The Ukraine war and the shift in Russian intelligence priorities

ABSTRACT

The war in Ukraine has transformed Russian intelligence activities. It has drawn the bulk of Russian intelligence collection resources, both inside Ukraine and further afield, to focus on war-related, often low-level operational/tactical targets. Even strategic collection is related to the war, especially directed toward bolstering Russia’s global reputation. However, the war has also led to the dismantling of a large portion of Russia’s intelligence apparatus, including both human and signals intelligence, especially in Europe, just when it is needed the most. It has prompted greater scrutiny and international counterintelligence cooperation against Russian intelligence activities than has been seen since the 1980s. Russia’s own actions have drawn those reactions. Nevertheless, Russian intelligence services are resilient and persistent. They learn from mistakes and adapt to changing circumstances.

KEYWORDS:

• Russia
• Ukraine
• Russian invasion
• intelligence
• FSB
• GRU
• SVR

Russian intelligence activities have been on the front page of media outlets frequently in the two years since Russia’s full-scale invasion of Ukraine began in February 2022. Stories ranging from spies being arrested to intelligence illegals being intercepted to spy ships operating off coasts have appeared regularly in the media. One commentator, reacting to the steady stream of reports of Russian spies, asked the question, ‘Is Russia spying more – or are more spies just being caught?’¹

In reality, Russia’s intelligence activities have possibly declined in quantity by force of multiple expulsions of diplomatically covered Russian intelligence personnel from embassies across Europe. However, an even more significant change is in the types of targets Russian intelligence operations have pursued since the beginning of Russia’s invasion. Strategic intelligence dominated Russian collection up to 2022, including collecting intelligence about foreign states’ internal and foreign policies, especially those related to Russia; diplomatic collaboration against Russia; scientific and technological information; economic policies, especially related to imports of Russian energy products; NATO military planning; and pursuing Russian oppositionists abroad. That does not mean Russian services did not routinely collect intelligence in preparation for war before the invasion, especially in Ukraine since 2014. However, since February 2022, the balance of targets has leaned more toward operational/tactical than strategic. Unsurprisingly, based on the exigencies of a struggling military campaign to defeat Ukrainian forces, operational/tactical requirements have risen to the fore, especially inside Ukraine but also in countries through which Western-supplied military hardware flows.

This article examines the types of information Russian intelligence services have been attempting to collect in the years leading up to and since Russia’s invasion. It also, as much as public information allows, attempts to pin tasks on specific Russian intelligence services, the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Directorate of the General Staff of the Russian Armed Forces (GU, often still called by its former name, GRU). While much attention has been paid to Russian covert operations over the past decade, such as political manipulation and assassination operations, those operations are based on previously collected intelligence. Thus, this article focuses on the intelligence collection aspect of Russian services rather than the more visible covert activities.

This article analyzes publicly available reports of investigations and arrests of Russian intelligence operatives. That source of information is not comprehensive – many investigations are never made public, and sometimes arrests are announced only after the passage of time to allow for further investigation. Additionally, Ukrainian media announcements of arrests frequently mingle propaganda-ridden language with reports of Russian intelligence activities. However, even that incomplete and imperfect dataset provides a usable picture, especially since so many instances of Russian intelligence activities have been publicized. The number of announced arrests and investigations casts light on the trend toward a more tactical focus.

Intelligence leading to war

While it is unclear precisely when Russian leaders, Vladimir Putin in particular, made the final decision to launch a full-scale invasion of Ukraine, Russian intelligence services have been preparing for such a contingency for several years. Since Russia annexed Crimea and initiated an insurgency in eastern Ukraine in 2014, Russian intelligence services have been working to recruit sources that could operate inside Russian-occupied Ukraine. The FSB in particular established an extensive presence in occupied territories for both intelligence and security purposes.

The FSB is the Russian service responsible for collecting and analyzing intelligence in and about the former Soviet states. According to Soldatov and Borogan, the FSB was granted the authority to conduct foreign intelligence activities in the late 1990s. The priority of that mission rose in the early 2000s, when so-called ‘color revolutions’ overturned Moscow-friendly regimes in Ukraine, Georgia, and Kyrgyzstan.² Ukraine’s place on Russia’s intelligence priority list fluctuated over the following decade, depending on the orientation of the leadership in Kyiv, increasing when Ukraine inclined toward Europe. Ukraine became Target Number One in 2014 when the Maidan Uprising swept Viktor Yanukovich out of Kyiv, prompting Russia’s annexation of Crimea and initiation of an insurgent war in eastern Ukraine.

The FSB’s Fifth Service has elements responsible for collecting intelligence in the former Soviet space – including Ukraine – and for the FSB’s strategic analysis in support of the President. The analysis that the Fifth Service’s Information-Analysis Directorate produced leading up to the February 2022 invasion was reportedly optimistic, reassuring the President that Ukrainians would welcome the removal of Ukraine’s leadership and occupation by Russia. The FSB assessed that a Russian victory in Ukraine would be easy, take only a few days, and cost few Russian lives.³ One FSB officer was so convinced of a quick victory that he bragged to a contact that he had already picked out his apartment in Kyiv.⁴ However, that analysis has since been revealed to be lacking, especially in its pandering to a Russian leadership that was bent on punishing Ukraine regardless of the cost.

