Geopolitically Driven Cyber Activity and Hybrid Operations Escalate Across Europe and Major Events
Multiple reports describe an uptick in state-linked and politically motivated cyber activity in Europe, framed as part of broader hybrid warfare. Dutch intelligence (AIVD/MIVD) warned that Russia is intensifying a mix of cyberattacks, sabotage, disinformation, covert influence, and espionage designed to stay below the threshold of open conflict while testing Western red lines and undermining support for Ukraine. Related policy commentary notes growing calls from European and NATO officials for stronger “strike back” or offensive cyber capacity, but argues that political will and proportional response options—especially against proxy-driven sabotage—remain the limiting factors rather than technical capability.
Separately, threat reporting tied to the 2026 Winter Olympics indicates increased hacktivist mobilization and targeting chatter against Olympic-adjacent entities (e.g., transportation, sponsors, and overlapping supply chains), alongside continued targeting of the defense industrial base by a mix of hacktivists, state actors, and cybercriminals. A case study on Venezuela’s Caracas outage during “Operation Absolute Resolve” cautions against attributing major disruptions to “cyber-only” effects when available evidence also indicates substantial kinetic/physical damage to substations, underscoring that modern operations may integrate cyber and physical actions and that misframing can distort infrastructure security priorities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
19 events from the most recent confirmed update back to the earliest known activity.
Dutch intelligence says China has reached U.S.-level cyber capability
In its annual report, the Dutch MIVD warned that China has likely achieved parity with the United States in offensive cyber capabilities and that only a limited portion of Chinese operations against Dutch interests are detected. The report also said Chinese actors accessed routers at smaller Dutch hosting and internet providers in 2025 and warned of increased 2026 campaigns targeting edge devices and strategic Dutch sectors.
EU sanctions Euromore and Pravfond over Russian influence operations
The European Union imposed sanctions on the pro-Russian organizations Euromore and Pravfond, accusing them of supporting Kremlin-aligned disinformation and hybrid influence operations targeting Europe and Ukraine. The measures freeze any EU-based assets and bar EU citizens and companies from providing the groups with funds or economic resources.
Report says Russia intensifies hybrid influence ahead of Armenia election
A report published on 2026-03-31 said Russia had stepped up hybrid warfare tactics in Armenia ahead of the June 7 parliamentary election, including information operations, influence campaigns, and support for opposition forces with strong Russian ties. The article framed the vote as a pivotal contest over Armenia's geopolitical orientation toward the West or continued Russian influence.
U.K. prepares tighter political donation rules over foreign interference
The British government began preparing reforms to political donation rules after the Rycroft Review and a cross-party parliamentary report warned that foreign interference in U.K. democracy is becoming more sophisticated across financial and information channels. Proposed measures included a temporary ban on cryptocurrency donations and a £100,000 annual cap on contributions from overseas voters.
Latvia accuses Russia of disinformation campaign targeting Baltic states
Latvia's Defense Ministry said Russia was running a coordinated disinformation campaign against Latvia, Lithuania, and Estonia by falsely claiming the Baltic states enabled Ukrainian attacks on Russia from their territory or airspace. Latvian officials said the effort aimed to discredit NATO, undermine trust in state institutions, and weaken support for Ukraine, including through social media bot activity.
Report alleges Russian influence campaign in Hungary's 2026 election
Reporting published on 2026-03-23 alleged that Russia was conducting a covert influence operation to help Viktor Orban ahead of Hungary's April 12 election, including online attacks on opposition leader Peter Magyar and other election manipulation tactics. The report also cited an alleged internal SVR document discussing extreme scenario planning, including a fake assassination attempt, as part of efforts to preserve a key Russian ally inside the EU.
Pro-Kremlin campaign exploits Ukraine energy blackouts
By mid-March 2026, EUvsDisinfo reported that pro-Kremlin foreign information manipulation campaigns were using Russia’s strikes on Ukraine’s energy infrastructure to depict Ukraine as collapsing, socially unstable, and abandoned by Europe. The report said these narratives were contradicted by polling, continued government aid, and grassroots fundraising and energy support across Europe.
