Risky Game: Hybrid Attack on Baltic Undersea Cables

In the days following the Biden administration’s authorization for Ukraine to strike into Russian territory with US-made ATACMS, another hybrid attack against two data cables took place in the Baltic Sea. Cinia, the Finnish state operator of the C-Lion1 cable between Finland and Germany – which is also the only cable running directly between Finland and central Europe – reported an external force damaged the 1,200km (745 miles) fiber optic undersea cable off of the coast of Sweden’s Öland Island. Just a few hours later, Swedish telecom operator Telia reported damage to its cable between Sweden and Lithuania a short distance away. The Danish navy has detained the Yi Peng 3, a Chinese-registered ship, as part of its ongoing investigation. This hybrid attack – likely from Russia – is clearly meant to send a message to Europe and hopes to divide European governments. Russia’s continued hybrid attacks on critical undersea infrastructure (CUI) in the region are a risky game following NATO’s Washington Summit in July statement that hybrid attacks could trigger Article 5.

What events led up to this latest hybrid attack?

The timing can be no accident. The week of the hybrid attack marked 1,000 days of fighting in Ukraine. President Joe Biden has now allowed Ukraine to use American ATACMS missiles to strike targets inside of Russia itself. In addition, NATO is currently conducting the exercise Lightning Strike 24 in Finnish Lapland, right on Russia’s northern flank. These exercises together constitute the largest artillery exercise conducted in Europe in NATO’s history.

Targeting undersea infrastructure has become an established part of the Russian hybrid playbook. In the last few years, Russia has been linked to not only the rupturing of the Balticconnector gas pipeline and two data cables between Finland and Estonia, but also the cutting of cables outside of Svalbard and the Shetland islands, as well as allegedly using spy ships to scour wind farms in the North and Baltic seas for vulnerabilities that could be exploited. In fact, this exact scenario was already floated last year. In the Balticconnector incident, a Hong Kong registered vessel, the Newnew Polar Bear, is believed to be responsible. With the alleged implication of the Yi Peng 3’s involvement, this adds China to the mix of countries using the hybrid domain to probe for weaknesses, as well as underscores growing Sino-Russia cooperation.

So what makes hybrid interference in the Baltic sea region so attractive? As this and previous cases have shown, targeting the maritime domain is cheap, convenient, and relatively risk-free. With international freedom of navigation laws left largely unaffected by the war in Ukraine, sailing a ship to critical locations and then having it, for example, drag its anchor along the seabed is hard to prevent. Coupled with the fact that the Baltic seafloor is both relatively shallow and exceptionally well-mapped, the proximity to Russian ports in both St. Petersburg and Kaliningrad, as well as the difficulty of determining subsurface sabotage first as being intentional, and then attributing it to a specific actor, the risk-rewards calculation is hard to beat if your goal is to cause as much disruption as possible.

What has been the response?

This hybrid attack included Germany at a difficult moment for its government. The three-party coalition government collapsed on November 6; a new government will be elected on February 23. German Chancellor Scholz phoned Russian President Putin earlier in the week – their first such call in more than two years. Ukrainian President Zelensky criticized the call for undermining solidarity within the West. Chancellor Scholz is under mounting pressure from within his own party. Germany’s Defense Minister, Boris Pistorius, offered the most clear-eyed assessment of the attacks, saying "We have to conclude, without knowing exactly who did it, that it is a hybrid action and we also have to assume — without knowing it — that it is sabotage."

The joint response to this latest hybrid attack shows incredible unity at the European level. The initial joint response from the Finnish and German Ministers of Foreign Affairs in the early stages of this incident sent a powerful signal. This was followed by a joint declaration by the Foreign Ministers of Germany, France, Poland, Italy, Spain and the United Kingdom, as well as Kaja Kallas, the presumptive High Representative of the European Union for Foreign Affairs and Security Policy, all of whom unequivocally leveled blame on Russia. In their statement, they note that Russia has persistently and systematically attacked European security architecture. They also raise the growing cooperation between Iran, North Korea, and other partners. Although China was not mentioned, this was before the revelation of the Yi Peng 3’s possible involvement.

While some politicians have floated the activation of both Article 4 and 5 of the North Atlantic Treaty in response to this type of hybrid attack, so far they have not yet done so. Article 4 gives NATO allies the opportunity to consult over a response to a shared threat. This underutilized Article has only ever been invoked seven times in the more than 75 year history of the alliance. If something is deemed an attack on all NATO allies it can lead to Article 5, a collective response that has only been triggered once (on 9/11). The final declaration of the July Washington summit explicitly recognized hybrid interference as legitimate grounds for activating Article 5. It remains unlikely NATO will get involved before it is proven beyond reasonable doubt that the Kremlin is involved.

As with a lot of suspected or confirmed cases of Russian hybrid interference in the west, the main purpose with this latest action (if it does turn out to have been intentional) seems to be to send a message. In this case, the real-world effects were minimal; although internet traffic between Finland and Germany was cut off for a few hours, it was quickly rerouted while the cable was being repaired (estimated to take between five and fifteen days). The damaged cable between Sweden and Lithuania is one of three cables running in parallel between the two countries; the two remaining cables could pick up the traffic from the third without a hitch. Consequently, the actual damage caused is mostly just the nuisance and cost of repairing the cables, without any tangible or immediate benefits for Russia.

Instead, the publicity is the point. Russia wants to send the signal that it has the ability to strike anywhere at any time, stoking fear in western publics. The fact that two separate cables were damaged so close to each other supports this hypothesis – after all, damage to just one cable could have very plausibly been brushed off as just an accident. Russia also wants the west to perceive its capabilities as greater than in actuality. Despite this act of hybrid interference playing out in the physical world through the damaging of underwater cables, at its core it is an attempt to influence public opinion and weakening trust in western governments. This in turn legitimizes and encourages seeking peace with Russia, a dangerous fallacy as its illegal war against Ukraine enters the third year. In fact, this would not be the only message Russia sent this week; on Thursday it launched an intermediate-range ballistic missile (IRBM), usually reserved for carrying nuclear warheads, towards the Ukrainian city of Dnipro.

Russia is playing a risky game in its hybrid operations. Its attempts to showcase its strength and weaken trust in western governments were met by unequivocal European unity. Closing gaps and heightening protection of critical undersea infrastructure must remain a top priority to further prevent Russia from operating in the grey zone of hybrid threats, abetted by its growing list of partners. Otherwise, this will not be the last time Russia sends a message by attacking critical infrastructure in the Baltic Sea region.