Shadow War: What Estonia and Poland Tell Us About Russia’s Clandestine Operations in Europe

CSDS POLICY BRIEF • 20/2024

By Ivan U. Klyszcz

4.7.2024

Key issues

• Russian clandestine operations in Europe are aggressive and have increased their pace and boldness since the launch of the full-scale aggression against Ukraine in 2022.
• The cases of Estonia and Poland are particularly helpful to understand the scope of Russian activities and their full destructive potential.
• Estonia and Poland have responded by, among other things, exposing Russia’s activities, empowering their counterintelligence and engaging in cross-border cooperation.

 

Introduction

Against the grain of policymakers placing the possibility of a confrontation with Russia in the future, on 22 May Estonian Prime Minister Kaja Kallas stated that Russia is already conducting a ‘shadow’ war against Europe. Indeed, Russia’s full-scale aggression against Ukraine is Europe’s largest security threat since 1991. In parallel to its brutal war against Ukraine, Russia’s aggressive clandestine operations against European Union (EU) and North Atlantic Treaty Organisation (NATO) members have gained new visibility across Europe. In fact, some experts estimate that the level of Russian activities across the continent resembles that of the Cold War. For example, the Voice of Europe case of 2024 revealed that Russian intelligence ran a transnational plot meant to disseminate propaganda with the support of Russia-leaning politicians ahead of the European parliamentary elections.

While the shadow war has impacted countries from Belgium to Greece and Finland, Estonia and Poland have been two visible cases where Russia has been building constant pressure through – among other things – its clandestine operations. The experience of these two countries in coping against Russian pressure can be revealing, as they have experienced the range of means Russia has in its toolkit, from cyberattacks to sabotage and espionage. Despite its changing and opaque nature, reports, revelations and disclosures allow us to gain a notion of the scope and impact of Russia’s shadow war on Europe. We argue that Western actors, faced with similar security challenges, should draw lessons from Estonia and Poland.

This CSDS Policy Brief starts with a short summary of the main actors involved: Russian intelligence agencies and the Estonian and Polish state bodies responding to Russian actions. Then, the Policy Brief describes three measures used by Russian intelligence to undermine Estonian and Polish national security, namely, cognitive warfare, recruitment and sabotage. Next, we present three measures implemented by Estonia and Poland to respond to Russia’s shadow war: exposure, reinforced international cooperation and enhanced counterintelligence.

Actors

Russian intelligence agencies experienced a period of turbulence in the 1990s in their post-KGB (Komitet gosudarstvennoy bezopasnosti in Russian) reorganisation. As the Kremlin sought to sideline loyalists to the Communist Party, President Boris Yeltsin dismantled the formerly all-powerful KGB into several competing agencies with overlapping mandates – especially abroad – and limited resources. In addition, former KGB officers exited the service to join the private sector, draining the agencies from human capital.

This trend was reversed in the 2000s under President Vladimir Putin – himself a former KGB officer. Putin returned many of the functions and authority to the country’s main civilian intelligence agency, the Federalnaya sluzhba bezopasnosti (FSB in Russian), except foreign intelligence, which remained the authority of the Sluzhba vneshney razvedki (SVR in Russian) and of military intelligence (the Glavnoye upravleniye, commonly known as GRU in Russian). These three main agencies have received expanded powers and budgets, reversing the decline experienced in the 1990s.

The outlook of these agencies is shaped by the Chekist tradition, stemming from the Russian Civil War. The Chekist tradition inaugurated by the Bolshevik underground and the leadership of Feliks Dzerzhinsky has evolved and changed with time, without losing some core features. These include a paranoid view of society and international relations, great power aspirations and an all-encompassing concept of “political warfare” or “struggle” (politicheskaya borba). Political warfare is the concept that guides Russian clandestine operations including assassinations, cognitive warfare, espionage and other areas the Soviets referred to euphemistically as “active measures” (aktivnye meropriyatiya).

Today, the political context since 2014 and especially since 2022 has been shaped by that country’s aggression against Ukraine. Namely, the agencies share the view with the Kremlin that Russia is waging a “defensive” war against NATO and its “puppet” in Kyiv. NATO allies – Estonia and Poland included – are routinely invoked as ‘satellites’ of the United States (US), portrayed as societies whose foreign policy is driven by irrational Russophobia.