How could the FSB have assessed the situation in Ukraine so poorly? In February 2022, just a few weeks before the invasion, the FSB sponsored a poll of Ukrainians that showed a dissatisfied populace. Only 27 per cent of Ukrainians trusted the office of the President, and 67 per cent expressed distrust. The Ukrainian security structure polled similarly: 28 per cent trusted the police, and 23 per cent trusted domestic security services. The military polled significantly higher, with 68 per cent of those surveyed trusting the Ukrainian Army and 51 per cent expressing confidence that the army could repel an invasion force, although most did not believe Russia would invade. These polling results are particularly remarkable as the poll was conducted at a time when Russian military forces surrounded Ukraine’s northern and eastern borders and occupied Crimea. Forty percent of respondents, most located in the east and south, expressed unwillingness to serve in the military or otherwise resist a foreign invasion to defend Ukraine. The poll gave the FSB insights into Ukrainians’ attitudes and likely fed assessments that Ukrainians would welcome a Russian overturn of the unpopular government.⁵

Ukraine-based Russian sources

Sources recruited inside Ukraine also informed the FSB’s assessment. Russia’s annexation of Crimea and initiation of a separatist insurgency in eastern Ukraine prompted an increase in the attention that Russian intelligence services paid to Ukraine, and investigations in Ukraine since the beginning of the invasion have revealed numerous Russian agents recruited in the year leading up to the full-scale invasion. The FSB is the most common Russian service to which Ukrainian authorities attribute intelligence activities inside Ukraine, even more than the GU, which would logically be expected to be heavily involved in a military action such as an invasion of Ukraine.

The Security Service of Ukraine (SBU) has publicized dozens of cases of Ukrainians being recruited as sources before the war and caught since the war began – as of January 2023, the SBU claimed to have exposed over 600 Russian agents since the beginning of the invasion.⁶ The FSB tasked its sources with a range of tasks, from collecting political and military information to facilitating covert assassinations. According to SBU press announcements, many were recruited by the FSB to report on Ukrainian military preparedness and defensive measures. However, after the war, their services were redirected toward collecting tactical combat intelligence.

Operations in Ukraine

Russian services did conduct operational/tactical collection before the 2022 invasion, connected closely to the insurgency in Ukraine, although it was mingled with strategic collection. Since the beginning of the full-scale invasion, Ukrainian authorities have arrested numerous agents that Russian intelligence services had recruited previously. They are a mix of GU and FSB operations, with the FSB playing the dominant role in human intelligence (HUMINT) collection and the GU in technical intelligence. Some pre-invasion operations were already active before February 2022 but subsequently increased their tactical collection targeting, particularly low-level observations of military movements.

On the technical side, soon after the beginning of the Russian-sponsored separatist insurgency in eastern Ukraine in 2014, the Ukrainian military began using an Android application to calculate artillery targeting data, reducing targeting time from minutes to 15 seconds. However, the GU successfully infected the application with malware that allowed the GU to receive the targeting information that the Ukrainian forces were developing.⁷ The GU infiltration of the targeting application led both to the geolocation of Ukrainian artillery for counterbattery strikes and to the foreknowledge of Ukrainian strikes to allow Russian units to relocate.

The week before the February 2022 invasion, the Ukrainian Ministry of Defense and several banks experienced a distributed denial of service attack, briefly interrupting their computer systems. The attack was small in scale, and the UK government publicly attributed it to the GU. It may have been a test of attack capabilities and a probe of Ukraine’s computer networks, similar to attacks that took place in 2015 and 2016, in preparation for the full-scale invasion that was to follow soon thereafter.⁸

The FSB, on the other hand, recruited primarily human sources. Less than two weeks after the full-scale invasion began, the Ukrainian SBU arrested a man whom the FSB had recruited as early as 2011. Before the invasion, he reported the numbers and types of military aircraft at the Lutsk airfield and personal information about Ukrainian military personnel. He continued to report to his Russian handlers after 24 February 2022, providing information about the number of aircraft taking off and adjusting artillery fire onto the airfield.⁹ Another was a Russian Air Force airman, who had regularly visited relatives in Ukraine in the years leading up to the full-scale invasion, moved to the Zaporizhzhia region of Ukraine in early February 2022, just a few weeks before the full-scale invasion began. Ukrainian authorities suspect that he was sent to observe and adjust Russian artillery fire and report on the locations of Ukrainian forces.¹⁰ The SBU did not specify which Russian service was running him, but his collection closely corresponded with Russian military operations.

The FSB recruited a former Ukrainian police officer when he crossed the Ukrainian-Russian border in 2019. He was held in reserve until the invasion, when his handler contacted him and tasked him with providing the precise geolocation of the Kharkiv Oblast Administration building. The FSB promised to relocate the agent to Russia if his information led to a successful attack. The SBU arrested him before he left for Russia; however, not before a rocket hit the building in March 2022.¹¹

The FSB also recruited sources with higher-level accesses before the invasion. In March 2022, the SBU arrested two individuals accused of providing information to the FSB. Anatoliy Bay was a staffer in the Secretariat of the Cabinet of Ministers of Ukraine who openly expressed opposition to the Ukrainian government in 2015 and a desire to emigrate to Russia. He approached a former colleague, Vitaliy Gordina, who had moved to the Chamber of Commerce of Ukraine, to assist with contacting the Russian government. He made the contact, and the FSB recruited Bay, using Gordina as a courier. Gordina was later recruited as a source as well. The Ukrainian prosecutor accused them of passing defense, industrial, energy, and law enforcement data to their FSB handlers. During their trial, both Bay and Gordina denied all the charges and claimed that the SBU had tortured them for the confession. However, videos of interrogations showed no sign of torture.¹²

In June 2022, the SBU arrested Vasiliy Mekheda, another staffer in the Secretariat of the Cabinet of Ministers of Ukraine. He was accused of providing Russia information about the status of Ukraine’s defense readiness and the defense of the Ukrainian border and personal information about border guards. Mekheda worked in the section of the Cabinet of Ministers office that monitored the fulfillment of the Prime Minister’s decisions, and thus had access to a wide range of classified information. The FSB reportedly contacted him as early as 2007, and he operated with some breaks until his arrest. A Ukrainian court convicted him of espionage in August 2022. His FSB handler, Anton Yershov, whom Ukrainian authorities suspected of working in the Fifth Service’s Department of Operational Information, was tried in absentia.¹³

Russian collection was also focused on assassination and sabotage operations. Ukrainian authorities arrested SBU general Valeriy Shaytanov in April 2020 for providing information to the FSB about Chechen fighters operating in eastern Ukraine alongside Ukrainian forces, as well as information to support a Russian assassination of Ukrainian minister of internal affairs Arsen Avakov and Adam Osmayev, the leader of the Chechen fighters.¹⁴ The assassination of Avakov did not take place, although Osmayev had been targeted previously, likely by the FSB. Shaytanov was sentenced to 12 years in prison in 2023.

