Intelligence Agencies Warn Defense Industrial Base of Russian Sabotage Operations
Six U.S. intelligence agencies issued a warning on Thursday to the defense industrial base about Russian government sabotage operations attempting to undermine Allied support for Ukraine.
“Over the last year, the Russian government and its proxies have planned and directed sabotage attacks against European military installations, foreign defense companies, logistics facilities, and public utilities in an effort to undermine Allied support to Ukraine,” according to the warning. “Russian intelligence services are recruiting criminals and other proxies to carry out attacks in Europe, and may also try to identify and recruit defense industrial base insiders.”
Six intelligence agencies collaborated on the warning, including the National Counterintelligence and Security Center (NCSC), the FBI, the Defense Counterintelligence and Security Agency, and U.S. Army Counterintelligence Command.
The warning provided references to two recent plots that intelligence officials are aware of. The first was disrupted in April 2024 when UK authorities charged several Britons with planning and conducting an arson attack on a Ukraine-linked business in London on behalf of Russian intelligence. The second was an incident in June 2024 when Polish authorities announced they had arrested 18 people during the past six months for plotting arson and other acts of sabotage across Poland on behalf of Russia and Belarus.
The New York Times reported that the intelligence agencies decided to issue the warning due to “concern about a Russian attempt to assassinate the head of a German arms maker.”
The warning urged U.S. companies—especially those supporting entities involved in the Ukraine conflict or other geopolitical conflicts—to enhance their vigilance and take additional steps to boost their security.
“Russia’s sabotage activities in Europe increase the risk to U.S. companies abroad and potentially at home,” the warning said. “Such sabotage operations can sow fear and doubt, damage important infrastructure, disrupt commerce, or cause injury and death.”
Zev Faintuch, head of research and intelligence at duty of care provider Global Guardian, says that Russia has ramped up its “active measures” against the West during the past year.
“Russia’s all-of-society approach to its war on Ukraine—and the West—is mirrored by its attacks on ‘all of Western society,’” Faintuch explains. “Any firm involved in the supply chain of the NATO defense industrial base is now fair game for Russia. While Russia cannot militarily strike American or European production facilities the way it targets Ukrainian factories, Moscow has options for disruption or harming production.”
Indicators of Sabotage
The agencies included a list of potential indicators of Russian sabotage efforts that organizations should be aware of.
- Explicit or implied threats to facilities or personnel
- Online posts by individuals noting an intent to commit violence or direct threats
- Photographic or video surveillance of facilities, staff, or systems, including employees who bring unauthorized surveillance tools into the workplace
- Physical threats or intrusions that may indicate casing or perimeter security tests
- Indicators of outsiders eliciting information from staff members, including requests for proprietary information
- Cyberattacks or network penetrations
- Staff who seek physical or digital access beyond their normal duties
“Sabotage can involve several steps before actual attacks, including planning, preparation, surveillance, and recruitment,” the warning said. “Some acts of sabotage are designed to hide the hand of the perpetrator, appearing to be accidents or equipment failures.”
Some sabotage efforts involve both cyber and physical elements. For instance, in an exclusive published today, WIRED detailed an effort from Russia’s APT28 hacking group that appears to have “remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.”
Volexity cybersecurity researcher Steven Adair will share details of the campaign at the Cyberwarcon conference later today.
“This is the first case we’ve worked where you have an attacker that’s extremely far away and essentially broke into other organizations in the US in physical proximity to the intended target, then pivoted over Wi-Fi to get into the target network across the street,” Adair told WIRED. “That’s a really interesting attack vector that we haven’t seen before.”
Next Steps for Security Teams
Faintuch says the threat appears to be more acute in Western Europe, where Russian intelligence has closer ties to organized crime. But he adds that now is the time for American defense companies and their suppliers to step up their internal security practices.
“This starts with complete security audits—review of physical and digital access control, camera surveillance, and security for executives,” Faintuch explains. “To be proactive, companies can also buttress their cybersecurity training, insider threat monitoring, and social media monitoring to help stay ahead of the curve.”
The intelligence agencies divided mitigation measures to prevent Russian sabotage into four major categories.
Partnerships. Organizations were encouraged to engage with local law enforcement, first responders, and intelligence agencies to keep informed of potential threats, receive guidance on security practices, and respond to incidents. The agencies also recommended holding routine exercises with local partners to “practice and validate your incident response protocols.”
Enhancements. Organizations were urged to provide regular training on security awareness to employees and emphasize reporting suspicious activities.
The warning also doubled down on organizations ensuring that their existing physical security, cybersecurity monitoring, and system surveillance are operational and able to spot disruptions.
“Identify your most important assets and prioritize their protection with layered security measures,” the warning explained.
The agencies also suggested creating an “anomaly log” to track suspicious or unusual incidents—both physical and cyber—for security and safety purposes.
Personal security. In an unusual step, the agencies also emphasized the need for organizational personnel to take steps to improve their security practices.
“Be mindful of what you post on social media. Those involved in work tied to Ukraine or other geopolitical conflicts should be cautious about disclosing work, travel, personal, and family information online,” the warning said. “Adversaries can use this information to identify access, location, and personal vulnerabilities.”
The agencies also suggested personnel vary their routes to and from work, pay attention to their surroundings, and report suspicious incidents to corporate security and supervisors—escalating to law enforcement if they feel in danger.
When traveling, the agencies encouraged individuals to provide someone in the United States with their travel itinerary and establish check-in times during the trip. They also discouraged traveling with devices that contain sensitive information.
“Do not share detailed information about yourself, family, or associates with any individual who has shown an unusual interest in them,” the warning added.
Resilience. The warning encouraged organizations to diversify and enhance the security of their supply chains to reduce the impact of potential compromise.
“These efforts can aid in recovery and deter the saboteur by decreasing the effectiveness of a sabotage attempt,” the warning said.