For the Russian intelligence community, the war has presented defeats, failures and opportunities to gain new relevance in the Kremlin. Initially, the FSB was trusted with pre-war reconnaissance, then punished due to the war’s initial failures, and now trusted again to carry out a purge at the Russian Ministry of Defence. In Europe, the expulsion of nearly 400Russian spies under diplomatic cover in 2022 severely damaged Russia’s intelligence activities in the continent. This forced the services to activate assets under deep cover and to rely on quick-and-dirty recruitment by social media, and circulating officers from other stations, such as those in Latin America. Other Russian officers circulated out of Europe ended up in posts in Africa, for example, including a former Belgium-based officer now in the Central African Republic.

On the other side, the Estonian and Polish intelligence communities have been built from the break with the Communist-era structures. In both countries, the old Communist structures were dismantled, though gradually in Poland’s case. The Estonian agencies include the Välisluureamet (foreign intelligence, under the defence ministry), Kaitsepolitsei (KaPo, domestic intelligence) and the Rahapesu Andmebüroo (financial intelligence). In Poland, there are several agencies, among them the Agencja Bezpieczeństwa Wewnętrznego (ABW, domestic intelligence) and the Agencja Wywiadu (AW, foreign intelligence), as well as several military agencies and the anti-corruption agency.

Proximity has given Estonia and Poland, as well as Latvia, Lithuania and other “frontline” states, an insight into Russian covert operations. Indeed, incidents such as the 2007 “Bronze night” hybrid conflict in Estonia and the constant stream of disinformation targeting Poland have placed these countries at the centre of attention for intelligence agencies.

In the mid-2010s, Estonia’s intelligence agencies suffered a string of espionage incidents, prompting a reinforcement of their counterintelligence capabilities, today considered among the best ones in Europe. In recent decades, Poland’s intelligence community has faced more restructuring than in Estonia. For example, Warsaw has changed several times how it manages its intelligence community, establishing a Minister-coordinator for the intelligence community in 1997, then changing that responsibility to the Ministry of Interior, and then back to the Minister-coordinator in 2015.

Today, the political context for Estonian and Polish security policies is shaped by Russia’s war, as Tallinn and Warsaw attempt to rally support for Ukraine and enhance their security. Poland’s 2020 National Security Strategy identifies Russian imperialism as the foremost threat to the country, including by way of Kaliningrad and by hybrid war. Estonia’s 2023 National Security Concept calls Russia ‘[t]he greatest security threat to Estonia’.

The threat is not latent, but active. Both Estonian and Polish officials have revealed that the tempo of Russian operations has increased, and that operations have become ‘harsher’ and ‘more disturbing’. Since December 2023, there were 18 arrests announced by Polish authorities of individuals suspected of sabotage carried out on Russia’s behalf, though the total tally since 2022 is bound to be larger. To put this into perspective, over the period 2015-2019, 28 individuals were expelled from Poland on charges related to hybrid activities. In February 2024, Estonia announced it had detained 10 suspects accused of committing sabotage and intimidation operations on Russia’s behalf.

Shadow war

What are Russia’s covert measures against Estonia and Poland? And how are these two countries responding? Three broad categories can encompass a large segment of Russia’s clandestine operations against those two countries: cognitive warfare, recruitment and sabotage. Cyber-warfare, rather than a category of its own, is present in these three groups; Estonia and Poland have constantly registered attacks from pro-Kremlin hacker groups, with the largest such attack against Estonia taking place in 2024.

Cognitive warfare

Encompassing measures from disinformation to intimidation, Russia’s cognitive warfare against Estonia and Poland has been constant, especially since 2014. For example, in 2015, Sputnik – one of Russia’s main state-controlled disinformation and propaganda outfits – began to operate a Polish-language edition. In Estonia, the Kremlin has fostered for years pro-Kremlin disinformation networks, particularly targeting the country’s large Russian-speaking community – consisting of over 300,000 individuals, of which 83,000 hold Russian citizenship.

