SPOTREP: UK security alert over Russian espionage activities against NATO personnel – by Emilio Palmieri

INCIDENT

A few days ago, the UK authorities issued a notice highlighting Russian espionage efforts targeting NATO personnel hosted in a hotel located in the German city of Wiesbaden. The guesthouse is close to the NATO Security Assistance and Training for Ukraine (NSATU) headquarters at the US Army’s Clay Kaserne military base, which is a key hub for coordinating military support and logistics assisting Ukraine’s defense forces against Russia.

NATO staff lodged at the accommodation reportedly alerted senior officials after detecting what they described as suspicious individuals allegedly performing static and dynamic surveillance around the premises. No further information was released that would positively identify the hostile elements as members of Russian security services, although it was inferred that these individuals were part of suspected hostile organizations linked to the Kremlin.

COMMENT

Although the report of the incident originates from a single source – first posted on January 11th on the X platform[1] and then published as an article on the related website[2] – and cannot be independently verified[3], the incident has been widely reported as having actually occurred. Comments gathered and disseminated online referred to an unnamed senior NATO official reporting that the suspected individuals were thought to be working on behalf of Moscow. It was also added that vehicles involved in the information collection maneuver were linked to the Russian embassy in Germany, elaborating that they were believed to be used by Russian intelligence personnel to observe the arrival of U.S. reinforcements.

Consistent with this latest episode, over the last months NATO officials have repeatedly stressed that military and diplomatic personnel have been advised to prepare for “further escalation” in malign interference activities carried out by foreign intelligence services, primarily Russian and Chinese. It has also been confirmed that NATO members hosted at the location and NATO’s critical transport and military sites across Europe could be subject to espionage and harassment actions like the one in question. NATO has urged personnel to take measures in “maintaining a heightened awareness of surveillance,” noting that Russian intelligence often employs broad collection methods during intelligence-gathering operations. The surveillance activity reported outside the German hotel has prompted concerns that lodging used by NATO personnel at other key hubs for the alliance’s assistance to Ukraine, including Rzeszów in Poland, may also become targets. Another senior NATO official noted that espionage incidents have risen in recent months alongside the continued deployment of troops and equipment to Europe.

The warning about the potential for hostile actions must be contextualized within the broader concept of Hybrid Threats (HT). These activities, falling short of open warfare, consist of sustained and coordinated efforts aimed at influencing and shaping an adversary to advance a state actor’s objectives through asymmetric means. To maintain plausible deniability, state actors frequently employ sub-state or non-state proxies to conceal their involvement. Within this framework, human-based espionage activities constitute a central instrument in Russia’s hybrid warfare strategy, especially in the context of operations targeting adversary military structures. As for the incident, it is also plausible that proxy agents were employed on behalf of the Russian security apparatus: such agents are “disposable” on the one hand and, on the other, provide deniability. In this respect, ample literature exists on the so-called intel-crime nexus orchestrated by Russia and aimed at outsourcing hybrid operations – like human espionage – to individuals with prior criminal records, usually recruited, online or through traditional methods, on the basis of economic grievances or ideological affinity.

Hostile activities like the one in question are part of a plethora of hybrid actions waged by Russia against states it considers antagonistic. Specifically, the UK has been subject to various aggressive hybrid actions executed on its territory, which has prompted a proactive and reactive posture informed by a protracted, subdued state of alert. In this respect, significant activities (SIGACT) have occurred as part of the prolonged gray-zone confrontation/campaign – hence below the threshold of war – implemented by Russian intelligence and security services. Examples of SIGACT are the 2018 nerve agent poisoning of Sergei Skripal and his daughter Yulia; a string of cyber operations targeting UK media, telecoms, energy, and political institutions; and the 2024 arson against a Ukrainian-linked business in London (deemed to be part of a broader pattern of sabotage in Europe).

Moreover, the newly appointed MI6 head, Blaise Metreweli, in her first public appearance in mid-December 2025, stated: “… we all continue to face the menace of an aggressive, expansionist and revisionist Russia, seeking to subjugate Ukraine and harass NATO. Alongside the grinding war, Russia is testing us in the grey zone with tactics that are just below the threshold of war. It’s important to understand their attempts to bully, fearmonger and manipulate, because it affects us all. The export of chaos is a feature not a bug in this Russian approach to international engagement; and we should be ready for this to continue until Putin is forced to change his calculus …”

Lastly, back in September 2024, French authorities highlighted the threat posed by Russian-related hostile espionage activities executed against the industrial complex involved in supporting Ukraine[4]. The warning aimed to raise awareness of the progressive employment of hybrid tools: starting with influence operations, moving towards selected espionage activities and then enhancing the operational posture by sabotaging targeted military-related production sites. The assumption was that the defense industry, although sensitive in terms of processes and throughputs, is to be considered a “softer” target of opportunity within the hostile subversive campaign waged by Russia when compared to more protected military installations. The German espionage case, nevertheless, has demonstrated a heightened level of ambition on Moscow’s part in offensively opposing NATO’s efforts to assist Ukraine.

