Escalating Russian Hybrid Warfare and Policy Responses in Europe
New analysis warns Russia is likely to escalate its opportunistic hybrid activity in Europe into a more coordinated campaign consistent with New Generation Warfare (NGW) doctrine, integrating cyber operations, influence activity, and sabotage across a broader geographic footprint and at higher tempo. The assessment anticipates more synchronized, multi-domain actions designed to degrade NATO cohesion and readiness—such as pairing physical disruption (for example, airspace violations affecting critical infrastructure like airports) with cyberattacks (for example, DDoS against communications) to amplify operational and psychological impact.
Ukrainian officials are simultaneously pushing for tighter regulation of Telegram, citing its repeated use by Russian intelligence to recruit locals for sabotage and terrorist attacks; the calls followed a deadly incident in Lviv that Ukrainian leadership attributed to Russia and said involved recruitment via Telegram. Separately, polling across major NATO countries indicates strong public support for treating severe hybrid actions—such as cyberattacks that shut down hospitals or power grids and sabotage of undersea cables or energy pipelines—as acts of war, highlighting a growing gap between public sentiment and NATO governments’ typically restrained responses to hybrid aggression.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Recorded Future assesses likely escalation of Russian hybrid warfare in Europe
A Recorded Future report published on February 24, 2026 assessed that Russia is likely to escalate over the next two years into a more deliberate Europe-wide hybrid campaign combining cyberattacks, sabotage, influence operations, and infrastructure harassment. The report also outlined mitigations for governments and private-sector critical infrastructure operators.
Ukraine officials call for tighter Telegram regulation
Following the Lviv attack, senior Ukrainian officials and lawmakers pushed for tighter regulation of Telegram and other anonymous platforms. Proposed responses included limiting app functions, banning the service, or requiring compliance with European regulatory standards.
Polling shows majorities in five NATO countries view hospital cyberattacks as acts of war
A POLITICO poll in the United States, Canada, France, Germany, and the United Kingdom found majorities in all five countries believe cyberattacks that shut down hospitals or power grids should be treated as acts of war. The poll also found majority support for classifying sabotage of undersea cables or energy pipelines as acts of war.
Attack in Lviv kills police officer and injures 25
An overnight attack in Lviv on February 22 killed a police officer and injured 25 others. President Volodymyr Zelenskyy said Russia organized the attack and that the perpetrators had been recruited via Telegram.
Ukrainian military intelligence warns Telegram poses security risks
In February 2024, Ukraine’s military intelligence warned that Telegram created security threats. The warning was later cited as an early official concern about the platform’s role in Russian influence and recruitment activity.
Russian hybrid attacks in NATO states increase after Ukraine invasion
Since the 2022 invasion, Russia has conducted increasingly aggressive but largely opportunistic hybrid warfare in NATO countries, including cyber, sabotage, influence activity, and pressure on critical infrastructure. Analysts say these incidents have become more frequent in recent years, including attacks or sabotage involving undersea cables and energy infrastructure.
Russia launches full-scale invasion of Ukraine
Russia began its full-scale invasion of Ukraine in February 2022. Subsequent reporting and analysis describe this as the starting point for increasingly aggressive Russian hybrid activity affecting NATO territory.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Preparing for Russia’s New Generation Warfare in Europe
recordedfuture.com
Open sourceUkraine pushes tighter Telegram regulation, citing Russian recruitment of locals | The Record from Recorded Future News
therecord.media
Open sourceTop NATO allies believe cyberattacks on hospitals are an act of war. They’re still struggling to fight back. - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Geopolitically Driven Cyber Activity and Hybrid Operations Escalate Across Europe and Major Events
Multiple reports describe an uptick in **state-linked and politically motivated cyber activity** in Europe, framed as part of broader **hybrid warfare**. Dutch intelligence (AIVD/MIVD) warned that Russia is intensifying a mix of cyberattacks, sabotage, disinformation, covert influence, and espionage designed to stay below the threshold of open conflict while testing Western red lines and undermining support for Ukraine. Related policy commentary notes growing calls from European and NATO officials for stronger “strike back” or offensive cyber capacity, but argues that political will and proportional response options—especially against proxy-driven sabotage—remain the limiting factors rather than technical capability. Separately, threat reporting tied to the **2026 Winter Olympics** indicates increased **hacktivist mobilization and targeting chatter** against Olympic-adjacent entities (e.g., transportation, sponsors, and overlapping supply chains), alongside continued targeting of the defense industrial base by a mix of hacktivists, state actors, and cybercriminals. A case study on Venezuela’s Caracas outage during “Operation Absolute Resolve” cautions against attributing major disruptions to “cyber-only” effects when available evidence also indicates substantial **kinetic/physical damage** to substations, underscoring that modern operations may integrate cyber and physical actions and that misframing can distort infrastructure security priorities.