Russia’s cognitive warfare has a broad range in terms of complexity and visibility. In one extreme, there is the case of the Baltic Platform, a series of scholarly and expert conferences meant to launder disinformation, disseminate strategic narratives and shape public opinion abroad, inciting anti-NATO and pro-Russian sentiments. The first meetings of the Platform took place in 2023 and 2024, and involved speakers and guests from various countries, including Belarus, Iran as well as Finland, Germany and Poland. Among the narratives disseminated is the notion that the Russian-led “Union State” – a treaty that subordinates Belarus to Russian control – would have been a better way for Estonia, Finland, Latvia and Lithuania to ensure their ‘self-determination’.

At the other extreme, there are violent attempts at intimidation. In the region, the most visible case was that of the exiled Russian opposition leader, Leonid Volkov. On 12 March, Volkov was struck in his home in Lithuania by an assailant later discovered to have been a Polish citizen, suspected to have acted with previous Russian reconnaissance. The Lithuanian National Crisis Management Centre called this the country’s first case of ‘political terrorism’.

In Estonia, other cases of intimidation have targeted top government officials and journalists. On 8 December 2023, the cars of the Estonian Minister of Interior, Lauri Läänemets, and the editor-in-chief of the Russian-language edition of Delfi, Andrei Šumakov, were struck by assailants allegedly recruited by Russia. The windows were broken in what the police and KaPo have assessed to have been an intimidation attempt targeting Estonian society as a whole.

A constant source of pressure has also been the traffic of undocumented migrants at the Poland-Belarus and the Estonia-Russia borders. As migration is a divisive topic across Europe, Russia’s tactic is meant to stoke conflict within societies and create a sense of crisis. The deadly stabbing of a Polish soldier at the border with Belarus by an alleged migrant on 28 May caused uproar.

Russia’s cyberwarfare also has a cognitive element, within the framework of Foreign Information Manipulation and Interference (FIMI). Throughout the 2024 European Parliament elections, Russia deployed what has been called operation “Doppelganger”. It involved creating clones of legitimate news websites, meant to disseminate disinformation and propaganda by tricking users into believing that these are real sources. In facsimile websites of popular Polish outlets such as Polityka, the Kremlin passes along narratives that attempt to stoke hatred towards Ukrainian refugees.

Recruitment

Since 2022, there has been a string of reports of spies recruited by Russia to gather intelligence, disseminate disinformation and propaganda, conduct sabotage, or carry out attacks on individuals. This recruitment is taking place in two ways: cross-border and online via social media.

In the former case, recruitment takes place when individuals are inside Russia or across the Russian border, where they are exposed to the FSB border agents. Particularly sensitive locations are Kaliningrad and Ivangorod, the Russian city opposite to the Estonian border town of Narva. In both cases, FSB officials can detain and intimidate individuals attempting to cross the border, demanding their compliance. According to KaPo, by the end of 2023 the FSB increased its recruitment and intimidation efforts of individuals crossing the border, subjecting them to data seizures and detentions on fabricated charges. Online, social media can offer anonymity and discretion to the recruiters, who often offer payment in exchange for intelligence collection and other activities. Russian intelligence has invested into cryptocurrencies for years, and indeed many of these payments have been done through relatively hard-to-trace crypto.

The targets and missions of this recruitment vary. Aside from the operationally valuable monitoring of Polish infrastructure, recruits also engage in sabotage and cognitive warfare. For example, in August 2023 Polish security agencies detained two individuals – who happened to be Russian citizens – paid online, allegedly by Russian intelligence, to paste pro-Wagner posters in Warsaw and Krakow.

The targets of Russian recruitment also tend to include Ukrainians who arrived in Estonia and Poland as refugees. Often Russian speaking, these individuals are vulnerable, and less resilient and able to cope with Russian attempts at recruitment. The detained individuals in Poland mentioned above include people with Ukrainian citizenship but also Poles and Belarusians.