SIGNIFICANCE

Occurring against the backdrop of an increasing number of reported Russian hybrid operations targeting EU member states – ranging from suspected sabotage to cyberattacks and disinformation campaigns linked to Moscow – the incident carries significant implications that merit close attention and represents a serious strategic concern. The situation is even more sensitive at the present time, when significant settlement outcomes between Ukraine and Russia are still being negotiated.

The alarm is “nothing new under the sun” though: the purported hostile espionage activity is part of the Russian “active measures” repertoire – influence, interference, even sabotage (physical and/or technological), all “tools of choice” used to generate effects within HT campaigns – along with the strategic harassment of Western countries aimed at influencing the political and strategic decision-making process.

Espionage – the collection of information aimed at understanding adversaries to act against them more effectively – appears to be the preferred initial instrument. As previously emphasized, in this context agent recruitment – the identification and cultivation of human assets through diverse means and motivations – constitutes the primary mechanism for carrying out such activities. In the present scenario, however, the most dangerous human intelligence collection method might be the insider threat: the paradigm shift, a change in the confrontational pattern that raises the stakes, refers to Russian co-option of NATO staff tasked with gathering, analyzing, and transmitting sensitive information, who are selected based on their expertise, access, and organizational position.

The incident has highlighted a conceptual confrontational domain that has been defined as gray-zone competition: it unfolds below the threshold of open conflict through pervasive, long-lasting physical/digital subversive campaigns designed, developed and implemented to generate detrimental effects by progressively executing informational (espionage), influencing (psy-ops and cognitive/sentimental warfare) and sabotaging activities carried out by hostile intelligence services, such as the Russian or Chinese ones.

Borrowing from US military doctrinal terminology, the alleged Russian espionage activity might be considered part of the Intelligence Preparation of the Operational Environment (IPOE). Doctrinally, IPOE is defined as “a continuous analytical process used by military intelligence to understand the operational environment, the adversary, and their potential courses of action, producing assessments that support commanders’ decision-making and mission planning”. The process typically involves defining the environment, assessing its effects, evaluating the threat, and determining adversary courses of action, and serves as the foundational framework for tactical intelligence by systematically enabling effective operations. As previously mentioned, the espionage against NATO staff members and installations might be considered as ubiquitous activities whose goal is to collect and process intelligence information and data to be used to mount follow-on subversive operations.

The level of concern attributed to the Russian HT posture, and the need to set up a structure capable of dealing with the menace in functional, organizational and process terms, can be better grasped by noting that in November 2025 the UK Ministry of Defense launched the new Military Intelligence Services (MIS). As reported in the press release: “… Following the recommendations in the Strategic Defense Review, the reforms bring every intelligence unit and organization within Defense under one organization for the first time, including units from the Royal Navy, British Army and Royal Air Force – speeding up how information is gathered, analyzed and shared across the Armed Forces. The announcement comes amid escalating threats to the UK, as adversaries intensify cyber-attacks, disrupt satellites, threaten global shipping lanes, and spread disinformation … today also sees the launch of the new Defence Counter-Intelligence Unit (DCIU). Over the past year, hostile intelligence activity against the MOD has risen by more than 50%, revealing just how quickly our adversaries are intensifying their efforts”.

Finally, as a consequence of the persistent HT in its manifestation as espionage activities, a vulnerability assessment process should be implemented to systematically identify critical weaknesses/vulnerabilities of potentially targetable friendly systems: through the use of the CARVER matrix[5], defensive and offensive counterintelligence protective measures can be identified and implemented with the aim of identifying, countering, neutralizing and exploiting hostile intelligence activities. An additional tactical element to consider as an individual protective countermeasure is changing the pattern-of-life (PoL): the PoL represents the individual’s daily routine, which hostile intelligence services regard as a window of opportunity/vulnerability and place under observation to identify openings for penetration/influence/disruption.


[1] The account of the I-Paper (Inews) Security Correspondent Richard Holmes

[2] https://inews.co.uk/news/nato-warns-of-russian-spies-4145755?srsltid=AfmBOoqqhU2-WXmZI_7ab7zMrqX-H5W5cS1SCRW8V6vi4YaHtzEusxxm

[3] Using the NATO source reliability and information credibility grading system, the assigned grade can be B3, where B denotes a source that is usually reliable (minor doubt, history of valid info most of the time), whilst 3 refers to information that is possibly true (plausible, but not confirmed).

[4] This author has already articulated the concept in the 16/09/2025 “SPOTREP. The French security services’ warning against Russian espionage activities against the defense industry”.

[5] CARVER is a structured target-selection matrix that evaluates potential targets across six analytical dimensions: Criticality (how essential the target is to the adversary), Accessibility (how reachable it is), Recuperability (how quickly the enemy can recover), Vulnerability (how easily it can be struck), Effect (second-order or cascading impacts), and Recognizability (how readily it can be identified). By quantifying these factors, the CARVER process allows planners to objectively prioritize high-value, low-risk targets while weighing tactical benefits against strategic impact and collateral effects.