
Recent Western government allegations and media revelations suggest Russia's risk tolerance for physical and cyber operations against Western targets is increasing, raising the likelihood of more disruptive and/or violent attacks and slowly bringing NATO and Russia closer to direct confrontation. In recent days, Western governments have leveled a series of accusations against Russia, while media outlets have disclosed other claims about aggressive Russian behavior. On Sept. 5, the United States and nine other Western countries accused Russia of being responsible for a series of disruptive cyberattacks against Ukraine in 2020 and numerous attacks, largely for the purpose of espionage, against targets across the globe since then. The 10 countries specifically blamed Unit 29155 of Russia's GRU military intelligence agency, infamous for carrying out assassinations, sabotage and other aggressive attacks throughout Europe for at least a decade. Also on Sept. 6, CNN reported — citing two unnamed U.S. officials — that the United States had detected an uptick in suspicious Russian naval activity near critical undersea cables, which was worrying U.S. authorities that Russia may now be more likely to sabotage them. Separately, the prior day, the United States accused Russia of a widespread and multipronged scheme to interfere in the U.S. election on Nov. 5. As part of the U.S. accusation, federal prosecutors filed indictments against various individuals and entities accused of being a part of the Russian interference effort, with the court documents including evidence of a vast Russian influence campaign targeting politicians, businesspeople, journalists and others in France, Germany, Italy and the United Kingdom.
- On Sept. 8, Latvia said a Russian drone had crashed in the eastern part of the country after flying through Belarus and, in a separate incident, Romania also said a Russian drone had violated its airspace after carrying out attacks in Ukraine. Separately, on Sept. 6, U.S. and European officials, after months of warnings, accused Iran of sending short-range ballistic missiles to Russia, though Tehran has denied the accusation.
- Western authorities have accused Unit 29155 of, among other things, carrying out a series of sabotage operations in Bulgaria, the Czech Republic and other European countries in the mid-2010s, trying to mount a failed coup in Montenegro in 2016, attempting to assassinate a Russian defector and his daughter in the United Kingdom in 2018, and coordinating a letter bomb campaign in Spain in 2022 that included rudimentary devices sent to the U.S. and Ukrainian embassies, Spanish government offices and the office of a Spanish defense contractor that sold weapons to Ukraine.
- The Russian influence campaign against the four European countries was designed to stoke internal divisions within each one, as well as create friction between their governments and those in the United States and Ukraine. Similar Russian campaigns frequently try to stoke protests and opportunistically inflame popular anger over contentious political, economic and social developments.
- For years, and especially since Russia launched its full-scale invasion of Ukraine in February 2022, Western governments and independent investigators have expressed concern that Russia could sever undersea fiber-optic cables that carry vital communications traffic. Last year, a joint inquiry by public broadcasters in Denmark, Finland, Norway and Sweden revealed that, for a decade, Russia had been operating a fleet of 50 suspected spy ships in Nordic waters to map key locations like underwater cables and offshore wind farms for potential future sabotage.
The accusations and revelations come amid an increasingly aggressive Russian sabotage campaign in Europe and growing threats from Moscow that Western support for Ukraine will trigger Russian retaliation. Since at least late 2023, but accelerating in the first half of 2024, Russian security services have sponsored a vast sabotage campaign across Europe. They have largely relied on local proxies to provide a veneer of plausible deniability (and to make up for the mass expulsion of Russian spies in recent years) to plot a growing list of acts of sabotage and vandalism against property, harassment and intimidation against specific groups and individuals, and a variety of other operations designed to weaken European support for Ukraine and stoke societal discord. But since the start of the summer, Russia appears to have increased its risk tolerance. On Sept. 7, the head of the U.K.'s Secret Intelligence Service (MI6) said in a rare public appearance that "Russia's intelligence services have gone a bit feral" in "reckless" operations, including recent plots to sabotage NATO and U.S. military bases and harm servicemembers across Europe, as well as plans to assassinate high-profile private citizens. Most recently, on Aug. 23, the NATO base in Geilenkirchen, Germany, went on a higher state of alert after a reportedly "serious indication" of a likely act of Russian sabotage, potentially involving drones. This and other recent incidents have come amid growing tensions between Russia and Western governments as the Kremlin has accused NATO of abetting Ukrainian attacks on Russian soil — most recently by backing Ukraine's invasion of Russia's Kursk region, but more generally by providing long-range weapons to Ukraine and progressively loosening restrictions on their use.