Sabotage

Russian clandestine operations in Europe have already featured sabotage operations. Some of the best-known ones include the detonations of Bulgarian and Czech ammunition depots, in 2011 and 2014, each meant to thwart arms deliveries to Georgia and Ukraine, respectively. This trend has continued since 2022 but gained new scope, as reportedly Polish harbours and railways have been monitored by Russian agents. The strategic eastern Poland town of Rzeszów – whose airport has served as an entry point to Ukraine – has attracted the attention of Russian intelligence, as its operatives install cameras and tap into radio towers for surveillance of air and rail traffic. According to information revealed in 2023, these monitoring operations were meant to precede a sabotage operation against rail traffic, as substantial aid and military supplies arrived in Ukraine this way. Some of this sabotage is taking place online, too. Poland has been the target of a growing number of Distributed Denial-of-Service (DDoS) attacks, specifically against its rail infrastructure.

In Estonia, sabotage has not played as prominent a role due to its relative distance from Ukraine. Yet, the case of the Läänemets and Šumakov intimidation attempt led to the arrest of 10 individuals accused of the attacks, as well as of planning a sabotage operation. While not much is known about the sabotage operation, Estonia has been constantlysupplying resources and war materiel to Ukraine, making those deliveries potential targets. The possibility of further sabotage plots has been discussed at the Estonian National Defence Council later on, as well.

Arson has been a constant, blurring the line between sabotage and cognitive warfare – terror and intimidation. For example, a string of fires in May 2024 raised concerns that Russian intelligence might be carrying out arson attacks in Poland. While the authorities dismissed the allegations of foreign connections of certain fires, in other cases they have pointed to a potential foreign source. In May, Polish authorities alleged that Russian intelligence was behind the fire that destroyed Poland’s largest shopping centre in the Marywilska area of Warsaw. In that month, Prime Minister Donald Tusk revealed that nine individuals were arrested on suspicion of sabotage, including on charges of attempted arson. In addition, some of the detained individuals were suspected of also planning arson attacks in Lithuania.

Fighting back

The threat posed by the aggressive activities of Russia’s intelligence community in Estonia and Poland have not prompted a major reorganisation of counterintelligence activities, so it is possible to conjecture that the response has not deviated from the usual toolkit in counterintelligence. This toolkit includes several measures, among them exposure, empowering intelligence agencies and cross-border cooperation.

Exposure

Estonia and Poland have been revealing sabotage and espionage cases featuring Russia consistently, including after 2022. The Estonian annual security reviews – published in English and Estonian – are published every year since the early 2000s. They are well-known, and they often feature summaries of cases that the agencies pursued in the past year. Additional statements occur outside of these reviews. Since 2014, the Estonian government has been investing in media literacy courses at schools as well as offering grants for journalists and news outlets, including in the Russian language.

Like in Estonia, the Polish special services have a consolidated website, disseminating analysis and information about their activities in counterintelligence. The primary audience are Polish citizens, who are informed of the disinformation narratives disseminated by Russia. These are efforts in debunking and pre-bunking. Many of these communications are addressed to audiences abroad, with a website in English too. Moreover, the country’s leadership has been openly exposing Russian plots. For example, Prime Minister Tusk openly spoke on the investigations of the Marywilska mall fire, and the suspicions that Russian intelligence might be behind that and other incidents.

Both Estonia and Poland have officially discouraged – though not forbidden – travel to Russia, making explicit that travellers there risk data seizures and arbitrary detentions.

Empowering agencies

In the 2010s, already faced with increased pressure from China and Russia, Estonia introduced harsher penalties for espionage and reportedly increased its counterintelligence capabilities. The start of Russia’s full-scale war on Ukraine did not appear to bring major changes for Estonia, as no major institutional or managerial reorganisation has been announced.

In Poland, however, 2022 restarted some reform processes. A reform to the Criminal Code concerning espionage was considered before 2022, but it fell off the agenda. After February 2022, and with espionage cases starting shortly after the full-scale war began, amendments to Article 130 of the Criminal Code – setting penalties for espionage – were discussed. The amendments came into place in August 2023, prolonging the sentences for espionage and increasing the authority of the intelligence agencies. The government also reversed the closure of regional branches of the ABW. In 2024, the budget for the intelligence agencies received a 100 million złoty increase, plus an additional US$760 million to be spent on cyber security.