Pro-Kremlin disinformation pivots to Iran war to undermine Ukraine
EUvsDisinfo reported that Kremlin-aligned information operations rapidly shifted to the Iran/Middle East conflict, pushing false narratives that portrayed Ukraine as a destabilizing actor and suggested Kyiv might stage provocations to regain attention. The campaign also circulated fabricated claims, including a fake Euronews story about an Iranian missile strike on property allegedly linked to an aide of Ukraine's commander-in-chief.
Attacks on Jewish and Israeli-linked sites raise Iranian hybrid threat concerns
Beginning on 2026-03-09, a series of low-casualty attacks targeted Jewish and Israeli-linked sites in Belgium, the Netherlands, and the United Kingdom. Analysts said the incidents, claimed by the previously unknown HAYI group and amplified through pro-Iranian online networks, may indicate likely Iranian-backed hybrid activity in Europe, though definitive proof was not established.
Dutch intelligence warns Russia is intensifying hybrid attacks
AIVD and MIVD publicly warned that Russia is stepping up cyberattacks and other hybrid operations across Europe while preparing for a long standoff with the West. The agencies said a direct Russia-NATO clash remains unlikely but is no longer unthinkable.
Hacktivist communities escalate Olympic-related cyber coordination
Threat intelligence reporting around the 2026 Winter Olympics identified increased hacktivist chatter, mobilization, and operational coordination tied to protests and geopolitical tensions. Online communities referenced Olympic-related targets such as transportation infrastructure and sponsors.
CyberScoop report challenges cyber-only narrative of Caracas outage
CyberScoop reported that publicly available evidence points to substantial kinetic damage during the January 3 Caracas outage and that no public confirmation from the Pentagon or U.S. Cyber Command supports a cyber-only explanation. Experts said cyber activity may have played a supporting role rather than being the sole cause.
Evidence emerges of kinetic damage at Caracas substations
Public videos, photos, journalist accounts, and Venezuelan government statements described destroyed equipment, bullet impacts, blown doors, oil leaks, and fires at substations including Panamericana, Escuela Militar, and Fuerte Tiuna. Analysts and experts said the visible physical damage alone could plausibly explain the localized outages.
Operation Absolute Resolve triggers Caracas power outage
A major power outage struck Caracas on January 3 during Operation Absolute Resolve. Early reporting widely characterized the disruption as a precision cyberattack affecting Venezuela's power grid.
Poland discloses 2025 cyber intrusions at five water treatment facilities
Poland’s Internal Security Agency (ABW) said attackers breached water treatment facilities in five Polish towns during 2025 and in some cases accessed industrial control systems, creating a direct risk to continuity of water supplies. ABW did not publicly attribute the incidents to a specific actor, though it said hostile activity against Poland had intensified with particular emphasis on Russian services.
Attack on Dutch police steals officers' contact details
A Russian-linked group later dubbed Laundry Bear carried out a September 2024 attack on Dutch police systems, stealing work contact details of police officers. Dutch intelligence later highlighted the intrusion as a notable example of Russian cyber activity targeting the Netherlands.
Russia's risk tolerance in hybrid operations increases
According to Dutch intelligence, Russia became more willing in 2024 to accept physical damage and potential casualties in its operations against Europe. The shift was cited as evidence of a more aggressive hybrid campaign.
Russia-linked hybrid activity in Europe rises sharply
Dutch intelligence assessed that Russian hybrid operations across Europe, including cyberattacks, sabotage, disinformation, covert influence, and espionage, increased significantly starting in late 2023. The agencies said this marked the beginning of a more sustained confrontation below the threshold of open war.
Ukraine reports rise in Russian-directed sabotage-for-propaganda scheme
Ukrainian prosecutors and security officials said sabotage incidents in Ukraine have increased since 2023 and are suspected to be orchestrated by Russian intelligence through the online recruitment of vulnerable individuals via social media and Telegram. Officials and researchers said the acts are then amplified by pro-Russian propaganda networks to falsely depict a broad anti-government underground movement, despite no evidence of a nationwide resistance.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
19 references tracked. Mallory keeps watching after this page renders.
