Russian-aligned cyber activity against NATO members has climbed sharply over the last year. Microsoft’s Digital Defense Report 2025 puts a number on it: a 25% year-on-year increase in attacks aimed at NATO countries, with governments, research bodies, NGOs and critical infrastructure among the most targeted sectors.
This rise is not occurring in isolation. It’s part of a broader campaign of hybrid pressure (disinformation, diplomatic coercion, sabotage and cyber operations) that leverages a constellation of state units (notably the GRU-linked Sandworm and APT28) and a loose ecosystem of “patriotic” hacktivists and cybercriminals who align with Kremlin priorities. Recent attributions and warnings from European governments and EU bodies show a growing willingness to name and shame, and to tie incidents across borders into a single, coherent threat picture.
Below, we break down what’s changed, who is involved, how the attacks are playing out across sectors, and the practical steps NATO states and their supply chains should take now.
What’s changed in the past year?
1) A measurable rise in volume and focus. Microsoft’s latest assessment points to a 25% uptick in Russian cyber operations against NATO members, with the United States and the United Kingdom among the most-targeted nations. The report also highlights the growing use of AI by Russian, Chinese, Iranian and North Korean actors to enhance intrusion and influence operations, speeding up phishing creation, impersonation and content fabrication.
2) More open attributions from European governments. In 2024–2025, Germany, Czechia and France publicly attributed major campaigns to the GRU, especially APT28 (a.k.a. Fancy Bear). This included operations against political parties, ministries and defence/aerospace sectors, often tied to exploitation of widely used enterprise software and email systems. The EU, NATO and multiple allies condemned these campaigns, signalling a policy shift toward quicker, clearer attribution.
3) Blurring between state units, cybercriminals and “hacktivists”. ENISA’s Threat Landscape 2025 notes how pro-Russia hacktivist brands and collectives increasingly pair DDoS with extortion and ransomware, and how some operations recycle tools across different groups. This convergence boosts tempo, multiplies targets and complicates defence and response.
4) Heightened pressure on critical infrastructure and logistics. A joint advisory from the US, UK and partners warned of GRU targeting of Western logistics and technology firms, the arteries of defence supply and mobility. Meanwhile, Poland recently reported a rise in cyberattacks on critical infrastructure attributed to Russia, underscoring the regional spillover risk.
Who’s behind the keyboard?
While Russia’s security apparatus includes multiple services, three clusters stand out in European/NATO targeting:
- GRU-linked units (notably Sandworm and APT28). Sandworm has a track record against energy and operational technology (OT). APT28 remains a prolific espionage actor with a long history of exploiting email and enterprise platforms for credential theft and lateral movement. Public statements by Germany, Czechia and the EU explicitly tie recent operations to APT28 under the GRU.
- FSB- and SVR-linked actors. While this article focuses on NATO-facing campaigns, other Russia-based services conduct overlapping espionage and influence operations. Open reporting in 2024–2025 points to continued use of spear-phishing, credential theft and supplier compromise across think-tanks, media and policymaking circles. (Here, the main point is the multi-service nature of Russian operations rather than a single dominant unit.)
- Affiliated hacktivists and criminal opportunists. Groups styling themselves as “patriotic” have claimed high-volume DDoS against NATO-aligned targets, sometimes mixed with website defacements or crude data leaks. ENISA and other analysts describe a high-volume, low-impact baseline punctuated by occasional higher-impact operations, especially when hacktivist banners cloak state direction or reuse state tooling. The line between hacktivism and crime grows thinner when extortion and ransomware enter the mix.
Targets and tactics: where the pressure is felt
1) Democratic institutions and parties.
Email compromise and data theft targeting political parties, parliamentary staff and affiliated organisations have been repeatedly attributed to Russian state actors. Germany’s 2024 attributions around APT28’s operations against the SPD epitomise the risk: compromise of strategic communications, domestic political disruption and erosion of public trust. Expect similar efforts around elections, referendums and major policy debates.
2) Government ministries, diplomacy and defence.
Campaigns continue to pursue diplomatic cables, defence industrial base information, arms procurement details and policy drafts. CERT-EU reporting throughout 2025 highlights Russian espionage and pre-positioning across European institutions and national ministries, classic indications of access staging for future options, from information operations to disruption.
3) Critical infrastructure & logistics.
Joint warnings in 2025 emphasised GRU attention to logistics entities and technology suppliers, aligning with Russia’s military needs and contingency planning. Meanwhile, EU-wide analysis shows OT threats rising, with attackers probing industrial networks that have grown more connected to IT estates. Poland’s October 2025 statement about rising attacks is consistent with this picture.
4) Research, think-tanks, NGOs and media.
These organisations shape policy and public understanding; they’re targeted for insider insight and to seed narratives. Microsoft’s assessment lists them among the top-hit sectors, and AI-enabled persona building makes social engineering against analysts and journalists both scalable and convincing.
5) The wider supply chain.
Attacks against managed service providers, software vendors and cloud tenants offer a route to multiple NATO-aligned customers. Campaigns exploiting popular collaboration tools, identity providers or device code flows reflect this reality. CERT-EU notes targeting of authentication flows and messaging platforms, a reminder that identity is the new perimeter.
Tradecraft: how operations unfold
Initial access at scale:
Expect phishing with document lures and MFA fatigue; exploitation of public-facing apps; and weaponisation of widely deployed software flaws. Russian operators have repeatedly demonstrated patience, returning to known-good techniques like email credential theft while opportunistically adopting new vectors. Microsoft’s 2025 write-ups of actors such as Void Blizzard show a willingness to revert to straightforward password-grabs when they work.
Living off the land:
Post-compromise, attackers lean on built-in admin tools, cloud-native capabilities and compromised identities to avoid noisy malware. The aim is persistent, low-friction espionage that can pivot into data theft or disruption if needed.
Hacktivist-style disruption as a smokescreen:
DDoS barrages and defacements can mask more serious intrusions elsewhere, drawing defenders into short-term firefighting. ENISA’s 2025 report warns of hacktivist brands adopting ransomware and extortion, expanding beyond performative DDoS.
Information operations fused with intrusions:
Data stolen from politicians, journalists or ministries can feed disinformation campaigns. AI-generated personas and content increase the volume and plausibility of forgeries, deepfakes and misleading narratives. Microsoft and major outlets flag an upswing in AI-enabled deception accompanying technical intrusions.
Pre-positioning in OT and logistics:
Even where no immediate sabotage occurs, footholds in logistics networks or industrial environments create strategic leverage for future crises. Western advisories in 2025 underline GRU interest in these domains.
Why the uptick now?
Strategic leverage while the Ukraine war grinds on.
Cyber operations offer cost-effective pressure on NATO supporters, probing red lines without triggering kinetic escalation. Campaigns against logistics, political parties and government networks map precisely to Moscow’s diplomatic and military objectives.
Hybrid signalling around milestones.
Analysts anticipated escalations around major NATO events, and reporting through mid-2025 pointed to likely intensification of hybrid threats, including those to seabed cables and energy. Even when operations remain below the threshold of armed attack, accumulated friction can sap resilience and test alliance cohesion.
An evolving ecosystem that lowers barriers.
The entanglement of state units, contractors, criminals and hacktivists lets Moscow surge activity without always burning elite assets. Recycled toolchains, shared infrastructure and rented access blur attribution and make campaigns faster to stand up. ENISA observes expanding tool reuse and actor convergence across the EU threat landscape.
AI as an accelerant.
AI tooling reduces the cost of crafting spear-phishing, voice clones and influence content. Defenders are adopting AI too, but the near-term effect is more, faster, and better-packaged attacks, especially against over-stretched policy and NGO teams.
Case snapshots across Europe
- Germany & Czechia (APT28 attributions). In May 2024, Berlin and Prague publicly tied campaigns to the GRU’s APT28, citing compromises of party email accounts and government targets, with EU/NATO condemnation following. These incidents set the tone for 2025’s firmer attribution posture.
- France (first formal public attribution to the GRU). In April 2025, France officially attributed a series of cyberattacks to the GRU, including APT28 activity, marking a policy shift toward explicit naming.
- Poland (critical infrastructure pressure). In October 2025, Poland reported a rise in cyberattacks against critical infrastructure and pointed to Russia, dovetailing with allied advisories about logistics and industrial targeting.
These are not one-offs. They reflect a persistent pattern across NATO’s northern and eastern flanks, but also in Western Europe where political, aerospace/defence and research targets are prized.
What should governments and enterprises do now?
1) Assume persistent access attempts and design for containment.
Treat identity as a breach boundary. Prioritise phishing-resistant MFA (FIDO2/WebAuthn), conditional access, device health signals and continuous access evaluation. Segment privileges and use just-in-time admin elevation with hardware-bound credentials. Monitor for impossible travel and “golden SSO” anomalies.
2) Close the top five paths.
- Harden email and collaboration platforms: disable legacy auth, apply strict token lifetimes, lock down device code and OAuth consent flows.
- Patch Internet-facing services fast (WAF/virtual patching where needed).
- Protect VPNs/SSO: enforce strong factors and restrict access from unmanaged devices.
- Audit third-party integrations and service accounts; rotate secrets regularly.
- Prioritise exposure management: internet-exposed assets, shadow IT, misconfigured buckets.
(CERT-EU’s 2025 briefs repeatedly call out identity and messaging platforms as favourite entry points for Russian actors.)
3) Prepare for high-noise DDoS while hunting for the quiet intrusion.
Stand up DDoS scrubbing with upstream providers/CDNs and pre-agree activation run-books. While the flood rages, dedicate a separate team to hunt for stealthy compromises; hacktivist noise can be cover for real intrusions. ENISA’s 2025 landscape underscores the volume of hacktivist DDoS claims alongside emerging extortion cross-overs.
4) Instrument your SOC around lateral movement and data theft.
Hunt for abnormal Kerberos tickets, cloud admin grants, service principal abuse, mailbox rules and bulk downloads. Deploy deception assets (canary accounts/documents) to detect post-compromise staging. Map controls to MITRE ATT&CK techniques common to APT28/Sandworm.
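As an added illustration of this hunting step and of the identity controls listed under "Close the top five paths" (example code written for this article, not a tool from any vendor or CERT cited above), the routine below triages a handful of constructed cloud-audit events for three of the patterns named: inbox rules that forward mail externally or hide messages, OAuth consent grants of broad mail/file scopes to unverified apps, and device-code sign-ins from unknown addresses. The event field names, tenant domain and egress IPs are assumptions modelled on common audit-log shapes, not a real schema.

```python
# Added example: triage constructed cloud-audit events for mailbox-rule abuse,
# risky OAuth consent and device-code sign-ins. Field names are assumptions.
INTERNAL_DOMAINS = {"ministry.example"}      # assumed tenant mail domains
KNOWN_EGRESS = {"198.51.100.7"}              # assumed corporate egress IPs (TEST-NET-2)
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "offline_access", "Files.Read.All"}

def flag_inbox_rule(p):
    """Rule that forwards mail outside the tenant or hides messages from the user."""
    reasons = [f"forwards to external {a}" for a in p.get("forward_to", [])
               if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if p.get("delete_message") or p.get("mark_as_read"):
        reasons.append("hides messages (delete/mark-as-read)")
    return reasons

def flag_consent(p):
    """Consent granting broad mail/file scopes to an app from an unverified publisher."""
    scopes = sorted(set(p.get("scopes", [])) & RISKY_SCOPES)
    if scopes and not p.get("publisher_verified", False):
        return [f"unverified app '{p.get('app_name')}' granted {scopes}"]
    return []

def flag_sign_in(p):
    """Device-code sign-in from an address outside the known corporate egress set."""
    if p.get("auth_protocol") == "deviceCode" and p.get("ip") not in KNOWN_EGRESS:
        return [f"device-code sign-in from unknown IP {p.get('ip')}"]
    return []

HANDLERS = {"New-InboxRule": flag_inbox_rule, "Set-InboxRule": flag_inbox_rule,
            "Consent to application": flag_consent, "UserLoggedIn": flag_sign_in}

def triage(events):
    """Return (user, operation, reasons) for every event a handler flags."""
    findings = []
    for ev in events:
        reasons = HANDLERS.get(ev.get("operation"), lambda _p: [])(ev.get("params", {}))
        if reasons:
            findings.append((ev["user"], ev["operation"], reasons))
    return findings

# Constructed sample events (not real telemetry): two benign, three that should be flagged.
SAMPLE_EVENTS = [
    {"user": "a.kowalski@ministry.example", "operation": "New-InboxRule", "params": {"forward_to": ["archive@ministry.example"], "delete_message": False}},
    {"user": "a.kowalski@ministry.example", "operation": "Set-InboxRule", "params": {"forward_to": ["backup.mail@webmail.example"], "delete_message": True}},
    {"user": "b.novak@ministry.example", "operation": "Consent to application", "params": {"app_name": "PDF Viewer Pro", "scopes": ["Mail.Read", "offline_access"], "publisher_verified": False}},
    {"user": "c.dupont@ministry.example", "operation": "UserLoggedIn", "params": {"auth_protocol": "deviceCode", "ip": "203.0.113.45"}},
    {"user": "c.dupont@ministry.example", "operation": "UserLoggedIn", "params": {"auth_protocol": "ropc", "ip": "198.51.100.7"}},
]

if __name__ == "__main__":
    for user, op, reasons in triage(SAMPLE_EVENTS):
        print(f"{user:32} {op:24} {'; '.join(reasons)}")
```

Pointing the same handlers at exported audit logs (with the domain and egress sets replaced by your own) gives a first-pass hunt for the post-compromise staging the paragraph describes; the allow-lists are the part that must be tuned per tenant.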
5) Harden OT and logistics dependencies.
Segment OT from IT with monitored conduits, deploy allow-listed engineering workstations and treat remote access to industrial networks as privileged. For logistics providers and integrators, require SBOMs, build-pipeline attestations and shared incident exercises. Recent allied advisories focusing on GRU interest in logistics make this a near-term priority.
6) Counter the influence layer, not just the intrusion.
Stand up media forensics and rapid takedown workflows for deepfakes, cloned voices and forged leaks targeting your leadership or policy agenda. Brief executives and comms teams on AI-assisted impersonation risks and pre-draft response playbooks. Microsoft and others warn of escalating AI-enabled deception accompanying intrusions.
7) Share, simulate, sanction.
Participate in national cyber exercises and NATO-/EU-level drills; test decision-making under multi-vector pressure (DDoS, data leak, election discrediting). Support evidence-based attributions and coordinated sanctions where appropriate, steps that EU governments and NATO have increasingly embraced since 2024.
Indicators of a maturing defensive posture
If you’re in government, critical infrastructure, defence supply, research or media in a NATO country, ask yourself:
- Identity rigour: Are all admins on phishing-resistant MFA with device binding? Are break-glass accounts hardware-key protected and vaulted?
- Telemetry depth: Do we have full EDR coverage, email/cloud audit logs retained for 12+ months, and detections for mailbox rule abuse and OAuth consent grants?
- Third-party governance: Can we enumerate all privileged external apps/integrations and revoke them centrally?
- DDoS/run-book readiness: Have we tested scrubbing failover and separation between DDoS response and threat-hunting lines of effort?
- OT/logistics drills: Have we conducted joint tabletop exercises with logistics partners and assessed single points of failure (e.g., SSO, MSP consoles, VPN concentrators)?
- Narrative defence: Do we have protocols to authenticate leadership messages (e.g., pre-registered statements, known-good channels), and to challenge fabricated leaks swiftly?
Progress here is tangible insurance. It won’t eliminate risk, but it reduces the chance that a single spear-phish, token theft or DDoS spasm becomes a strategic headache.
Looking ahead
Few analysts expect Russian cyber pressure on NATO states to ease in the near term. Microsoft’s data shows increased operational tempo; ENISA documents actor convergence and expanding tool reuse; allied advisories warn about logistics and industrial targeting; and EU/NATO institutions are attributing faster and more forcefully than in previous years. The trajectory points to persistent, politically timed pressure, opportunistic exploitation of widely deployed software, and a steady fusion of intrusion with information operations.
For defenders, the task is both technical and civic: harden identity and cloud baselines; plan for DDoS while hunting the quiet intrusions; treat OT and logistics as first-class security domains; and prepare to counter AI-enabled influence designed to sap trust in institutions. That is how NATO societies keep the lights on, keep the debate honest, and keep their strategic resolve intact even as the cyber pressure dial turns another notch.