On the Belarus-Poland border, the reintroduction of the exclusion zone is meant to upgrade the border fence and increase its monitoring, as well as enhance the authority of the police in the area. These and other related measures have been divisive.

International cooperation

Given the cross-border nature of these Russian operations, cooperation with partners across borders has also been necessary. This has included the bilateral format, the European format (e.g. Europol) and cooperation with the US and with Ukrainian intelligence agencies.

European cooperation has been activated numerous times. The Voice of Europe case is illustrative of the threats addressed and the cross-border measures taken, namely, intelligence sharing and coordination among law-enforcement agencies. Allegedly financed by Putin ally Viktor Medvedchuk to the tune of €2 million, this online publication disseminated anti-Ukraine narratives for years, including with support from sympathetic Members of the European Parliament. It was eventually discovered that the outlet was run from offices in Czechia and Poland. Reportedly, the raids on the Voice of Europe offices were carried out in coordination between the two countries, as well as with Belgium and Ukraine. In addition, Lithuania and Poland have cooperated in the detention and trial of the suspects in the Volkov case. Poland has been in constant dialogue with Germany on the situation on the Belarus border. Cooperation with Ukraine has also been ongoing. In May 2024, Ukraine extradited to Poland a man suspected to be an organiser of Russia’s Belarus border operation.

Beyond Europe, cooperation with the US has also stood out. Generally, the US considers Baltic intelligence agencies to be highly capable against Russian threats, so cooperation has been constant since the countries joined NATO. Reports have emerged about the US sharing intelligence with Poland to secure its territory, such as during the 2022 missile incident at Przewodów. In June, the US and Poland announced the opening of a centre meant to counter Russian disinformation about Ukraine throughout the world. Some cases cannot be considered cooperation but rather fall within the scope of diplomacy. In June as well, Polish President Andzrej Duda visited Beijing, with the situation at the Belarus border in the agenda – China is the largest trade partner of Belarus.

International cooperation has been a two-way street, too. In the past two years, there have been a proliferation of academic events meant to exchange the disinformation and counterintelligence experiences from Estonian and Polish services. For example, in March a new NATO-supported Estonian-French project on disinformation was announced.

Conclusion

Russia’s shadow war against Europe is ongoing and its scope and shape continues to evolve. While these operations have a cyber component, their scope is not limited to cyber-attacks and hacking. Moreover, with a decreased fear of blowback, Russian intelligence has been caught carrying out widespread sabotage and operations of cognitive warfare throughout Europe. These operations have become more aggressive, and they reflect the paranoid and hostile outlook of the Kremlin towards Europe and the West.

Several European countries have struggled under the influence of Russia’s intelligence agencies. The Jan Marsalek case in Austria revealed the extent to which that country’s counterintelligence capabilities have atrophied, especially in preventing and identifying spy recruitment within the services themselves. A similar situation was visible with the “Carsten L.” case in Germany, where a court found a former German BND (Bundesnachrichtendienst, in German) intelligence officer guilty of spying for the Russians. In addition to counterintelligence capabilities, enhanced cross-border cooperation could have also detected Marsalek, as he reportedly travelled across Europe while working for Russia. The beleaguered Austrian and German counterintelligence agencies could also gain additional authority and repair their reputation by being empowered by their respective governments. As the Chair of the Bundestag Defence Committee stated, ‘[w]e urgently need to strengthen our security and counterintelligence because we are vulnerable in this area’.

Understanding the pressure that Russian intelligence – and the broader state apparatus behind it – have placed the “frontline” states under can bring benefits to Western actors seeking to respond to Russian clandestine operations. Estonia and Poland rely on many instruments to respond such as exposure, deterrence and cooperation. Continued dialogue, exchange of best practices and mutual support will enhance European security against Russia’s shadow war.

__________

An earlier version of this paper was presented at the “Geopolitics of Central and Eastern Europe and the Ukraine War” workshop at University of Southampton. The author wishes to thank the organiser, Dr Kamil Zwolski for the workshop and the participants for their feedback.