Like Shaytanov, others attempted to penetrate the SBU itself. The SBU announced in November 2022 that it had arrested a woman whom the FSB had recruited in 2019 to portray herself as a Ukrainian patriot and become a trusted agent of the SBU. After the invasion began, she reported tactical information about military movements and equipment in the Luhansk area to her FSB handler, which precipitated her arrest.¹⁵

Ukrainian authorities have investigated thousands of treason cases since February 2022—as of November 2023, the Ukrainian Prosecutor General’s office listed over 2,800.¹⁶ An analysis by the Ukrainian investigative journalist organization Antikor concluded that Russian services had actively recruited Ukrainians before the invasion so that the Ukrainians could assume positions in a new, Russian-sponsored Ukrainian government. They found plenty of willing candidates due to the dissatisfaction of many Ukrainians.¹⁷ The result, according to then-Minister of Internal Affairs Denys Monastyrskyi, was that Russian forces appeared to know the locations of Ukrainian forces before the invasion began.¹⁸

Sources in Europe

Since the invasion began, European countries have seen a sudden upsurge in the number of individuals arrested for espionage in support of Russia. In most cases, those operations began before 24 February 2022 but were caught later, likely due to increased counterintelligence cooperation and sharing across international boundaries in direct reaction to Russia’s invasion. These arrests, accompanied by hundreds of Russian intelligence officers expelled from diplomatic positions in Europe, have likely significantly reduced Russia’s access to strategic intelligence.

In December 2022, the German government announced the arrest of Carsten Linke, an employee in the German foreign intelligence service (BND) signals intelligence organization. Linke reportedly met Arthur Eller, a Russian-born German, at a social event in 2021, and Eller subsequently acted as a courier to carry Linke’s information to the FSB. Both had served in the German military, which created a bond between them, although Eller had left military service in 2015 to become a businessman. His business took him to Moscow, where the FSB may have recruited him as a talent spotter. The German government learned of the penetration of the BND from a Western ally, the British Government Communications Headquarters (GCHQ), according to investigative journalists, that noticed BND documents in Russia’s possession.¹⁹ There is a connection between the Linke case and the Ukrainian war: Eller admitted passing information to the FSB during fall 2022, and some press speculation suggested that Linke leaked data about the locations of Western-supplied HIMARS missile systems in Ukraine. However, the recruitment came before the invasion and before any decision to provide HIMARS missiles to Ukraine, indicating that, based on Linke’s broad access to strategic intelligence, it was initially focused on other topics.²⁰

Several days before Linke’s arrest in Germany, the Austrian government revealed a GU operation involving a Greek citizen of Russian descent, possibly named Aleksey or Alexandros, who was the son of a former Russian GU officer who had served previously under diplomatic cover in Germany and Austria. Austrian authorities searched the individual’s house and found a variety of espionage-related equipment, including signal detectors capable of detecting listening devices and hidden cameras. Despite having no visible employment, the individual traveled across Europe and former Soviet states and bought property in Austria, Russia, and Greece. Between 2018 and 2022, the individual collected information about foreign policy and the security situation in Vienna. He traveled to Moscow just prior to the invasion of Ukraine. Despite the coincidence in time, there does not appear to be a connection between the arrests of Linke and Eller in Germany and the Austrian case, as one involved the FSB and the other the GU. In both cases, the neutralization operations were made possible by international counterintelligence cooperation.²¹

Pursuit of Russian Émigrés abroad

Russian intelligence activities abroad have also included the pursuit of Russian oppositionists, which had been an FSB mission since long before the invasion of Ukraine. The FSB inherited many responsibilities from the Soviet-era KGB, including pursuing oppositionists and traitors abroad. The FSB has been involved in multiple extraterritorial operations to pursue Russian targets, such as the assassinations of over 20 Chechen militants and propagandists, as well as Aleksandr Litvinenko and the attempted assassination of Sergey Skripal in the UK.

In July 2022, the Russian opposition news site Meduza ran a story about a young Russian named Vsevolod Ospiov, whom the FSB recruited in 2021, not long after he had participated in a rally in Moscow supporting Russian oppositionist Aleksey Navalny. The FSB tasked him to report on the activities of the Libertarian Party in Russia until October 2021, when it sent him to Georgia to monitor Russian émigrés there. He was there in February 2022 when Russia invaded Ukraine. The invasion persuaded him to defect, and in March, he tried to join the international brigade fighting Russian forces in Ukraine. He was not accepted because he is Russian, but he did succeed in contacting Meduza to tell his story.²² In his case, the invasion prompted him to leave Russia and his FSB mission entirely, as it has many others since.

In February 2023, UK authorities arrested five individuals using Bulgarian identities, accusing them of conducting ‘information gathering activities against several addresses and individuals on behalf of the Russian state’ and ‘assisting the Russian state in conducting hostile actions against specific targets including the potential abduction of these targets’. They were reported to have begun conducting intelligence operations in 2020, receiving their tasking from Jan Marsalek, an individual with multiple connections to Russian intelligence services, most recently to the FSB.²³ The mission of collecting information to support abduction operations, along with the connection to Marsalek, point toward the likelihood that the group was working for the FSB.