Among other things, the Kremlin has also recently expressed anger over what it called the "theft" of Russian assets after the European Union transferred the first tranche of profits of frozen Russian assets to Ukraine in late August and, separately, the U.S. announcement in late July that it would redeploy long-range missiles to Germany beginning in 2026. In response, top Russian officials, including President Vladimir Putin, have repeatedly warned that Russia reserves the right to respond in a time and manner of its choosing.
- Russia has complemented its sponsorship of physical attacks with a steady stream of cyber campaigns. These range from continual influence operations to what Western officials say is increasingly more concerning and sophisticated activity in which Russian state-backed hackers probe critical infrastructure in apparent attempts to find vulnerabilities to exploit in the future.
- On Sept. 4, in response to a reporter's inquiry about a media report that Washington and Kyiv were finalizing a deal that would give Ukrainian troops access to more long-range cruise missiles, Russian Foreign Minister Sergei Lavrov warned that "Americans already stepped over the line that they set up. They're joking about our red lines. Don't joke about our red lines. They perfectly know where they are."
- In mid-July, the United States and Germany reportedly foiled a Russian plot to kill Armin Papperger, the CEO of the German defense firm Rheinmetall, whose weapons the Ukrainian military uses. The plan was apparently part of a larger Russian effort to kill other European defense industry executives, but the plot against Papperger was the only one that had meaningfully advanced.
- In late June and early July, multiple U.S. military bases in Europe were placed on a higher state of alert after the United States received intelligence that Russian-backed proxies were considering sabotage attacks against U.S. military bases and personnel.
There are numerous events that could further increase Russia's risk appetite before the end of the year. Russia's increasingly risk-acceptant sabotage campaign in Europe suggests the Kremlin's threshold for more aggressive attacks is lowering and there are multiple developments in the coming weeks and months that could lower it further. Among other things, Western countries will likely transfer more long-range weapons to Ukraine and further loosen limits on their use; this is especially likely if former U.S. President Donald Trump wins the election as it would incentivize outgoing President Joe Biden to make last-chance efforts to help Ukraine before Trump, who is much more skeptical of supporting Kyiv, takes office in late January. Other developments, like sending more NATO military trainers to Ukraine or finalizing a deal to use the profits on frozen Russian assets to finance a $50 billion loan for Ukraine (which the G7 agreed in June to complete by late October, though recent media reports indicate that timeline may fall back), could also further incentivize more aggressive Russian behavior.
No matter the precise trigger(s), the Kremlin has numerous avenues through which to sponsor more combative attacks. Among other things, Russian security services could realize sabotage plots against military facilities and personnel across Europe, such as by interfering with their supplies of electricity or water, or using drones or other means to harass and intimidate. They could also amplify their efforts to disrupt critical infrastructure, such as by interfering with GPS signals, sabotaging telecommunications networks, or cutting undersea cables or other offshore infrastructure like energy facilities (which Western officials, most recently Norway's spy chief on Sept. 10, are warning is becoming more likely). Moreover, Russian security services could direct proxies to carry out more frequent and aggressive attacks like arson and other forms of property damage against a wider array of locations — beyond those somehow linked to support for Ukraine — as well as more acts of targeted violence against individuals. Russia could also escalate by sponsoring operations on U.S. soil because until now, basically all Russian sabotage has been in Europe. Finally, there are numerous ways in which Russian state-backed hackers could step up their attacks on both sides of the Atlantic, including by deliberately seeking to damage the operational technology networks of critical infrastructure targets like electric substations and water supply facilities rather than merely probing them. Russian state-backed hackers could also partner more with cybercriminal gangs (for which there is ample precedent) to conduct more disruptive attacks using ransomware, data wipers and other tools to harm higher-profile Western firms.
- In mid-August, German authorities raised alerts at three NATO and German military bases after suspected attempts by unknown individuals to trespass and interfere with water supplies. While authorities ultimately found no concrete evidence of sabotage, the events demonstrate how Russian saboteurs, who were widely suspected of being behind the anomalous incidents, could escalate their activities to cause physical harm.
- On June 3, French authorities arrested a Russian-backed saboteur after he accidentally caused an explosion while building an explosive device. The subsequent investigation found that he was planning to attack a branch of the French home improvement chain Bricorama north of Paris before it opened, presumably to minimize the risk of casualties. The plot is instructive because it illustrates two ways in which Russian-backed sabotage could become more aggressive: by more frequently targeting non-strategic targets like common storefronts and/or by not being as sensitive to the risk of casualties.
