While Russia is already advanced in encouraging “non state cyber actors” to attack the West, it is moving towards grooming other groups for “physical attacks”, the chief of Britain’s eavesdropping and cyber security bureau has said.

The West needs to be prepared for what may amount to state-backed terrorist attacks for Russia, the director of the Government Communications Headquarters (GCHQ) spy agency Anne Keast-Butler has warned in a rare address. As previously reported, however, several instances of such activity are alleged to have already been discovered by European police and security agencies, suggesting this new trend is already well underway.

While Keast-Butler’s comments on cyber security threats from Russia and China, as expressed at a government conference on the matter in Birmingham this week, are to be expected, the accompanying remarks on physical attacks are more unusual. She said GCHQ is: “increasingly concerned about growing links between the Russian intelligence services and proxy groups to conduct cyber attacks – as well as suspected physical surveillance and sabotage operations.”

In some cases the agency was seeing Russia “seemingly co-ordinating physical attacks against the West”. In the broader security sphere Keast-Butler said that while in the past Russia had created “the right environment” for non-state groups to thrive — by not arresting them, in other words — now they had moved into an active posture and were outright “nurturing and inspiring” non-state groups.

In this way hackers — and saboteurs and amateur spies, it is claimed — are proxies for the Russian state, she said. The United Kingdom has been attacked by Russian intelligence in the recent past, of course, but the Salisbury attack was by professional agents sent by Moscow to perform a single job — assassinating a defector, which they disastrously bodged — to which the new generation of apparent volunteer Russian agents performing acts of sabotage and espionage in the European countries where they live stands in contrast.

Founded in 1919, GCHQ is one of three major British intelligence agencies and a rough equivalent to the United States’ NSA which, as whistle-blower Edward Snowden revealed, intercepts vast quantities of internet traffic.

The GCHQ director’s comments follow a spate of arrests across Europe of alleged Russian saboteurs, who in at least some cases do not appear to conform to the stereotypes of traditional intelligence work but may instead be self-radicalised activists willing to launch attacks or spy on the West on their own, in a mode familiar from Islamic State inspired terrorism. There were several such incidents across the continent in April, including the arrest of a Polish national in his home country, accused of conducting hostile reconnaissance against the airport used by Ukrainian President Volodymyr Zelensky when he flies abroad.

Because Ukraine is covered by a no-fly zone, when politicians enter and leave the country they travel first by VIP train across the Polish border and then to Rzeszów-Jasionka Airport, where flights can then take them worldwide. The Polish Prosecutor said of the allegations against the man: “The findings of the investigation show that the suspect’s tasks included collecting information that would be helpful in planning a possible assassination attempt on the life of the President of Ukraine by the Russian services… the detainee was charged with reporting readiness to act for foreign intelligence against the Republic of Poland… The act is punishable by up to 8 years in prison.”

In the same month two German-Russian dual citizens were arrested in Germany over alleged hostile reconnaissance of a U.S. Army base in Bavaria used to train Ukrainian soldiers. The pair were said to be planning to “commit explosives and arson attacks, especially on military infrastructure and industrial sites in Germany”. One of the suspects in the case, Dieter S., was accused of: “conspiring to cause an explosive explosion and arson, acting as an agent for sabotage purposes… membership in a foreign terrorist organization and preparing a serious act of violence that endangers the state.”

Again in April five people in the United Kingdom were facing charges over an arson attack that burnt out a Ukrainian-owned business in London. At least one of the group was charged with hostile activity intended to “assist a foreign intelligence service carrying out activities in the UK”. In February of this year Estonia arrested ten alleged saboteurs, who were accused of working to spread fear as part of a “hybrid operation”, the neologism now in currency for war by other means.

A remarkable case in December 2023 saw 14 ‘spies’, who among their number were Ukrainian refugees, sentenced by a court for a plot to gather information and launch a variety of actions and attacks. The court heard how the group were in communication with Russian intelligence and had been promised payments in cryptocurrency payments in return for their work.

The bounties on offer from Moscow were said to have included $5 for putting up a poster disseminating pro-Russian or anti-Ukrainian propaganda, or $400 for installing a wireless surveillance camera watching a port, airport, or railyard where military equipment transited from Europe to Ukraine. $10,000 in crypto was apparently offered in return for derailing a military train carrying equipment to Ukraine.

While derailing a train may seem fanciful, such tactics are already in widespread use in the Ukraine war itself and beyond, with pro-Kyiv saboteurs working overtime behind Russian lines to prevent ammunition and resupply trains reaching the front line, frequently blowing lines, burning equipment, and derailing trains. In some cases the Ukrainian partisans have gone further, planting car bombs on the personal vehicles of targets within Russia.