The number of targets for the FSB’s pursuit of émigrés since the invasion has dramatically increased. Within a month after the invasion began, the number of Russians leaving their country skyrocketed. The FSB reported that in the first three months of 2022, the number of people leaving for Georgia, Tajikistan, and Estonia was over four times as high as in the same period of 2021. The flow to Armenia and Uzbekistan was over three times higher.²⁴ A new wave left the country when the Russian government announced a mobilization of reserves in September 2022. This exodus gives the FSB a huge target to pursue, while also potentially supplying others like Osipov to monitor them. These missions likely fall to the FSB’s First Service, the primary heir to the KGB’s Second Chief Directorate, responsible for counterintelligence.

Russian intelligence illegals

Russian intelligence illegals are a strategic asset used for strategic collection missions targeting primarily political information. Since February 2022, seven Russian illegals have been publicly compromised, and although not all their intelligence targets are known, the ones that are known were strategic. The operations were compromised after February 2022, but they all began their assignment before that, and their known targets fit Russia’s pre-invasion strategic intelligence priorities.

One of those operations involved Olga Kolobova, aka Maria Adela Kuhfeldt Rivera, who operated near the Joint Forces Command Naples, a major NATO command element. NATO is a perennial intelligence priority for Russia, and Kolobova’s travel in Italy and Bahrain, and more importantly, her arrival in Naples in 2015, allowed her to socialize with NATO personnel. She disappeared suddenly in 2018, just after the investigative journalist organizations Bellingcat and The Insider publicly named the GU officers involved in the Sergey Skripal assassination attempt in the UK.²⁵ Although nothing is publicly known about the specific intelligence she collected or sources she handled, her proximity to a NATO command was highly valuable for political intelligence collection.

Other illegals also achieved or came close to achieving priority accesses for Russian intelligence. Sergey Cherkasov, aka Victor Muller Ferreira, applied for and was offered an internship at the International Criminal Court (ICC) in The Hague. He submitted his application as early as 2020 after graduating from Johns Hopkins University in Washington, DC, and was accepted at the end of 2021 with a start date of mid-2022; the Dutch government disrupted the operation by refusing his entry in July 2022.²⁶ The ICC had been a Russian intelligence priority for several years leading up to Cherkasov’s application. Russia’s relationship with the ICC soured in 2016 after the court classified Russia’s 2014 annexation of Crimea as an occupation, resulting in Russia withdrawing its participation from the court.²⁷ That, along with a failed attempt by the UN Security Council in 2014 to refer the conflict in Syria to the ICC, with only Russia and China voting against, made the ICC a political target for Russia. Cherkasov’s application for an internship was likely related to that history. The ICC became an even higher priority target in March 2023 when the ICC issued arrest warrants for Putin and Maria Lvova-Belova, Commissioner for Children’s Rights in the Office of the President of the Russian Federation, for forcibly relocating Ukrainian children to Russia. But that was over two years after Cherkasov submitted his application.

Mikhail Mikushin, aka José Assis Giammaria, was more successful, arriving for a position as a researcher at the Tromsø Arctic University in Norway in December 2021. He worked there until October 2022, when Norwegian authorities arrested him as a Russian spy.²⁸ The position gave him access to policy discussions about Arctic security, a high priority for Russia. Although he likely did not have access to classified information, his position put him in contact with people who analyze and drive policy decisions, a valuable political collection target for an illegal.

All seven illegals revealed in 2022 and 2023 arrived in their positions before February 2022, and their accesses aligned with Russian strategic political priorities. Their arrests were probably the result of increased international counterintelligence cooperation in response to Russia’s invasion of Ukraine, showing the damage that Russia’s own actions did to its strategic collection.

Sanctions evasion and technology collection

Another strategic collection target of Russian intelligence collection is science and technology. Like illegals, those arrested since the invasion for collecting technology began their activities earlier. In fact, the invasion has probably harmed Russian technology collection, as countries worldwide have stepped up efforts to prevent technology from reaching Russia’s military. A study published in Politico in September 2022 indicated that Russia has scrambled to fill its technology collection goals since the invasion.²⁹ Arrests and expulsions related to sanctions evasion and technology collection have occurred in the Netherlands, Norway, and the United States, with additional arrests in Estonia, France, Germany, Italy, Latvia, and Sweden on U.S. warrants.

In March 2022, the Dutch government announced the expulsion of 17 Russian GU and SVR officers for a range of intelligence activities, two of which were collecting information about computer electronics. Although available information does not specify for which service the technology collectors worked, press reporting claims that they were collecting computer technology for the Russian military, which implies GU.³⁰ The fact that they were expelled so soon after the initiation of the invasion suggests they were active for some time and the Dutch government was already aware of them. They were among over 700 officials expelled from Russian embassies in 34 countries, mostly in Europe, since February 2022. Two-thirds of those expulsions occurred in the first six weeks after the invasion, implying already existing counterintelligence knowledge about Russian collection operations and officers.

The United States has stepped up its investigations of Russian sanctions evasion. In October 2022, German, Italian, and Latvian authorities arrested Russians based on U.S. warrants, and Estonian authorities did the same in December 2022. All were related to the illegal export of high-technology devices used in the manufacture of Russian military hardware. The activities had been ongoing since 2018 or 2019, but the invasion and the intensified sanctions that followed prompted the U.S. Department of Justice to raise the priority of such investigations and arrest the perpetrators.³¹

A similar arrest occurred in Sweden in November 2022, also with U.S. support. Swedish authorities arrested Sergey Skvortsov, a naturalized Swedish citizen from Russia, for supplying embargoed technology to the GU. The Swedish indictment alleged that Skvortsov had been operating since 2013 to collect information and electronic items, most originating in the United States, that were prohibited for export to Russia. Skvortsov and his wife, Elena Koulkova, moved to Sweden in the 1990s, and it is unclear when his association with Russian intelligence began. But it was clearly before the full-scale invasion of Ukraine and even predated the Russian annexation of Crimea.³² Skvortsov was released from custody in October 2023 awaiting trial.³³

Russian intelligence activities have anticipated war since long before the February 2022 invasion. Many of the arrests announced since then revealed activities that had been ongoing for several years, in some cases for over a decade. Although it is unclear exactly when the order was given to invade, intelligence activities were already well underway.

