"We are entering an era of sabotage operations by Russia." A new cyberwar strategy.

- Both Russia and China are trying to gain access to energy, transportation and telecommunications networks well before a potential conflict, warns John Hultquist, Chief Analyst at Google Threat Intelligence Group.
- Preemptive attacks are a new cyberwarfare strategy. Sabotage can target logistics chains, railways, or ports at the moment of a military threat.
- Russia has begun recruiting children in Europe to conduct espionage activities on its behalf.
- State-sponsored criminal groups are already using malware based on language models, the CIS source warns. The first AI-powered malware has already been deployed in Ukraine.
- Cybersecurity issues, including those related to Russia's war in Ukraine, were discussed during the "New Industry Forum" and "Defense Industry" conferences. We encourage you to watch the live broadcasts of the debates held at both events.
There's been much talk in Poland about cyber threats posed by actors linked to Russia. However, in August 2025, 23 international intelligence agencies – including one from Poland – revealed a campaign in which China was gaining access to critical infrastructure around the world.
- Unfortunately, there are certain limitations to what we can talk about publicly. I cannot reveal specific names, technical data or organizations that were attacked, but I can give a general outline of the mechanism of the attack.
Okay, let's stay within the bounds of what can be revealed.
Overall, we were dealing with a very interesting campaign, targeting one specific sector – telecommunications networks. The attackers leveraged deep expertise and a thorough understanding of the underlying technology. They used this knowledge to evade detection and move through systems without the knowledge of their owners.
What is all this for?
"It was probably about monitoring the text messages of politicians in the United States. Typically, the goal of such activities is to monitor individuals of political or strategic importance. This can be done in various ways: hacking into a computer, a cell phone, or accessing telecommunications infrastructure and intercepting transmitted messages. Most cyberespionage involves eavesdropping on the conversations of important individuals, using various techniques."
So we can say that sending text messages is not safe for politicians and they should use other messengers?
"I wouldn't say it's inherently dangerous, but we certainly need to be aware that such messages are a target for state actors. In recent years, we've also observed that they're starting to look for other venues for politicians to communicate."
For example, a few years ago in Moldova, a politician's Telegram account was compromised, and the stolen information was leaked online. We saw very similar attempts in the recent elections in that country. Groups linked to Russia, in particular, are attempting to intercept conversations on Signal. They know that many highly confidential conversations take place there.
We need to defend ourselves today against attacks that may be part of the next conflict.

Based on observations of cyberspace activities, can we discern that China is preparing for any major operations? Before the full-scale Russian aggression against Ukraine in 2022, we experienced a wave of cyberattacks. So, can we speak of a pattern?
"Just before the offensive began, a cyberattack occurred on satellite services providing communications to the Ukrainian government and military. The attack was brief, but it was carried out at precisely the worst possible moment, resulting in devastating consequences. It was certainly planned well in advance."
While we have seen such preparations on Russia's part for a long time, China is now starting to do the same, including with regard to critical infrastructure in the United States.
Right now, we're seeing a phenomenon we call "digging in" – gaining access to systems in advance, long before a conflict occurs.
What are US experts afraid of from China?
"When I was in the Army, I was trained to transport military equipment by rail. We don't transport tanks across the country in trucks—we load them onto trains. So if someone blocks railways, ports, or logistics terminals, it could temporarily paralyze the US's ability to quickly respond militarily."
This doesn't mean they're planning immediate military action, but they want to be prepared for any eventuality. If war or other aggression is imminent, it may be too late to attempt to hack into and control critical infrastructure.
This is a very interesting moment for us, because in practice we are waging war in advance.
Do we need to defend ourselves today against attacks that may be part of the next conflict?
"Yes, it's already happening, constantly. Some actors are exceptionally effective at this: the FSB has repeatedly gained access to critical infrastructure in the US and Europe. The Russian military intelligence agency (GRU) has also conducted similar activities. The good news, however, is that in many cases they have been detected and removed from systems. Although, of course, I still worry that they still have partial access in some places."
What if such access was retained?
Unfortunately, we are entering an era of systematic sabotage operations by Russia. Actions are certainly underway in cyberspace designed to destroy infrastructure at the right moment. The Russians have been using two such techniques in Ukraine for years.
In the first approach, attackers gain access to the power or water system and then damage its components in such a way that restoring full functionality takes a very long time. They often choose a target that can trigger a domino effect—that is, disrupting not only a single system but also many related processes. For example, an attack on a power plant not only destroys the facility itself but also brings down the entire infrastructure that depends on it.
And the second technique?
The second strategy is to attack the software supply chain. This exploits the way modern software works: constant updates from central repositories or manufacturers.
Hackers break into the company providing updates and replace the legitimate package with one containing their malicious code. When users download the update, they actually install a Trojan horse, which opens a path to their systems. If such an attack is widespread enough, it can lead to the destruction of critical infrastructure, as the malware reaches thousands of different environments simultaneously.
There is one final, very interesting element to all this, which makes the matter even more complex – the groups that use these techniques do everything they can to hide the real perpetrator.
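The supply-chain technique described above works because the update client trusts whatever the update server hands it. The following is an added example, not code from the interview or from Google, showing the control a defender puts in front of that trust: the publisher signs a manifest (package name, version, SHA-256 of the package) with an Ed25519 key, and the client verifies the manifest against a pinned publisher public key before it trusts the digest. The manifest format, the key handling and the payloads are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the record the publisher signs (constructed format for this example).
type Manifest struct {
	Name    string
	Version string
	SHA256  string // hex digest of the package bytes
}

// canonical is the exact byte string that gets signed; every field is part of it,
// so a changed version or digest invalidates the signature.
func (m Manifest) canonical() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256)
}

// publish is the publisher side: hash the package and sign the manifest.
func publish(priv ed25519.PrivateKey, name, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned publisher key")
	ErrDigestMismatch = errors.New("package digest does not match signed manifest")
)

// verifyUpdate is the client side. The client trusts only the pinned publisher
// key, not the server it downloaded from: a package swapped on a compromised
// update server fails the digest check, and a rewritten manifest fails the
// signature check unless the attacker also holds the publisher's signing key.
func verifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Publisher key pair; the public half is what ships pinned inside the client.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("legitimate update payload (constructed)")
	m, sig := publish(priv, "agent", "1.2.3", pkg)
	fmt.Println("genuine update:", verifyUpdate(pub, m, sig, pkg))

	// Scenario 1: only the package on the server was replaced; manifest untouched.
	swapped := []byte("replaced payload (constructed)")
	fmt.Println("swapped package:", verifyUpdate(pub, m, sig, swapped))

	// Scenario 2: manifest rewritten and signed with a key that is not the pinned one.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2 := publish(otherPriv, "agent", "1.2.4", swapped)
	fmt.Println("re-signed manifest:", verifyUpdate(pub, m2, sig2, swapped))
}
```

The check protects the client only as long as the publisher's private key stays out of the attacker's hands, which is why the interview's point about attackers breaking into the company that provides updates matters: signing keys belong in an HSM or a separate build-signing environment, not on the same update server that serves the packages.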
"Chaos becomes a tool to weaken institutions and societies"

What does it mean?
"Responsibility for attacks is often blamed on hacktivists or cybercriminals. Ransomware can be launched, disguised as a profit-driven attack. In reality, however, it doesn't have a financial purpose, but rather aims to paralyze the system. Russia and Iran, in particular, are creating the appearance of criminal attacks to conceal state actions. Their goal, however, is not to permanently damage systems, but to intimidate the public and undermine trust in institutions."
It's a form of psychological and informational attack—intended to frighten and divide us. It's very effective because if everyone knows who's behind the attack, the propaganda effect disappears. But if society argues over who's at fault, then trust in the state and its institutions wanes.
We had such a situation in Poland after the drone attack.
"Of course, that's a great example. Poland effectively experienced two attacks back then. The first was a physical incursion of drones over its territory. The second was a disinformation attack, a campaign of lies about the origin of the drones. This second element—information chaos, mutual accusations, and the undermining of facts—is becoming a tool for weakening institutions and societies."
Are the Chinese today starting to use the same methods as the Russians?
"The difference is that Russia has already repeatedly 'pulled the trigger,' meaning it has actually launched destructive cyberattacks. However, we are convinced that China is not only gaining a foothold in our infrastructure but is also testing the possibility of weakening our will to act. Furthermore, their activity is of an intelligence nature – this is the issue with which we began our conversation."
So it's about collecting data and analyzing it?
"Yes, as always in espionage. Sometimes adversaries do it in surprisingly simple ways—for example, sending invitations to wine tastings to politicians and diplomats. These messages look completely innocent: 'Wine tasting at the Greek Embassy in Berlin—click to confirm attendance.' But when the diplomat clicks, his computer is infected."

Let's return to infrastructure. Do adversaries attack critical infrastructure exclusively from the outside? Or, as in classic espionage, do they also attempt to physically infiltrate the organization, employing their own people?
- There is always a threat of so-called close access or insider threat – a situation where someone from within the organization facilitates access or personally conducts activities on behalf of a foreign country.
One of the more disturbing signs of this type concerns a recent case in the Netherlands where Russian intelligence allegedly hired children to approach buildings and hack Wi-Fi networks. Russian intelligence services are increasingly hiring third parties to perform various tasks for them in the field.
They used to do it themselves, now they outsource it to others.
"Interestingly, in the same city, The Hague, several years ago, several members of a team that also regularly attacks Poland were arrested. They had an antenna in their car adapted to intercept and hack Wi-Fi networks in neighboring buildings. Their target was the Organisation for the Prohibition of Chemical Weapons (OPCW), which was then investigating the Skripal poisoning (a Russian military intelligence officer who acted as a double agent for the British intelligence services - editor's note). The GRU wanted to know what the findings were, so they tried to hack the building's Wi-Fi network. Today, they no longer have to do it themselves – they can simply hire teenagers online."
But how can we prevent children from being recruited by the Russians or Chinese?
This will be very difficult. I'd like to point out how difficult it is to deal with another similar challenge, the so-called North Korean IT worker problem.
What does it involve?
As IT work increasingly becomes remote, North Korea has begun sending its IT specialists en masse to work for Western companies—primarily in the US, but increasingly also in Europe. They employ them under false identities, often through intermediaries (so-called facilitators). In Tennessee, a student ran such a business from his dorm. This is a huge, real problem—many of these employees have gained access to the systems of the world's largest companies. We're not talking about entry-level positions—they work as full-fledged IT specialists, with access to critical resources.
There have already been cases of blackmail – when such employees were fired, they used access to systems to extort money or data.
How to defend against such attacks?
"The exchange of information on our side is crucial. Today, we know a great deal about these groups, often even knowing the names of the individuals involved. We are constantly updating information on techniques and methods of operation. We want to share this information with Polish defenders, among others."
"If we have it, laboratories in China must be working on it"

Do you also have offensive abilities in Google (Mandiant)?
- No, we deal exclusively with defense and information gathering. Offensive operations are the domain of states, sometimes contractors working for governments. That's not our focus or competence.
How do you see the development of cyberspace in the future?
I haven't mentioned AI yet, but now I have to. There's a lot of hype surrounding AI, but in my opinion, it's just the beginning. Our adversaries have been using AI for several years now, most often to fabricate images and text. Remember the website ThisPersonDoesNotExist?
Of course. It was used to generate photos of natural-looking people who didn't actually exist.
Just a week after its debut, we saw the first use by adversaries to create false personas for social engineering and disinformation purposes. They are very quick to adopt technological innovations.
However, a real breakthrough came in recent months. One of the most important actors attacking Poland, the APT28 group, was caught launching AI-enabled malware in Ukraine. This is the first time we've seen anything like this.
What exactly was AI used for?
After infection, the malware accessed the LLM (interestingly, the Chinese one) via API to dynamically generate operational commands. Antiviruses often detect static command patterns; here, the commands were generated "live," thus bypassing detection. It's like moving all the parts through a gateway and assembling the weapon on the other side. This was the first case – and more are emerging. AI-powered malware will become more widespread.
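The detection problem described above is that there is no static command string to match once the commands are generated at run time. What remains observable is the behaviour: a process that has no business talking to a hosted language model opens a connection to one. The following is an added example, not code from the interview, from Google, or from any analysis of the malware mentioned, showing that heuristic run over constructed proxy/EDR export lines. The `k=v` log format, the allow-list of approved client processes and the `*.example` API hostnames are all assumptions; a real deployment would take the host list from its own proxy logs and vendor documentation.

```go
package main

import (
	"fmt"
	"strings"
)

// Placeholder hostnames of hosted-model APIs (assumption for this example).
var llmAPIHosts = map[string]bool{
	"api.llm-provider.example":      true,
	"inference.cloud-model.example": true,
}

// Processes expected to reach those hosts (browsers, an approved coding
// assistant). Anything else doing so is worth an analyst's look.
var allowedClients = map[string]bool{
	"chrome.exe": true,
	"msedge.exe": true,
	"code.exe":   true,
}

// parseLine turns "k=v k=v ..." into a map (constructed export format).
func parseLine(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[strings.ToLower(k)] = v
		}
	}
	return fields
}

// suspicious reports whether an event is an unexpected process contacting an
// LLM API host, and returns the alert text if so.
func suspicious(ev map[string]string) (string, bool) {
	dst := strings.ToLower(ev["dst"])
	if !llmAPIHosts[dst] {
		return "", false
	}
	proc := strings.ToLower(ev["proc"])
	if allowedClients[proc] {
		return "", false
	}
	return fmt.Sprintf("host=%s user=%s proc=%s reached LLM API %s",
		ev["host"], ev["user"], proc, dst), true
}

// scan runs the rule over raw log lines and returns one alert per hit.
func scan(lines []string) []string {
	var alerts []string
	for _, l := range lines {
		if reason, hit := suspicious(parseLine(l)); hit {
			alerts = append(alerts, reason)
		}
	}
	return alerts
}

// Constructed sample export: two benign lines, two that should alert.
var sampleLines = []string{
	"ts=2025-10-01T08:00:00Z host=ws-12 user=alice proc=chrome.exe dst=api.llm-provider.example dport=443",
	"ts=2025-10-01T08:00:05Z host=ws-12 user=alice proc=svchost.exe dst=update.example dport=443",
	"ts=2025-10-01T08:01:10Z host=ws-07 user=bob proc=report.exe dst=api.llm-provider.example dport=443",
	"ts=2025-10-01T08:02:30Z host=srv-03 user=SYSTEM proc=helper.exe dst=inference.cloud-model.example dport=443",
}

func main() {
	for _, a := range scan(sampleLines) {
		fmt.Println("ALERT:", a)
	}
}
```

The rule is deliberately coarse: it trades false positives (a new legitimate tool that calls a model API) for coverage of the case the interview describes, where the payload itself carries nothing signature-worthy. Egress filtering that only lets approved processes or a proxy reach model APIs turns the same allow-list from a detection into a prevention.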
In what other areas will AI help opponents?
"I think it will be used to find vulnerabilities in systems. We did something similar at Google – the 'Big Sleep' program. Under controlled conditions, we've already found dozens of vulnerabilities and patched them. And since we have this, the labs in Moscow and Beijing are certainly working on it. And I have no doubt they'll get there. And then the scale of exploitation of zero-day vulnerabilities will skyrocket."
The second trend will undoubtedly be related to the automation of network attacks. Today, after gaining a foothold in the infrastructure, adversaries "think in a crafty way": what are my options, which tools should I use, where are the passwords, etc. AI can automate this—select an option, launch a project at the next server, and move on. This is bad news.
And good?
The good news is that AI will also be the answer. Since threats are autonomous, defenses must also be at least partially autonomous.
Something like a game of chess played by two computers?
Yes, resolved immediately. We're already working on this, including supervisory agents, whose role is to ensure other agents don't get hijacked. The pace of change is frantic—it's really hard to keep up at times.
Who is “winning” today?
Fortunately, most of the capabilities are being developed in the Western technology ecosystem, so we have a head start. But if we slow down and lose focus, we'll lose that advantage.
Let's assume you're the Prime Minister of Poland and you have to react within the next year. What do you do?
First, build a threat profile for the country based on incident history and adversary motivations. Then, prioritize defense based on this profile. And most importantly, accept that the profile will change rapidly, enabling services (military, security) to adapt to the new profile proactively, rather than reactively.
Otherwise, we will be defending ourselves with pre-AI tools against AI threats – and that will end badly.
wnp.pl