
Russian Cyberattacks and NATO’s New Maritime Port Cybersecurity Policy

Bola Ogbara

The Russia-Ukraine war has included several disruptive cyberattacks across Europe. NATO now responds with a new cybersecurity policy brief to protect maritime ports.

Russian Cyberattacks

This week, several countries in Europe have discovered that hackers in support of Russia - if not outright backed by the country - were behind a number of attacks in different critical infrastructure sectors. On August 13, 2025, Norway’s Police Security Service (known locally as PST) officially accused Russian hackers of organizing an intrusion at a dam at Risevatnet in Bremanger. On April 7th, 2025, hackers took control of a floodgate at the dam for four hours, releasing 132 gallons (500 liters) each second, for a total of 475,200 gallons, or over 1,660 tons, of water.

Around the time of the incident, a video bearing the mark of a pro-Russian cybercriminal gang was published on Telegram, showing the dam’s control panel. The director of PST, Beate Gangås, said the attack was part of a pattern of state actors using other hackers to demonstrate their abilities, basically bragging “look what we can do if we want to”, without necessarily wanting to cause serious damage to infrastructure. Still, the head of Norway’s Intelligence Service, Nils Andreas Stensones, named Russia as Norway’s biggest security threat, while denying that the countries were now at war.

Despite the video, Russia denied any involvement with the operation and called the accusations “unfounded and politically motivated”, going so far as to say “...the PST is unsuccessfully trying to substantiate the mythical threat of Russian sabotage against Norwegian infrastructure this year, which it itself invented in its February (annual) report,” in an email to Reuters. 

 

Just a day before the PST shared its claims, cybersecurity technology company Bitdefender published a blog post explaining how a newly identified threat actor group, “Curly COMrades”, was behind espionage attacks on government agencies in the country of Georgia and an energy company in Moldova. The group’s operations have been found to “align with the geopolitical goals of the Russian government.” Curly COMrades’ main objective was to gain and keep long-term access to their targeted environments.

Their methods for maintaining access were described as clever by Martin Zugec (the technical solutions director at Bitdefender) in an interview with Recorded Future. They manipulated a tool in Windows to regain entry at scheduled but unpredictable intervals and used a new malware, MucorAgent, to collect and exfiltrate data. The blog said the group “show[ed] a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”

Unfortunately, Norway, Georgia, and Moldova are not the only countries that have been targeted by Russia’s hackers recently. Since Russia invaded Ukraine in early 2022, Europe has seen a wave of cyber incidents from groups supporting Russia (ranging from likely state-sponsored cyber groups to cybercriminal organizations based in countries allied with Russia, like Belarus). In March 2025, AP News created a map of these incidents along with other operations related to the war: spreading propaganda, espionage, arson, plotted killings, sabotage, and vandalism. AP noted the difficulty in proving Russia’s involvement in these campaigns, which has allowed the country to call all claims of interference or espionage “politically motivated,” even while there are hundreds of cases that Russia is supposedly tied to.

Though there are talks of Russia stopping the war, the cyberattacks on critical infrastructure in Europe have not stopped or slowed. The European Union (EU) formally condemned Russia’s hybrid campaigns on July 18, 2025. Perhaps inspired by the Norwegian dam sabotage, another international body, the North Atlantic Treaty Organization (NATO), moved to address the danger of cyber-insecure maritime ports in a policy brief, also released on July 18, 2025.

The brief, published by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), names Russia, Iran, and China as the originators of a large proportion of attacks on port facilities in Europe and the Mediterranean. It’s noteworthy that these three countries, along with North Korea, were also designated as cyber threats to the US in the Office of the Director of National Intelligence’s (ODNI’s) 2025 Threat Assessment. According to NATO’s report, ports manage 80% of global trade while supporting NATO’s defense system - but state-sponsored cyber attacks “can not only cause financial losses but disrupt military logistics…the need for collective responses through lawful means, such as retorsion in the form of economic sanctions, will be critical in deterring state-sponsored cyber attacks.”

The CCDCOE enumerates quite a few issues with the current frameworks and strategies for maritime cybersecurity: the 2011 NATO Alliance Maritime Strategy needs to be updated for current threats; the modern strategy doesn’t have an established protocol for connecting with commercial port operations (which can be problematic when these ports are involved in military operations); roles in civil-military coordination are unclear; and hybrid warfare (combining cyber attacks with physical ones) could not have been anticipated in the first strategy. Additionally, ports are often interconnected with other critical infrastructure agencies, so a port intrusion could easily have a broad impact with cascading effects.

Recommendations in the policy brief directly answer the identified gaps: revising the NATO Alliance Maritime Strategy, establishing and working in structured intelligence-sharing networks, creating specific roles and coordination protocols, and lastly, developing working groups for maritime cybersecurity. The document concludes with a call to action: “Nations must recognise these evolving threats to their critical maritime infrastructure and develop comprehensive strategies to enhance resilience while enabling continued modernisation and digital transformation of port operations. This requires prioritisation of cybersecurity in maritime strategy, conducting regular joint exercises that simulate cyber scenarios, and creating mechanisms for threat intelligence sharing across national boundaries.”

This policy change could be crucial not just to securing maritime ports in NATO, but also to preventing widespread downstream consequences in intersecting industries. This policy brief on maritime cybersecurity is especially relevant in the context of growing state-linked cyber campaigns on critical infrastructure. With proper implementation and luck, this could be extremely protective and maybe inspire more countries, like the US, to work harder on improving the cyber posture of their ports.