Intelligence in war

Since the invasion, Russian intelligence has focused predominantly on operational/tactical collection topics, such as target selection for missile attacks; strength, equipment, and morale of Ukrainian forces; direction of Ukrainian force movements, and shipments of weapons into Ukraine, as indicated by arrests of Russian agents in Ukraine and elsewhere. That shift in focus is the result of several factors: the obvious need for military intelligence in a wartime environment and the loss of hundreds of officers expelled from European countries, the United States, and Japan. Other countries may have also expelled Russian personnel without publicity.

The loss of officers from Europe-based embassies likely damaged Russian collection, as so many of Russia’s strategic collection priorities are directed at European Union and NATO countries. The expulsions affected primarily the SVR and GU, and at least some expelled GU officers were probably transferred to conduct lower-lever wartime operations. But expulsions have not impacted the FSB nearly as much, because the FSB does not place as many officers in foreign embassies. In October 2023, Lieutenant General Kirill Budanov, director of the Ukrainian military intelligence service, the Main Intelligence Directorate of the Ministry of Defense, stated in an interview that Russian intelligence was working at its highest pace since the invasion began, including its technical and computer-based intelligence capabilities. When asked who the most dangerous Russian general was, Budanov named General Sergey Beseda, the chief of the FSB’s Fifth Directorate.³⁴

In addition to activating agents recruited in Ukraine before the invasion, the FSB has increased its recruitment of Ukrainians since the invasion began, directing them to collect predominantly tactical military information. The investigative journalist organization Antikor assessed that Ukrainians recruited since the invasion have been drawn to cooperation with Russia by a mix of ideology and money. A Ukrainian law enforcement official told Antikor,

As sad as it is to admit, we have people who are nostalgic for the Soviet past or are simply brainwashed [by propaganda] and want to be part of Russia because they think Russia is cool. 99.9% are marginalized people who have not been able to prove themselves to Ukrainian authorities, who are offended by Ukraine for something and therefore gladly accept the opportunity to take revenge on our state.³⁵

Ukrainian investigations have identified an even greater number of Ukrainians since the invasion began than before the war, whose pro-Russian views make them willing to work for a Russian intelligence service. Antikor noted an instance of a 62-year-old Russian woman who worked at a weapons factory in Dnipro who ‘waited for the arrival of the “Russian world” (“русский мир”) to the Dnipro area and showed her pro-Russian views in social media’.³⁶ In another case, a Ukrainian man working at an Antonov aircraft plant openly tried to persuade his colleagues to give up and cooperate with Russians by giving them classified information.³⁷ Some Ukrainians, like the FSB, expected a quick Russian victory and offered their services in the hope of receiving a government position in a Russian-dominated government. The plight of Ukrainian citizens living in Russian-occupied portions of Ukraine often leads them to collaboration.³⁸

FSB operations have targeted such people by reaching out to them over social media accounts or through direct text messaging, noting the target’s pro-Russian posts and offering money for information. The availability of Internet-connected devices on or near the battlefield has changed the face of war in Ukraine, giving Russian services immediate remote access to people with whom it can develop transactional relationships. The information sought is often low-level observations of military movements, the locations of infrastructure targets and anti-air defense assets, and information to correct artillery fire. For example, Ukrainian authorities arrested a man in July 2022 whom the FSB had contacted over a closed pro-Russian chat group. The FSB gave a direct pitch, asking if he wanted to earn money by providing artillery spotting. The man asked simply, ‘How much do you pay?’³⁹

Operational/tactical collection in Poland

For several years prior to the invasion, Poland aggressively countered Russian intelligence activities; in March 2022, the Polish government announced the expulsion of 45 personnel from the Russian embassy in Warsaw, all of whom the Polish counterintelligence service, ABW, identified as intelligence officers.⁴⁰ Since the invasion, the targets of intelligence collectors in Poland have been directly related to the war. Suspected Russian activities have predominantly focused on NATO force deployments and shipments of military equipment through Poland to Ukraine.

Polish military counterintelligence arrested a Russian and Belarusian in April 2022 for collecting intelligence on the Polish armed forces, reporting on morale and operational readiness, and cooperation with NATO forces stationed in northeastern Poland.⁴¹ Northeastern Poland is a high priority for Russian collection. The NATO Multinational Division Northeast Headquarters is located in Elblag, Poland, near the Polish border with the Russian Kaliningrad region. A NATO Enhanced Forward Presence battlegroup, which is under U.S. command, protects the Suwałki Gap, which forms the border between Poland and Lithuania, through which NATO forces would transit in the event of a Russian invasion of the Baltic States. The two arrested men were accused of focusing on Polish armed forces located along the border with Belarus at the eastern end of the Suwałki Gap.