- No matter the type of Russian attack, the upcoming winter holidays are attractive, not merely because of their symbolism but also because they involve the mass movement of people, are financially crucial time periods for many consumer companies, and coincide with colder temperatures that increase demand for various utilities, chiefly heating. These and other attributes open plenty of opportunities for Russia to disrupt air travel, power supplies, IT infrastructure and various other targets at a sensitive time.
Although neither side desires direct conflict, more aggressive Russian-backed attacks against Western countries, especially those that cause casualties or mass disruptions to daily life, would gradually lower the bar for more direct NATO-Russia confrontation. Despite its seemingly lowering threshold for sponsoring more belligerent attacks on NATO soil, Russia still has strong incentives to avoid generating even more backlash from Western states, which have many ways to offer more support for Ukraine. Western governments also strenuously seek to avoid getting further enmeshed in the Ukraine war as they grapple with increasingly war-weary populations and their own political, economic and security challenges at home. Nonetheless, a more bellicose Russian-backed sabotage campaign in the West would gradually raise the probability of more direct confrontation, especially if a Russian attack leads to casualties or large disruptions to daily life for civilians, such as long-lasting blackouts or major communications disruptions. This is partly because a sufficiently damaging Russian attack could be grounds to trigger NATO's Article V self-defense clause, something the bloc would try to avoid but could be compelled to do if an attack had lethal or incredibly disruptive impacts. But it is also because Western governments would struggle to respond to Russian provocations in a way that does not also escalate tensions. Thus far, Western states have largely relied on tightening sanctions and disclosing the identities of the Russian individuals and proxies allegedly behind Russia's attacks in an effort to show that Western governments can ultimately find those responsible and make their lives more difficult due to public notoriety. 
However, Russia has found numerous workarounds to bypass sanctions, which show ever more evidence of leakage, and the West's name-and-shame campaign has failed to have any strategic impact beyond tactical repercussions, like making it harder for those named to travel abroad or access bank accounts in the West.
- Since Russia's February 2022 invasion of Ukraine, there have been sporadic developments that have temporarily raised the probability of a direct NATO-Russia confrontation, such as the November 2022 incident in which a missile struck Polish territory (though this was later confirmed to have been a Ukrainian air defense projectile that veered off course after trying to intercept an incoming Russian missile). Each crisis period has been fleeting and so far there are no signs NATO members have seriously considered invoking Article V as they have strongly preferred de-escalation.
- In recent years, NATO has formalized what was previously an implicit doctrine that a sufficiently damaging cyberattack could trigger Article V. There is no consensus on what type of attack would breach this threshold, but NATO members would be much more likely to trigger Article V in response to a cyberattack that had a real-world kinetic effect — especially one against critical infrastructure that put human lives at risk — compared with an attack that merely damaged digital systems.
In the face of a more antagonistic Russian campaign, Western governments would likely be compelled to up their responses, but few good options mean they would likely have to rely on measures that would gradually increase the likelihood of a tit-for-tat spiral with Russia. Unlike Russia, NATO states would be hesitant to sponsor any sort of sabotage campaign — in the real or digital worlds — that could harm Russian civilians, nor would they be willing to work with criminals and other proxies, as Russia does, to carry out such a plan. This means the most likely lever for NATO states would be to provide Ukraine more support, but this would also likely further increase Russia's own risk tolerance, thus raising the likelihood of both sides slowly lowering the threshold to tit-for-tat retaliation that leaves the door open for an escalatory spiral, including via a misunderstanding or miscalculation. Given the high tension and deep mistrust between the two sides, such a spiral could easily get out of control and also reverberate beyond Ukraine and the nearby European theater, given the many locations where Russia and Western governments compete, such as parts of Africa and the Middle East.
- In June 2019, The New York Times revealed a secret U.S. cyber effort to deploy malware into the networks of Russia's electricity grid and other critical infrastructure. It appears the effort was intended as a warning and there is no indication that attacks were ever carried out. The Biden administration, which has been very cautious about keeping an upper limit on tensions with the Kremlin, would be unlikely to sanction a cyberattack that harmed Russian civilians, but doing so would almost certainly trigger a hostile Russian response, including a retaliatory cyberattack that harmed American civilians.
- Syria is one of the places where both Russian and U.S. forces continue to operate in close proximity and where they have repeatedly clashed in recent years. The deadliest clash between U.S. and Russian soldiers took place in 2018, when dozens of Russian and Syrian fighters were killed in a four-hour standoff with U.S. forces, which sustained no casualties. While there have since been no incidents at a similar scale, there have been multiple smaller flare-ups and many accusations from each side about the other's supposedly provocative and aggressive actions, suggesting how a broader escalation between Russia and NATO could play out far beyond Ukraine.