
Preparing for Russia’s New Generation Warfare in Europe

Over the next two years, Russia is expected to escalate its hybrid warfare against NATO into a coordinated New Generation Warfare (NGW) campaign. This strategy integrates cyber operations, physical sabotage, influence campaigns, and airspace/maritime incursions to degrade European critical infrastructure and political unity while remaining below the threshold of conventional armed conflict.

Confidence: medium | Analyzed: 2026-03-19 | reports

Authors: Insikt Group

Actors: APT28, Sandworm, APT29, Turla, Gamaredon Group, BlueEcho, BlueDelta, BlueAlpha, Dragonfly, Doppelgänger, CopyCop, Operation Overload, Operation Undercut

Source: Recorded Future

Key Takeaways

  • Russia is likely to escalate its hybrid warfare against NATO into a full-fledged New Generation Warfare (NGW) campaign over the next two years.
  • NGW combines sabotage, cyberattacks, influence operations, airspace/maritime violations, and economic leverage to undermine enemy confidence without triggering an Article 5 response.
  • Russian cyber activity in Europe has focused on access-oriented operations (firewalls, VPNs, email) for intelligence collection, but could pivot to disruptive attacks.
  • Public-private partnerships are essential for mitigation, as most targeted critical infrastructure in NATO territory is privately owned.

Affected Systems

  • Critical Infrastructure
  • Telecommunications
  • Energy Sector
  • Government Networks
  • Defense Supply Chains
  • Transportation Hubs

Attack Chain

Russian threat actors conduct access-oriented cyber operations targeting internet-facing firewalls, VPNs, and email services to establish footholds. These footholds enable follow-on credential capture and lateral movement for long-term intelligence collection and operational reach. Concurrently, state-sponsored entities execute influence operations, physical sabotage of critical infrastructure, and airspace/maritime incursions. If escalated into a full NGW campaign, these established cyber accesses could be repurposed to degrade remote access services, manipulate edge-device configurations, or cause temporary service disruption in coordination with physical and psychological warfare tactics.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides strategic threat intelligence and behavioral indicators of New Generation Warfare, but does not include specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect credential harvesting, lateral movement, and anomalous remote management activity once a foothold is established, but may lack visibility into edge-device exploitation and network-level DDoS attacks.
  • Network Visibility: High — Network telemetry is critical for detecting attacks on internet-facing firewalls, VPNs, DDoS activity, and anomalous tunneling or persistent connections.
  • Detection Difficulty: Hard — The campaign relies heavily on valid accounts, edge-device exploitation, and blending state activity with proxy/hacktivist infrastructure, making attribution and detection challenging.

Required Log Sources

  • VPN authentication logs
  • Firewall traffic logs
  • Email gateway logs
  • Identity Provider (IdP) logs
  • DNS query logs

Hunting Hypotheses

Each hypothesis is listed with its telemetry, ATT&CK stage, and false-positive (FP) risk.

  • Hypothesis: Threat actors are targeting internet-facing VPNs and firewalls to establish persistent tunnels for long-term access.
    Telemetry: Firewall logs, VPN access logs
    ATT&CK Stage: Initial Access / Persistence
    FP Risk: Medium
  • Hypothesis: Adversaries are performing credential harvesting at scale using impersonated OWA or VPN login workflows.
    Telemetry: Web proxy logs, DNS logs
    ATT&CK Stage: Credential Access
    FP Risk: Low
  • Hypothesis: Threat actors are leveraging compromised identity providers or privileged administrative portals for lateral movement.
    Telemetry: IdP logs, Authentication logs
    ATT&CK Stage: Lateral Movement
    FP Risk: Medium

Control Gaps

  • Lack of phishing-resistant MFA
  • Unpatched edge devices and firewalls
  • Insufficient monitoring of third-party provider access
  • Deferred maintenance and physical security gaps at critical infrastructure sites

Key Behavioral Indicators

  • Spikes in DDoS activity coinciding with geopolitical events or military exercises
  • Anomalous remote management activity from unexpected geolocations
  • Persistent connections or tunneling from edge devices to unknown infrastructure

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Enforce phishing-resistant multi-factor authentication (MFA) across all external-facing services.
  • Patch commonly exploited software on internet-facing devices and edge infrastructure.
  • Reduce exposure by locking down administrative portals, restricting access by IP address, and removing unused services.

Infrastructure Hardening

  • Implement conditional network access based on geopolitical and risk factors.
  • Deploy DDoS protection and autoscaling capabilities for critical web infrastructure.
  • Segment privileged access and monitor for abnormal remote management activity.
  • Ensure physical security measures (perimeter detection, anti-drone measures, camera coverage) are in place at critical sites.

User Protection

  • Require MFA and logging parity from third-party providers and vendors.
  • Expand insider threat and contractor vetting at critical infrastructure sites.

Security Awareness

  • Ensure communication response protocols are in place for rapid rebuttal of influence operations.
  • Rehearse continuity plans and coordinate incident response with national CERTs and upstream providers.

MITRE ATT&CK Mapping

  • T1133 - External Remote Services
  • T1190 - Exploit Public-Facing Application
  • T1078 - Valid Accounts
  • T1583 - Acquire Infrastructure
  • T1498 - Network Denial of Service
  • T1584 - Compromise Infrastructure