site.btaChristo Grozev in EUDS Committee Hearing: Russia's Attacks against EU Are Comprehensive but Can Be Countered

Addressing a meeting of the European Parliament Special Committee on the European Democracy Shield (EUDS) here Tuesday on Russia’s hybrid threats and attacks in Europe, Bulgarian investigative journalist Christo Grozev said that Russia's assault on the EU is comprehensive and "feel like fear - not war" - but it can be countered. Grozev was invited to the meeting to share his insights based on over a decade of investigating Russian intelligence operations across Europe - "at times as an observer and occasionally as a target", to use his own words. 

Russia’s hybrid warfare goes far beyond espionage to include sabotage, cyberattacks, disinformation, and orchestrated chaos, he said.

He outlined seven domains of this multifaceted assault: physical sabotage within EU borders; cyber operations targeting institutions and critical infrastructure in Europe; electronic warfare disrupting European skies; Kremlin-funded political influence and disinformation campaigns; weaponization of migration; using energy as a weapon; and recruiting Western assets.

Grozev said this assessment relies on "direct, verifiable evidence from our own investigations".

Physical sabotage

Grozev said that this dimension has escalated dramatically. "While Russia previously targeted European military infrastructure, pre-2022—remember the munitions depot explosions in Czechia and Bulgaria, and assassination attempts on Emilian Gebrev in Bulgaria—its cross-border sabotage has significantly increased since the full-scale invasion of Ukraine. Last year alone, Polish counterintelligence arrested nine operatives paid by Russian handlers for arson, attempted train derailments, and filming these acts for propaganda purposes. A Belarusian operative set fire to a Warsaw megastore on Russian orders, falsely blaming Ukrainians. Finland and Estonia are repairing the Balticconnector pipeline and S–Link 2 cable, both deliberately severed by Russia-linked vessels," Grozev said.

He had detailed information on who handles such missions. Historically, it was GRU Unit 29155, comprising no more than 100 operatives, but now, Russia uses thousands of individuals: former FSB agents, organized crime figures, and individuals with criminal backgrounds from occupied Ukrainian territories. A new threat is what he called “retail saboteurs”: recruited individuals within Europe. "Recruitment happens via Telegram chatbots, and they're paid between USD 250 and USD 10,000 for specific tasks. Our investigation uncovered an FSB operative in France recruiting saboteurs last year for disruption during the Olympics,' said Grozev.

Cyber operations targeting institutions and critical infrastructure

"These cyberattacks have been constant since 2007, but in May of last year, Germany, Czechia, and Poland exposed a multi-year GRU Fancy Bear campaign that infiltrated political parties, defense contractors, and government systems via known vulnerabilities. We've now identified a new offensive cyber-capability unit linked to the same sabotage group - GRU Unit 29155. Previously focused on inciting inter-state discord within Europe, their objectives are now more sinister. A leaked target list we obtained includes European healthcare providers, medical suppliers, hospital DNA databanks, water systems, and transport hubs. The specific goals and timing remain classified, but the malign intent is very clear. These activities aim not to gather intelligence, but to sow chaos and disrupt essential services," he said.

Disrupting European skies

Since last spring, there have been over 800 GPS-jamming incidents across the Baltic and Nordic regions, forcing flight diversions and cancellations. Estonia and Finland have formally protested this deliberate peacetime harassment, said Grozev.

Political influence and disinformation campaigns

"Russia actively manipulates our political landscape. The "Voice of Europe" operation, as you may recall, revealed Kremlin payments to individuals in this very Parliament to promote anti-Ukrainian narratives ahead of the June 2024 elections. Intercepted GRU communications boast of buying or sponsoring European political figures. During Germany’s snap elections, over 700 fake accounts amplified AfD talking points and attacked the CDU candidate. Similar interference has occurred in Moldova and Romania." This is not new - recall the 2006 coup attempt in Montenegro - but the scale is now "ubiquitous", to use Grozev's words.

Weaponizing migration

Grozev mentioned as an example of this tactic that in 2024, the European Union saw a 66% spike in irregular crossings from Belarus - "an operation orchestrated by Russia to funnel asylum seekers into Poland, Latvia, and Lithuania". Beyond that, his organization has found passports of young Afghan citizens in the mailboxes of GRU Unit 29155 officers. "Dozens—possibly hundreds—of these individuals entered Western Europe as asylum seekers after spending months in Russia. The presence of their documents alongside sabotage experts in Russia strongly suggests potential infiltration with malign intent," he said.

Using energy as a weapon

One example is the halting on January 1 by Gazprom of gas transit through Ukraine, forcing Austria and Slovakia into emergency reserves. "Gazprom faces USD 18 billion in arbitration claims - but they don’t care. They can afford it," said Grozev.

Recruiting Western assets

He used as an example of such use of European citizens Jan Marsalek - the fugitive executive of the German company Wirecard, who now resides in Russia. "He helped recruit a Bulgarian-British cell for tasks including surveillance of a U.S. base, honey-trapping operations against journalists (including myself), and spreading false-flag narratives to discredit Ukraine. UK prosecutors have secured convictions against some of these individuals, but Marsalek walks freely in Russia—apparently beyond the reach or interest of European legislators and law enforcement. This illustrates Moscow’s fusion of human intelligence, cyberwarfare, and information operations, which it outsources very cheaply," said Grozev.

He went on to speak about the scale of disinformation as is a prime example of Russia's tactics. "We have been monitoring this qualitatively - less so quantitatively - through a new entity called The Observatory, affiliated with the American University in Bulgaria and the Civic Information and Democracy Center. A study we just conducted - available on their website - maps out over 190 Kremlin-linked websites. These saturate search engines with pro-Kremlin content, particularly targeting vulnerable regions such as the Balkans, the Baltics, and Moldova. These narratives do not aim to persuade - but to confuse and overwhelm."

Often, the goal of such campaigns is simply chaos, said Grozev. He cited a leaked Russian intelligence policy paper stating, “Confusion is victory”, and another document saying that instilling “existential fear” is key.

"Hybrid war is both ideology and industry in Russia," said Grozev.

He is optimistic, however, that it can be countered. "Exposed cells, mapped networks, and convicted spies show that these operations can be countered. Success stems from collaboration—cooperation among journalists and among states," he concluded.