A new report from Defence24 has outlined the role of Russia in a number of cyberattacks and acts of sabotage. The report calls this “Phase 0” of a full war between the countries and outlines how Russia is testing “methods and tools” for future hybrid attacks.
“Poland has long been one of the primary targets of Russian hybrid operations,” wrote study author Aleksander Olech. “This has been a pattern that predates Russia’s aggression against Georgia in 2008 and Ukraine in 2014. It is important to stress, however, that the frequency of these attacks has increased dramatically since 2022, coinciding with Poland’s transformation into the main logistical hub for assistance to Kyiv.”
The report lays out a pattern of hybrid attacks that sit just “below the threshold of war.” These attacks include sabotage, arson, and supply chain disruption in addition to standard cyberattacks that cannot be attributed to any particular enemy.
From the report:
A variety of tools are used in these operations – from the exploitation of migration, as in the crisis on the Polish-Belarusian border, where migrants were used as a tool for political pressure and to test the state’s response, to intensive disinformation operations such as “Doppelgänger” and “Matryoshka”. The above-mentioned operations involved impersonating the media and discrediting fact-checking institutions, as well as acts of physical sabotage, including arson attacks on industrial and logistics facilities, carried out by individuals recruited by Russian intelligence. In addition, activities in cyberspace are an important component, ranging from massive DDoS2 attacks on government and infrastructure websites (as in the cases of Polish State Railways or the Polish Press Agency) to advanced data-theft operations involving military and personal data. All these actions are part of a coordinated hybrid strategy aimed at paralysing the functioning of the state, causing social chaos, weakening morale, and testing the limits of Poland’s resilience as a member of NATO and the European Union.
Fire and Mayhem
The first and most visible “Phase 0” tactic comes in the form of incursions by migrants on the border between Belarus and its Western neighbors. These crossings have been characterized as a form of hybrid warfare in which Russian-aligned Belarusian authorities sent countless migrants over the border in an effort to destabilize the Polish military and border patrol.
The report details efforts to push migrants across the Polish-Belarusian border, calling it a “demographic weapon” used to “destabilise the internal situation” and test state response. The tactics have evolved. Authorities found tunnels, ladders, and coordinated crossings, including one case where nearly 200 people entered Poland through a single tunnel.
“For example, on 11 December 2025, a tunnel was discovered near the town of Narewka. Its entrance was in the forest on the Belarusian side. It is estimated that 183 people entered Poland through it,” wrote the authors. “Another way to bypass the barrier is to use folding ladders with a boom and a several-meter-long rope, and to destroy a section of the infrastructure with a chainsaw or grinder.”
Interestingly, the move only pushed the Polish authorities to lock down the Belarusian border, resulting in “only 158 attempts to illegally cross the border [versus] 3,306 in the same period in 2022,” a drop of nearly 96 percent according to Euro.news.
Arson shows up repeatedly as a tactic. These attacks are often carried out by recruited individuals with little direct connection to the state directing them, which makes them harder to trace and easier to repeat. The report notes that “most acts of sabotage currently cause limited damage… [but] the scale of destruction will continue to grow.”
In 2024, a Belarusian identified as Stepan K set fire to an OBI DIY store. The blaze, which Stepan allegedly set overnight, happened on April 14, 2024 and resulted in €830,000 in losses. Another fire on May 12, 2024, this time at a shopping center called Marywilska 44, appears to also have been set by Russian operatives.
“We now know for certain that the massive fire on Marywilska was the result of arson commissioned by Russian services,” Polish Prime Minister Donald Tusk wrote on X. “The actions were coordinated by a person residing in Russia. Some of the perpetrators are already in custody, while the rest have been identified and are being sought. We will catch them all!”
Saboteurs have attacked Poland’s Baltic neighbors, including torching IKEA stores in Vilnius and Riga.
Rail infrastructure is another target. The report references “acts of diversion on Polish railways” as part of a wider campaign. The report cites “massive DDoS attacks on government and infrastructure websites… as in the cases of Polish State Railways or the Polish Press Agency.” In 2023, for example, assailants used cheap devices to order a “radio stop” for the Polish PKP railways, resulting in a traffic shutdown. According to Wired, the “saboteurs reportedly interspersed the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian President Vladimir Putin.”
Some of the most unsettling examples sit at the edge of war. The report describes incidents involving drones and airspace violations, including “crashes of unmanned aerial vehicles… on NATO territory” and the risk that these could escalate into “damage to critical infrastructure.”
The Canary of Europe
Espionage cases show how deep this runs. Individuals are recruited through social media, criminal networks, even video games. Payment can be as low as a few dollars for graffiti or as high as “$10,000 for serious crimes such as murder.” Russian operatives allegedly use promises of work, propaganda, and even blackmail to convince saboteurs to take part in efforts to destabilize the country.
“Those recruited are usually young men with a background in the military or other paramilitary organisations, often with links to the criminal underworld. It should be noted that Russia consistently uses non-state actors (individuals, entities, groups, etc.) as tools to carry out hybrid activities, allowing it to conduct proxy operations below the threshold of open warfare while maintaining the ability to deny state involvement,” write the authors. “Dozens of activities carried out by private entities and unrelated groups, such as sabotage of military and industrial infrastructure, acts of diversion on Polish railways, disinformation campaigns, cyberattacks, arson, drone flights, and weapons transfers, are not isolated incidents, but elements of a single, larger scheme of operations carried out by the Russian services.”
There are also direct information operations that blend into physical effects. One 2020 example involved a hack of a military university website, where attackers posted a fake letter urging soldiers to rebel and framing NATO forces as occupiers. These propaganda and disinformation attacks point to a larger trend of online media that targets undereducated Poles with admonitions to repel immigrants and to create a populist government in the MAGA vein. And things aren’t slowing down.
These attacks point to a single goal: the destabilization of the EU and NATO. In light of U.S. turmoil thanks to confounding and confusing presidential statements in addition to these attacks on a sovereign nation, all signs point to similar flare ups in other Western countries which could push “Phase 0” to “Phase 1.”
The report concludes:
A buildup of Russian activity marked the year 2025 and, at the same time, demonstrates that the Kremlin is capable of deploying a wide range of tools and sophisticated methods. It is expected that there will be even more hybrid attacks in 2026. The Russian Federation wants to prove at all costs that it can “hurt” a NATO country and will not suffer any real consequences for doing so.
Poland remains resilient in the face of these attacks but their concern is palpable. According to an anonymous Polish military officer, quoted in the report, “We do not realise how much will change in Poland after a single terrorist attack with casualties, carried out as part of hybrid operations by the Russian Federation. The fact that we have managed to avoid such a situation over the last few years is due to several factors. One of them is working across divisions, overcoming a silo mentality in the security sector, countering defeatism in cooperation between theorists and practitioners, and most importantly, thanks to the power of a network of people totally devoted to serving Poland, whom we consider to be the silent heroes of this story.”