In March 2023, ABW arrested nine people, six of whom it referred to vaguely as ‘foreigners from across the eastern border’. The group was alleged to have monitored rail and air cargo shipments carrying weapons from NATO countries transiting Poland into Ukraine. Investigators found cameras, electronic equipment, and GPS transmitters that they suspected the group planned to emplace on vehicles transporting equipment to Ukraine. Cameras were found at the Rzeszow-Jasionka airport in southeastern Poland, where U.S. military personnel are involved in the supply mission.⁴² Polish press announced the arrest of three more people in the Lublin area in April, accused of conducting similar operations. The group had reportedly already installed 50 monitoring devices on bridges and viaducts along major roads leading into Ukraine.⁴³

Less than a week after the March arrests in southeastern Poland, the Polish military counterintelligence agency arrested a Belarusian citizen in Gdansk for collecting information on critical infrastructure and security-related facilities in the northern Pomorskie and Kujawsko-Pomorskie provinces of Poland. Polish press stated that the individual admitted during interrogations that he had been recruited in January 2023 and was reporting information to Russian intelligence, likely the GU.⁴⁴ Reports provided few details of specific targets in the Gdansk case; however, a few weeks later Polish officials announced a 200-meter exclusion zone surrounding the Swinoujscie Liquified Natural Gas terminal on the Baltic coast of Poland near the German border, citing concerns about Russian intelligence collection⁴⁵

The Belarusian arrestee was likely among a group of Belarusians and Ukrainian refugees whom the GU recruited to monitor Polish ports, position cameras along rail lines, and emplace trackers on shipments of military equipment arriving in Poland. Potential recruits were contacted via a Russian-language Telegram channel that advertised house rental opportunities and job announcements, including one that offered small amounts of money for distributing anti-U.S. and anti-NATO propaganda. Such pitches show a Russian recruitment effort involving initial contact to identify potentially cooperative people that can lead to candidates being tested for higher priority collection operations.⁴⁶ A similar operation was revealed in August 2023, when two individuals were arrested for placing recruitment posters for the Wagner group in Warsaw and Kraków.⁴⁷

Polish officials also announced the arrest of two Russians in June 2023, one of whom was accused of monitoring military facilities and seaports, with few further details. That individual had lived in Poland since 2019.⁴⁸ The second was Maksim Sergeyev, a Russian professional ice hockey player, who was accused of identifying critical infrastructure facilities in the Silesia region of southwestern Poland and passing the information to Russian intelligence in exchange for money. Sergeyev had been in Poland since 2021. It is unclear when or how either was recruited for intelligence collection purposes.⁴⁹

The GU has monitored shipments of military equipment into Ukraine for nearly a decade, even conducting covert operations to stop them. The Czech government accused the GU of sabotaging two warehouses filled with weapons destined for Ukraine in 2014, and the Bulgarian government investigated an attempt by GU officers to poison a Bulgarian arms dealer who was involved in shipping weapons to Ukraine in 2015.⁵⁰ These shipments involved older Soviet-era weapons destined to fight Russian-sponsored separatist insurgents in eastern Ukraine. Recent efforts to monitor arms shipments in Poland have become more widespread and have involved numerous people, mostly low-level observers. The flow of modern NATO-supplied weapons makes this collection requirement even a higher priority than it was in the Czechia and Bulgaria cases. The addition of infrastructure targets, such as port facilities, to the Russian collection indicates both that the GU is tracking the shipments from the moment they arrive in Poland and conducting contingency collection for future covert activities in Poland. However, such actions would be a significant escalation of the war and draw NATO directly into it.

Technical intelligence

The GU’s involvement in collecting intelligence in Ukraine also benefits from a range of space-based, airborne, and ground-based technical collection platforms that it can employ to identify targets in Ukraine. Airborne collection platforms, such as the IL-20 ‘Coot’ and the TU-214 R, carry electronic intelligence (ELINT), communications intelligence (COMINT), and side-looking synthetic aperture radar (SAR) capabilities that pinpoint targets and communicate the data directly to fire complexes. According to Russian media, the Russian military inventory has two TU-214 R aircraft, one of which has been deployed to support Ukraine operations.⁵¹

A study by the Royal United Services Institute concluded, based on interviews of Ukrainian officials, that the opening salvo of Russian air and missile attacks in Ukraine demonstrated excellent knowledge of Ukraine’s air defense locations, suggesting successful ELINT collection. Pre-war collection led to an accurate target list to execute as soon as the invasion began. The locational data for targets was of sufficient precision to allow most Russian missiles to hit their targets, although some targets had moved by the time the missiles arrived. The first missile attacks were supported by electronic warfare assets that blinded and suppressed Ukraine’s counter-air capabilities.

However, both the IL-20 and the TU-214 R are stand-off capabilities that cannot fly into contested airspace, making targets further inside Ukraine less accessible after the active war started. According to Royal Air Force Air Marshal Johnny Stringer, ‘The transformation in US and NATO air power over the last five decades has no equivalent in the VKS [Russia’s air force], nor do the Russians have anything like the ISR-led strike capabilities of NATO Air Forces, nor the targeting processes to exploit them’.⁵² After the initial wave that followed pre-set plots, the GU’s intelligence, surveillance, and reconnaissance (ISR) capability was unable to keep up with moving targets, quashing the hope for a quick victory. That led to a shift to long-range stationary targets, such as infrastructure facilities, military training bases, defense production facilities, and prominent government buildings further into Ukraine. These were also identified and geolocated before the invasion and then hit by long-range and cruise missile attacks. These strikes were accompanied by an offensive computer-based campaign targeting infrastructure facilities, which was likely planned years before the invasion began as Russia had probed intensely since at least 2015.⁵³

The GU also runs imagery satellites to support damage assessments after missile strikes in Ukraine. However, there are indications that available imagery was insufficient to meet demands, as the Russian military began buying commercial imagery of Ukrainian territory and military facilities in April 2022.⁵⁴ To make up for that, Russia relies on HUMINT sources, of which Russian services, especially the FSB, has recruited many to provide locational data and artillery correction, according to Ukrainian arrest reports.

