldovan oligarch, Ilan Shor, who is named on a U.S. State Department sanctions list as working for Russian interests.
On Feb 13, Moldova’s President Maia Sandu accused Russia of planning a coup in her country, involving opposition protests and engaging participants with military training, as well as attacks on government buildings to force a change of leadership.
The current government has indicated that it will continue to pursue the same democratic reforms and accession to European institutions that Moscow is deeply opposed to.
President Putin appears to be escalating the situation by removing legal barriers to aggression in Moldova.
On Feb 21, President Putin revoked a 2012 decree that committed Russia to resolving the separatist issue in Moldova while respecting the country’s sovereignty and territorial integrity.
While such legal stipulations had little value in Moscow, to begin with, publicly revoking them sends a clear message to the rest of the world that Russia views Moldova as a legitimate target.
In addition to Moldova, Serbia and the broader Balkan region is another option for Moscow to exploit to pressure Ukraine’s Western supporters.
While Russia does not have forces stationed there like in Moldova, Moscow uses cultural ties and stokes ethnic grievances that tend to make the region highly prone to conflict.
Serbian authorities recently charged three men who threatened violence against the government.
Among those charged is Serbian far-right leader Damjan Knezevic, who has backed Russia’s Wagner mercenary group and was pictured visiting their headquarters in St Petersburg.
Another man was arrested apparently taking a sniper rifle to protest.
Meddling in NATO Member and NATO Applicant Countries
Supporting protest movements is an effective way for Russia to meddle in NATO member countries, too, since such activity does not risk triggering a broader conflict.
Swedish media have suggested that Russia may have been behind a controversial January 2023 protest that is delaying approval of Sweden’s NATO membership.
Russia-linked journalist Chang Frick paid for and obtained the permit for a Quran-burning protest in Stockholm that Turkey later cited as its reason for blocking approval for Sweden’s bid to join NATO.
Frick had previously worked for Moscow-backed TV news outlet RT (formerly Russia Today) and told the New York Times in 2019 that his “real boss is Putin.”
The revelation raises concerns that Moscow may have supported the Quran-burning protest during the sensitive NATO accession talks to slow down Sweden and Finland’s entrance into the alliance and exacerbate existing fissures within NATO.
Russian meddling in NATO countries is unlikely to stop anytime soon and more grievances are mounting to support such campaigns.
As Paris prepares to host the 2024 Summer Olympics, 35 countries have called for the International Olympic Committee (IOC) to ban athletes from Russia and Belarus due to their countries’ invasion of Ukraine.
Several European countries have even threatened to boycott the games if the IOC allows Russian and Belarusian nationals to compete—even as neutral athletes.
Bans or restrictions on Russian athletes are likely to provoke a Russian response.
Russia already has a long history of disrupting or attempting to disrupt the Olympic Games dating back to their suspension from competition in 2016 due to a doping scandal.
First, there were a series of cyber-attacks against and attempts to physically infiltrate organizations and labs in Europe involved in the investigation of the doping scandal.
Then came the revenge attacks, starting with the leak of American athletes’ private medical records, disruptions to the online ticketing platform during the 2018 Olympics in South Korea, and a significant, state-backed effort to conduct cyber-reconnaissance on the 2020 games in Tokyo.
Attacks on the 2024 Olympics are almost certain and any country supporting a boycott can expect to also be targeted in Russian cyber campaigns.
One of the surprises of the past year is the relative lack of major, Russian-backed cyberattacks in coordination with its conventional military actions in Ukraine.
To be clear, Russia has continued to exploit network vulnerabilities in Ukraine and around the world, but there has been no noticeable shift in tempo or scope of the attacks.
However, Russia remains a formidable threat when it comes to cyber-attacks and will target private companies for both disruptive impact and profit.
Russia’s modus operandi for cyber-attacks typically involves working with online criminal groups that profit from online scams and ransomware attacks in exchange for amnesty.
This arrangement provides Moscow plausible deniability and reduces costs of retaining the costly talent needed for sophisticated cyber campaigns.
U.S. sanctions announced in February 2023 highlighted how Moscow can benefit from criminal cyber threats.
Authorities in the United States and the United Kingdom announced sanctions against seven individuals allegedly behind the Russia-based cybercrime gang Trickbot for carrying out attacks using Conti and Ryuk ransomware.
The U.K. National Cyber Security Centre assessed that it is “highly likely” that key members of the criminal group maintained links to Russian intelligence services.
It went on to assess that, “the targeting of certain organizations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives.”
The U.K.’s Office for Budget Responsibility shows that the IT Services, Energy, and Media sectors were the most common targets of Russian cyber-attacks from March – July 2022.
Previously, in August 2022, officials in Montenegro accused Russian security forces and pro-Kremlin hackers of an attack on national government offices.
Officials indicated that Cuba ransomware, a Russian-speaking ransomware group that claimed responsibility for the attack, has amnesty from Moscow if it avoids targeting Russian interests.
In February 2023, Italy’s National Cybersecurity Agency warned that a ransomware attack by the Russian-backed group LockBit was impacting thousands of servers around the world belonging to Western governments and online trading platforms.
One such attack on the London-based ION Trading U.K. caused cascading disruptions to stock trading organizations around the world.
While arrangements with cybercriminal gangs appear to be the most common form of online attacks, Russia’s intelligence agencies remain very active in the cyberthreat theater.
A 2022 analysis by Microsoft determined that Russia’s military intelligence office (GRU) was the most likely culprit behind ransomware attacks targeting Poland and Ukraine in October 2022.
That campaign used a novel strain of ransomware to target Polish and Ukrainian transportation and logistics organizations, likely intended to disrupt the flow of weapons and material from Western donors for Ukraine’s war effort.
European Union members first accused Belarus of engaging in weaponized migration in 2021, when President Lukashenko responded to EU-backed sanctions against him by allowing thousands of migrants from North Africa and the Middle East into Belarus before bussing them to the border with Poland.
Poland refused to accept the migrants, creating a border crisis amidst ongoing anti-government protests in Belarus.
Countries are concerned that Belarus and Russia could repeat this tactic in response to European opposition to the war in Ukraine.
So far, Poland, Finland, and other border countries have responded by fortifying barriers along their borders.
In March 2023, Finland began construction of a fence along its 832-mile-long border with Russia out of concern that Moscow may try to punish Helsinki for joining NATO by targeting Finland with weaponized migration.
Poland has announced plans to increase electronic sensors and monitoring devices along its 125-mile-long border with Kaliningrad, a Russian exclave on the Baltic Sea.
While physical and electronic barriers may mitigate the impacts of future attempts to use weaponized migration, disruptions along these highly tense borders have the potential to create crises in the future.
The third part of this series will address threats against organizations and individuals.