Polish intelligence warns hackers attacked water treatment control systems | The Record from Recorded Future News
therecord.media
Open sourceIn Ukraine, Contract Saboteurs Fuel Propaganda About a Pro-Moscow Resistance | OCCRP
occrp.org
Open sourceChina’s cyber capabilities now equal to the US, warns Dutch intelligence | The Record from Recorded Future News
therecord.media
Open sourceEU targets two Russian propaganda networks with new sanctions | The Record from Recorded Future News
therecord.media
Open sourceHacktivism and the Winter Olympics 2026: What Rapid7 is Seeing and What it Signals
rapid7.com
Open sourceRussia stepping up hybrid attacks, preparing for long standoff with West, Dutch intelligence warns | The Record from Recorded Future News
therecord.media
Open sourceEurope’s Cyber Bullets Can’t Replace Political Will | Lawfare
lawfaremedia.org
Open sourceThe Caracas operation suggests cyber was part of the plan - just not the whole operation | CyberScoop
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Escalating Russian Hybrid Warfare and Policy Responses in Europe
New analysis warns Russia is likely to escalate its opportunistic hybrid activity in Europe into a more coordinated campaign consistent with **New Generation Warfare (NGW)** doctrine, integrating cyber operations, influence activity, and sabotage across a broader geographic footprint and at higher tempo. The assessment anticipates more synchronized, multi-domain actions designed to degrade NATO cohesion and readiness—such as pairing physical disruption (for example, airspace violations affecting critical infrastructure like airports) with cyberattacks (for example, **DDoS** against communications) to amplify operational and psychological impact. Ukrainian officials are simultaneously pushing for tighter regulation of **Telegram**, citing its repeated use by Russian intelligence to recruit locals for sabotage and terrorist attacks; the calls followed a deadly incident in Lviv that Ukrainian leadership attributed to Russia and said involved recruitment via Telegram. Separately, polling across major NATO countries indicates strong public support for treating severe hybrid actions—such as cyberattacks that shut down hospitals or power grids and sabotage of undersea cables or energy pipelines—as **acts of war**, highlighting a growing gap between public sentiment and NATO governments’ typically restrained responses to hybrid aggression.
Mar 21, 2026
Nation-State and Hacktivist Cyber Threats Targeting Europe
European organizations are facing a surge in cyberattacks driven by nation-state actors, financially motivated cybercriminals, and hacktivist groups. According to assessments from cybersecurity experts, many of these attacks are linked to ongoing geopolitical tensions, particularly Russia's invasion of Ukraine, and increasingly involve coordinated operations with North Korea. The tactics used include distributed denial-of-service (DDoS) disruptions, website defacements, and data leak campaigns, often with the primary goal of propaganda or strategic intelligence collection. Other persistent threat actors include groups from Iran, China, Turkey, Kazakhstan, and India, who target European entities for motives ranging from intellectual property theft to financial gain. The spillover from conflicts in the Middle East has also led to increased cyber activity against European organizations, especially those tied to Israel or Western military operations. Key sectors under threat include financial services, transportation, and non-governmental organizations. Experts warn that adversaries are seeking new ways to compromise identity and cloud infrastructure, reflecting a broader trend of evolving cyber operations shaped by global political developments.
Mar 21, 2026
Geopolitical Cyber Operations Targeting Critical Infrastructure and Economic Systems
Reporting and commentary highlighted how **state-linked cyber activity** is being used for sustained pressure against critical infrastructure and economic targets rather than isolated, one-off attacks. Taiwan’s government and related reporting described **China-linked probing and “prepositioning”** against Taiwanese critical infrastructure as ongoing and scaling, consistent with reconnaissance and access maintenance objectives that could enable future disruption. Separately, an op-ed argued that U.S. signaling around the ability to “darken” parts of Caracas and reported disruptions affecting Venezuela’s state oil sector illustrate how cyber-enabled interference can function as a tool of state power **below the threshold of open conflict**. A longer-form retrospective on the Russia–Ukraine conflict framed the period as a “full-scale cyber war,” citing the **Kyivstar destructive attack** attributed to **Sandworm** as a landmark incident: attackers reportedly maintained access for months before wiping large portions of the operator’s environment, disrupting telecom and related services. The same piece described Ukraine’s broader incident volume growth and the use of multiple **wiper malware** families, alongside claims of Ukrainian retaliatory operations (e.g., DDoS activity against Russian banking), reinforcing the theme that critical infrastructure and national economic systems are central targets in modern geopolitical cyber campaigns. While one weekly “signals” post also mentioned patch/KEV dynamics and SaaS exposure as near-term risk amplifiers, its primary geopolitical takeaway aligned with the broader pattern of sustained state-linked activity against critical infrastructure.
Mar 21, 2026