Russia Stepping Up Hybrid Attacks, Preparing for Long Standoff with West, Dutch Intelligence Warns
Summary:
Dutch intelligence agencies (AIVD and MIVD) released a joint assessment warning that Russia is conducting an intensifying hybrid warfare campaign against European nations and is actively preparing for a prolonged confrontation with the West.
The report characterizes this campaign as a deliberate, sustained effort operating below the threshold of open conflict, combining cyberattacks, physical sabotage, disinformation, covert political influence operations, and espionage. Since late 2023, the tempo of these operations has increased sharply across Europe. In the Netherlands specifically, Russian actors have targeted public institutions, critical infrastructure, and government networks, including a notable intrusion into the control system of a public fountain, assessed as infrastructure reconnaissance. Russian-linked actors also conducted an opportunistic breach of Dutch police systems in September 2024, exfiltrating officer contact details, an operation later attributed to a newly identified group dubbed Laundry Bear (also tracked as Void Blizzard).
The report also highlights Russian maritime intelligence collection against undersea cable and seabed infrastructure in the Baltic, framing it as groundwork for potential future sabotage. Critically, Dutch intelligence assesses that Russian risk tolerance has increased since 2024, with the Kremlin demonstrating greater willingness to accept collateral consequences, including casualties, from its covert operations.
Security Officer Comments:
The breadth of Russian targeting, spanning government systems, law enforcement databases, public-sector websites, and critical infrastructure OT environments, signals that no single vertical should consider itself out of scope. The deliberate probing of OT/ICS environments is notable as it suggests Russian actors are building reconnaissance maps of physical infrastructure for potential future disruption.
The emergence of Laundry Bear as a distinct cluster indicates Russian intelligence services continue to expand their operational roster, likely to distribute attribution risk and maintain operational continuity despite ongoing Western exposure efforts. The increasing reliance on low-level, criminally recruited proxies further complicates attribution, as their tooling and behavioral signatures will likely diverge from traditional nation-state patterns. Defenders should expect a wider variance in TTPs and tradecraft quality, ranging from highly sophisticated espionage implants to crude but disruptive DDoS and smash-and-grab credential theft operations.
Russian actors may be less constrained in their operational decisions, including accepting noisier intrusions, more aggressive lateral movement, or physical co-located sabotage actions that could accompany cyber operations. The combination of IT network intrusions alongside physical reconnaissance of infrastructure, including maritime seabed mapping and drone activity near sensitive sites, points toward a potential hybrid escalation model where cyber access could be leveraged to support or enable physical disruption.
Suggested Corrections:
Organizations supporting government, defense industrial base, logistics, or critical infrastructure clients should treat this assessment as a prompt for immediate posture review.
Network defenders should prioritize visibility into OT-adjacent environments and ensure proper segmentation between IT and any operational technology or building management systems, as recent campaigns demonstrate that even peripheral connected systems are viable entry points for reconnaissance.
Anomalous authentication events, particularly those involving contractor or third-party accounts, warrant heightened scrutiny given Russia's documented use of supply chain and trusted-access pathways.
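The two recommendations above (IT/OT segmentation visibility and scrutiny of third-party account authentication) can be turned into concrete detection logic. The following script is an added illustration, not part of the Dutch assessment or the linked article: it runs a handful of rules over constructed authentication log lines and flags third-party accounts authenticating from outside their expected source ranges, off-hours third-party logins, a successful login following a burst of failures, and any account that is not explicitly cleared for OT reaching the OT/BMS address space. The account names, IP ranges, log format, and thresholds are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed sample authentication log lines (not taken from the advisory).
# Format: timestamp user= src= dst= dst_ip= result=
SAMPLE_LOG = """\
2024-09-12T09:14:02Z user=j.devries src=10.20.4.15 dst=fileserver01 dst_ip=10.20.9.3 result=success
2024-09-12T09:20:41Z user=svc-hvac-vendor src=203.0.113.24 dst=bms-gw01 dst_ip=10.50.1.10 result=success
2024-09-12T22:47:13Z user=svc-hvac-vendor src=198.51.100.77 dst=bms-gw01 dst_ip=10.50.1.10 result=success
2024-09-12T23:02:55Z user=j.devries src=10.20.4.15 dst=plc-hist01 dst_ip=10.50.2.20 result=success
2024-09-13T03:11:09Z user=contractor-ext01 src=203.0.113.24 dst=vpn-concentrator dst_ip=10.20.0.1 result=failure
2024-09-13T03:11:15Z user=contractor-ext01 src=203.0.113.24 dst=vpn-concentrator dst_ip=10.20.0.1 result=failure
2024-09-13T03:11:21Z user=contractor-ext01 src=203.0.113.24 dst=vpn-concentrator dst_ip=10.20.0.1 result=success
"""

# Assumptions constructed for this example: which accounts belong to third
# parties, the source ranges each is expected to connect from, which address
# space is OT/BMS, which accounts are cleared to reach it, and business hours.
THIRD_PARTY_ACCOUNTS = {"svc-hvac-vendor", "contractor-ext01"}
ALLOWED_SOURCES = {
    "svc-hvac-vendor": [ipaddress.ip_network("203.0.113.0/24")],
    "contractor-ext01": [ipaddress.ip_network("203.0.113.0/24")],
}
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
OT_ALLOWED_ACCOUNTS = {"svc-hvac-vendor"}   # only account cleared for the OT segment
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAILURE_BURST_THRESHOLD = 2                  # failures before a success is suspicious


def parse_line(line):
    """Parse one key=value log line into a dict with typed timestamp and IPs."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst_ip"] = ipaddress.ip_address(rec["dst_ip"])
    return rec


def in_any(addr, networks):
    return any(addr in net for net in networks)


def analyse(log_text):
    """Return a list of (rule_name, user, timestamp) findings, in log order."""
    findings = []
    failures = defaultdict(int)   # consecutive failures per account
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        user, ts = r["user"], r["ts"]
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")

        if user in THIRD_PARTY_ACCOUNTS:
            # Rule 1: third-party account from a source outside its expected range
            if not in_any(r["src"], ALLOWED_SOURCES.get(user, [])):
                findings.append(("third_party_unexpected_source", user, stamp))
            # Rule 2: successful third-party login outside business hours
            in_hours = BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]
            if not in_hours and r["result"] == "success":
                findings.append(("third_party_off_hours_success", user, stamp))
            # Rule 3: success immediately following a burst of failures
            if r["result"] == "failure":
                failures[user] += 1
            elif failures[user] >= FAILURE_BURST_THRESHOLD:
                findings.append(("third_party_success_after_failures", user, stamp))
                failures[user] = 0

        # Rule 4: any account not cleared for OT authenticating into the OT segment
        if in_any(r["dst_ip"], OT_NETWORKS) and user not in OT_ALLOWED_ACCOUNTS:
            findings.append(("it_account_reached_ot_segment", user, stamp))
    return findings


if __name__ == "__main__":
    for rule, user, stamp in analyse(SAMPLE_LOG):
        print(f"{stamp} {rule:40s} {user}")
```

Run against the constructed sample it yields five findings: the vendor account seen from an unexpected source and off-hours, a regular IT user reaching a PLC historian in the OT range, and a contractor account succeeding off-hours right after two failures. The allow-lists are the part worth maintaining carefully in practice; the rules themselves are deliberately simple so they can be ported to whatever SIEM query language is in use.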
Defenders should advocate internally for increased investment in threat intelligence sharing with sector peers and government partners, as the Dutch report explicitly calls for public-private cooperation as a core resilience measure.
Tabletop exercises should incorporate hybrid threat scenarios that include simultaneous cyber and physical components.
Finally, organizations with European operational footprints or clients should review incident response plans for scenarios involving infrastructure disruption, ensuring they are not solely designed around data-centric breach scenarios but account for availability and OT-targeting events consistent with Russia's documented campaign objectives.
Link(s):
https://therecord.media/russia-cyberattacks-europe-warfare