Russia is also considering deploying the A-50 Mainstay air command and control aircraft to the Ukraine theater, according to the UK Defence Ministry in November 2023. The A-50 is a tactical control system that carries a radar to track the movement of enemy aircraft. It gives the Russian military visibility on the fighter aircraft that NATO countries are planning to supply to Ukraine, and it coordinates the fire of anti-aircraft missiles. However, like other ISR aircraft, the A-50 is vulnerable. An A-50 parked at an airfield in Belarus was the topic of a March 2023 video recorded by a Belarusian opposition group that flew a drone and landed on the aircraft’s radome.⁵⁵ Although initial reports indicating that the drone damaged the aircraft were false, the video did show a glaring lack of force protection on the airfield.

Russian technical intelligence is not limited to warzone operational/tactical collection. Intelligence collection ships have also been active in the Baltic Sea mapping undersea infrastructure and offshore wind farms for potential warfare against the West, according to a Danish investigative documentary.⁵⁶ Russian ships have conducted this type of contingency collection for many years and targets are likely set in advance of an attack, similar to what Ukraine saw in the early days of the full-scale invasion.

Wartime strategic collection

Although data available is less definitive, the war has heavily impacted Russian strategic collection. Russia has faced a series of diplomatic challenges since the invasion, often the result of Russia’s own actions, such as allegations of war crimes in the Ukrainian city of Bucha in April 2022, multiple reports of the destruction of civilian infrastructure and housing, and allegations of the forced relocation of children from Ukraine to Russia.

The last of those allegations led to the International Criminal Court issuing a rare indictment for a sitting president of a country, Vladimir Putin, resulting in diplomatic complications around the world. The ICC is also considering an indictment against Putin alleging that Russia stripped Ukraine of its grain supply before the start of the invasion deliberately to cause food shortages in Ukraine. The investigation is considering indicting Putin for using starvation as a method of war.⁵⁷ Russian strategic collection is undoubtedly focused heavily on determining the views of each country in the world toward the ICC’s indictments. However, GU’s ability to fulfill that collection priority was damaged by the arrest of Sergey Cherkasov and the expulsion of Russian personnel from the Netherlands in March 2022 and February 2023.

Despite setbacks, Russia’s diplomatic record has not been entirely void of successes, and Russia’s diplomatic gains have certainly been supported by strategic intelligence collection. Collecting intelligence on other countries’ views toward the war, their inclinations toward Russia, and the names of foreign officials Russia could rely on for support is likely dominating Russia’s strategic collection since the invasion.

Since March 2022, the UN General Assembly has voted six times on resolutions related to Russia’s invasion of Ukraine. Those votes divide into two groups: votes that condemned Russia’s invasion and votes that demanded concrete actions from Russia. Condemnatory votes in March and October 2022 and February 2023 passed with large majorities of 141 to 143 votes in favor. However, votes that carried actual consequences succeeded by smaller margins. A vote in April 2022 that stripped Russia of its seat on the UN Human Rights Council drew only 93 votes in favor with 58 abstentions. A vote in November 2022 demanding that Russia pay war reparations drew 94 votes in favor and 73 abstentions. Russian intelligence collection likely preceded each vote, leading to intense Russian diplomatic pressure on countries to either vote against or abstain from the higher-consequence votes. Political collection about which direction a country might be leaning was vital to that effort.

Russia also enjoyed diplomatic success in July 2023, when 40 countries expressed interest in joining the BRICS bloc, of which Russia is a member. That number included, according to South Africa’s foreign minister, ‘all the major global south countries’.⁵⁸ Six of the interested countries joined the bloc at the BRICS summit in August. Although Russia’s invasion of Ukraine is not the sole factor in countries’ desire to join BRICS, the interest is a vote of diplomatic confidence in Russia despite the invasion. Russian intelligence services, especially the SVR, likely were working feverishly to feed Russian decision makers information to support diplomatic discussions preceding those announcements.

At about the same time as BRICS negotiations were occurring, the Brazilian government announced it would deny a U.S. extradition request for Sergey Cherkasov, whom Brazilian authorities had arrested after the Dutch government denied him entry into the Netherlands in June 2022. Until March 2023, the Brazilian government had cooperated with the United States and the Netherlands in the investigation and arrest of Cherkasov. But on 17 March 2023, the Russian government accused Cherkasov of ‘drug trafficking’ and submitted an extradition request to Russia. According to Brazilian officials, the Russian request arrived first – the U.S. indictment of Cherkasov was issued a week after the Russian request – despite U.S. Department of Justice allegations that Russia’s request was based on false information.⁵⁹ A Russian intelligence service, probably the SVR, undoubtedly collected intelligence about the legal process in Brazil and was aware of the timing of the U.S. extradition request, allowing it to pre-empt it and persuade the Brazilian government to cooperate with Russia instead.

Conclusion

Russian intelligence collection since the invasion has been heavily influenced by tactical urgencies and upholding Russia’s image in the world despite the invasion. Pre-war intelligence collection gave Russia a tactical decision advantage in the early days of the full-scale invasion of Ukraine. However, that advantage quickly faded, partially because of the FSB’s faulty forecast of a quick victory for Russia and misreading of Ukrainian resolve, and partially because of the unanticipated unified reaction from NATO and the EU. Since then, the war in Ukraine has transformed Russian intelligence activities in several ways. It has drawn the bulk of Russian intelligence collection resources, both inside Ukraine and further afield, to focus on war-related, often low-level operational/tactical targets. Even strategic collection is related to the war and Russia’s global reputation; Russia has had some success, which is at least partially a result of political and military intelligence flowing into Moscow. However, it has also led to the dismantling of a large portion of Russia’s intelligence apparatus, including both human and signals intelligence, especially in Europe, just when it is needed the most. It has prompted greater scrutiny and international counterintelligence cooperation against Russian intelligence activities than has been seen since the 1980s. Russia’s own actions have drawn those reactions.