May 7, 2026
EU Leadership Warns of Russian Hybrid Warfare Campaign Targeting Europe
European Commission President Ursula von der Leyen publicly warned that Russia is conducting a coordinated hybrid warfare campaign against Europe, combining cyberattacks, sabotage, and disinformation to destabilize the European Union and weaken its support for Ukraine. In a speech before the European Parliament in Strasbourg, von der Leyen cited a surge in security incidents attributed to Russian state-backed actors, including the violation of Estonian airspace by Russian MiG jets and the appearance of drones over critical infrastructure in Belgium, Poland, Romania, Denmark, and Germany. The United Kingdom, though not an EU member, also reported drone incidents near civilian and military sites, prompting the deployment of a counter-drone unit to Denmark during major European summits. Von der Leyen highlighted that these incidents are not isolated but part of a deliberate and escalating campaign designed to test the EU’s resolve and unity. She referenced specific examples such as undersea cable cuts, cyberattacks that paralyzed airports and logistics hubs, and malign influence campaigns targeting European elections. The European Commission president emphasized that these actions are calculated to remain in a "grey zone" of deniability, making attribution and response more complex. She called for urgent action, urging EU leaders to develop a strategic plan in close coordination with NATO to counter these threats. The blueprint for a pan-European security response was presented to EU leaders at a recent summit in Copenhagen. Von der Leyen stressed the need for greater vigilance, technological readiness, and unity among EU member states to deter further aggression and protect European sovereignty. The campaign is seen as a direct attempt to divide the EU and undermine its support for Ukraine amid ongoing conflict. The speech marked a significant escalation in the EU’s public stance on Russian hybrid threats, moving from isolated incident response to recognizing a systematic and strategic campaign. The European Commission’s warning comes amid increasing evidence of Russia’s use of both physical and cyber means to disrupt European stability. The call to action includes enhancing countermeasures against cyberattacks, protecting critical infrastructure, and strengthening information resilience against disinformation campaigns. The EU’s response is expected to involve both defensive and offensive cyber capabilities, as well as closer intelligence sharing with NATO allies. Von der Leyen’s remarks underscore the seriousness with which European leadership now views the hybrid threat landscape, and the necessity for a unified and robust response.
Mar 21, 2026
Mobile Networks and Cyber Operations Enabling Drone Warfare in the Russia–Ukraine Conflict
Ukrainian hacktivists linked to the **Fenix cyber analytics center**, supported by **InformNapalm**, reported compromising accounts belonging to dozens of Russian military personnel and gaining access to monitoring systems used by Russian attack-drone operators. The operation allegedly enabled covert, near real-time surveillance of drone-operator activity and the transfer of collected data to Ukrainian Defense Forces, and it was cited in reporting around Ukraine’s decision to sanction Belarusian leader Alyaksandr Lukashenka over Belarus’s role in enabling Russia’s use of **repeater infrastructure** on Belarusian territory to extend UAV control and expand strike reach into northern Ukraine, including against energy and rail targets. Separately, Dutch intelligence services (**AIVD/MIVD**) warned that Russia is intensifying a broader **hybrid warfare** campaign across Europe—combining cyberattacks, sabotage, disinformation, covert influence, and espionage—to undermine public trust and weaken support for Ukraine while staying below the threshold of open war. In parallel, telecom-focused research highlighted how **public mobile networks** are increasingly being used as command/telemetry links for combat drones, citing examples from the Russia–Ukraine war and describing how 4G/5G standards work (e.g., 3GPP enhancements in Releases 15–18) has made cellular-connected UAV operations more feasible—raising infrastructure-security concerns for mobile operators and national critical infrastructure.
Mar 21, 2026