Nevertheless, Russian intelligence services are resilient and persistent. They learn from mistakes and adapt to changing circumstances. The fact that the FSB and GU have actively sought and have succeeded in recruiting pro-Russian Ukrainians for low-level collection missions shows that the FSB’s initial failed assessment has not sidelined those operations in Ukraine. The SVR is still working globally to support Russia’s reputation and foreign and economic policies, and the GU is seeking recruits across Europe to monitor, and possibly disrupt, weapons shipments into Ukraine. Russian intelligence services cannot be counted out until a new regime is in place in Russia that changes the philosophy of using intelligence capabilities to attack other countries.

Disclosure statement

No potential conflict of interest was reported by the author.

Additional information

Notes on contributors

Kevin Riehle

Kevin Riehle is a lecturer in intelligence and international security at Brunel University London. He spent over 30 years in the U.S. government as a counterintelligence analyst studying foreign intelligence services, retiring as an associate professor of strategic intelligence at the National Intelligence University in 2021. He subsequently spent two years as an associate professor at the University of Mississippi, Center for Intelligence and Security Studies before moving to Brunel. He received a PhD in War Studies from King’s College London, an MS of Strategic Intelligence from the Joint Military Intelligence College, and a BA in Russian and Political Science from Brigham Young University. He has written on a variety of intelligence and counterintelligence topics, focusing on the history of Soviet and Eastern Bloc intelligence services. His next book, The Russian FSB: A Concise History of the Federal Security Service, will be published in early 2024.

Notes

1. Walker, ”Is Russia spying more?”

2. Soldatov and Borogan, ”Putin Began Purges.”

3. Porter, ”A senior Russian official.”

4. Miller, ”Russian Spies Misread.”

5. Reynolds and Watling, ”Ukraine Through Russia’s Eyes.”

6. Security Service of Ukraine, ”SSU Exposes over 600 Russian Agents.”

7. Crowdstrike Global Intelligence Team, ”Use of Fancy Bear Android Malware.”

8. ”Ukraine defence ministry website”; Foreign, Commonwealth and Development Office and National Cyber Security Centre, ”UK assesses Russian involvement.”

9. Karlovskiy, ”The SBU Detained a Traitor.”

10. Romanenko, ”BBR Discovered a Russian Airman.”

11. Kizilov, ”Russian Agent Caught.”

12. Arunyan, ”Agents ‘Gavrilov’ and ‘Kanatoxodets’”

13. Romanenko, ”The SBU Uncovered Spies”; Kizilov, ”Court Gave a Spy from the Cabinet of Ministers”; Romanenko, ”Shmigal Provided Details”; and Volykovska, ”Ex-clerk of the Cabinet of Ministers.”

14. Rofé, ”Former SBU General”; Titoff, ”SBU General Shaytanov.”

15. Lozovenko, ”She Wanted to Become a ‘Mole’”

16. Prosecutor General’s Office, ”Crimes Committed.”

17. Butsko, ”Revealed Traitors.”

18. Karlovksiy, ”Russians Hit Ukrainian Forces.”

19. Dobrokhotov, Weiss, and Grozev, ”The far-right Bundestag aide.”

20. Chiappa, ”Former German intelligence officer”; ”Russia “Breaks Into” German Intelligence Agency”; Callery, ”Youth football coach.”

21. ”Espionage in Vienna”; ”Austria detains diplomat’s son.”

22. ”’They bought it’”

23. Stephens, ”Ex-Wirecard boss”.

24. ”Nearly 4 M Russians Left Russia.”

25. Grozev, ”Socialite, Widow, Jeweller, Spy.”

26. Corera, ”Russian GRU spy.”

27. ”Russia withdraws from International Criminal Court treaty.”

28. Henley and Sauer, ”Norway arrests ‘Brazilian researcher’”

29. Sheftalovich and Cerulus, ”The chips are down.”

30. ”The Russians Expelled from the Netherlands.”

31. U.S. Department of Justice, ”Five Russian Nationals”; U.S. Department of Justice, ”Justice Department Announces Charges.”

32. ”Russian-Swede Accused”; Hivert, ”The Russian spy couple.”

33. ”A Russian-born Swede accused.”

34. ”In Ukraine the Most Dangerous General.”

35. Butsko, ”Revealed Traitors.”

36. Security Service of Ukraine, ”The SBU exposed a traitor.”

37. Karlovksiy, ”Russians Hit Ukrainian Forces.”

38. Security Service of Ukraine, ”The SBU neutralized.”

39. ”’How Much Do You Want.”

40. ”Poland expels 45 Russian diplomats.”

41. Wight”,Warsaw’s secret war.”

42. ”Entire Russian spy network dismantled in Poland,” March 16, 2023. https://www.bbc.co.uk/news/world-europe-64975200.

43. Zasada, ”Spy network in Poland.”

44. ”The military services detained the spy.”

45. ”Poland sets exclusion zone.”

46. ”Russian Special Services Recruited.”

47. ”Poland detains two Russians.”

48. ”Poland detains Russian spy.”

49. ”Poland arrests Russian ice-hockey player.”

50. Eckel, Bedrov, and Komarova, ”A Czech Explosion.”

51. ”Russia is Using the Intelligence TU-214 R.”

52. Martin, ”Russia’s air campaign.”

53. Bronk, Reynolds, and Watling, ”The Russian Air War”, 27–28.

54. Zabrodskyi, et al, ”Preliminary Lessons in Conventional Warfighting,” 25.

55. Dangwal, ”A-50 AWACS Attack.”

56. ”The Shadow War”; Bueger, ”Russian ‘spy ship’ raises concerns.”

57. Rai, ”Putin could face new war crime case.”

58. Cocks, ”More than 40 nations interested.”

59. U.S. District Court for the District of Columbia, ”United States of America v. Sergey Vladimirovich Cherkasov.”