Two of the world’s most prolific state-linked cybercrime groups — Russia’s
Gamaredon and North Korea’s Lazarus collective — have been spotted sharing
resources, new research showed on Thursday.
Experts at cybersecurity firm Gen Digital found overlapping tactics and shared
infrastructure between the two groups.
The discovery is “unprecedented,” said Michal Salat, director of threat intelligence
at Gen Digital. “I don’t recall two countries working together on [Advanced
Persistent Threat] attacks,” he said, referring to sophisticated, long-term
campaigns often conducted by nation-state actors.
If confirmed, it would mark a new level of coordination between Moscow and
Pyongyang.
The Gamaredon cybercrime group is linked to Russia’s Federal Security Service
and has aggressively targeted Ukrainian government networks since the start of
the invasion in 2022, mostly for intelligence collection. Lazarus, a well-known
North Korean threat group, conducts everything from espionage to financially
motivated cybercrime.
While tracking Gamaredon’s use of Telegram channels to share the servers
controlling its malware, analysts discovered that one of those servers was also
being used by Lazarus.
One Gamaredon-run server was also found hosting a hidden version of malware
linked to Lazarus. The file closely matched Lazarus’ typical tools. Nation-state
hacking groups rarely host or distribute one another’s malware.
Researchers believe the findings indicate the two groups are likely sharing
systems, and could very well be cooperating directly. At a minimum, it shows
that one group is deliberately imitating the other.
Salat added that Gamaredon may be studying Lazarus’ methods, too. Lazarus is
known for using fake job offers to trick victims and for stealing
cryptocurrency, a key revenue source for North Korea, which is under heavy
global sanctions.
Moscow and Pyongyang have increased cooperation, including between their
militaries, in recent years. Western security services believe Pyongyang has
sent thousands of North Korean soldiers to Russia to support the war in Ukraine.
Ukrainian authorities last month said North Korean troops were flying drones
across the border, and Ukrainian military intelligence said last week North
Korea would send thousands of workers to Russia to manufacture drones.
Elisabeth Braw is a senior fellow at the Atlantic Council, the author of the
award-winning “Goodbye Globalization” and a regular columnist for POLITICO.
Over the past two years, state-linked Russian hackers have repeatedly attacked
Liverpool City Council — and it’s not because the Kremlin harbors a particular
dislike toward the port city in northern England.
Rather, these attacks are part of a strategy to hit cities, governments and
businesses with large financial losses, and they strike far beyond cyberspace.
In the Gulf of Finland, for example, the damage caused to undersea cables by the
Eagle S shadow vessel in December incurred costs adding up to tens of millions
of euros — and that’s just one incident.
Russia has attacked shopping malls, airports, logistics companies and airlines,
and these disruptions have all had one thing in common: They have a great cost
to the targeted companies and their insurers.
One can’t help but feel sorry for Liverpool City Council. In addition to looking
after the city’s half-million or so residents, it also has to keep fighting
Russia’s cyber gangs who, according to a recent report, have been attacking
ceaselessly: “We have experienced many attacks from this group and their allies
using their Distributed Botnet over the last two years,” the report noted,
referring to the hacktivist group NoName057(16), which has been linked to the
Russian state.
“[Denial of Service attacks] for monetary or political reasons is a widespread
risk for any company with a web presence or that relies on internet-based
systems.”
Indeed. Over the past decades, state-linked Russian hackers have targeted all
manner of European municipalities, government agencies and businesses. This
includes the 2017 NotPetya attack, which brought down “four hospitals in Kiev
alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and
card payment systems in retailers and transport, and practically every federal
agency,” as well as a string of multinationals, causing staggering losses of
around $10 billion.
More recently, Russia has taken to targeting organizations and businesses in
other ways as well. There have been arson attacks, including one involving
Poland’s largest shopping mall that Prime Minister Donald Tusk subsequently said
was definitively “ordered by Russian special services.” There have been parcel
bombs delivered to DHL; fast-growing drone activity reported around European
defense manufacturing facilities; and a string of suspicious incidents damaging
or severing undersea cables and even a pipeline.
The costly list goes on: Due to drone incursions into restricted airspace,
Danish and German airports have been forced to temporarily close, diverting or
cancelling dozens of flights. Russia’s GPS jamming and spoofing are affecting a
large percentage of commercial flights all around the Baltic Sea. In the Red
Sea, Houthi attacks are causing most ships owned by or flagged in Western
countries to redirect along the much longer Cape of Good Hope route, which adds
costs. The Houthis are not Russia, but Russia (and China) could easily aid
Western efforts to stop these attacks — yet they don’t. They simply enjoy the
enormous privilege of having their vessels sail through unassailed.
The organizations and companies hit by Russia have so far managed to avert
calamitous harm. But these attacks are so dangerous and reckless that people
will, sooner or later, lose their lives.
What’s more, their targets will continue losing a lot of money. Repairing a
subsea data cable alone typically costs up to a couple of million euros. The owners
of EstLink 2 — the undersea power cable hit by the Eagle S — incurred losses of
nearly €60 million. Closing an airport for several hours is also incredibly
expensive, as is cancelling or diverting flights.
To be sure, most companies have insurance to cover them against cyber attacks or
similar harm, but insurance is only viable if the harm is occasional. If it
becomes systematic, underwriters can no longer afford to take on the risk — or
they have to significantly increase their premiums. And there’s the kicker: An
interested actor can make disruption systematic.
That is, in fact, what Russia is doing. It is draining our resources, making it
increasingly costly to be a business based in a Western country, or even a city
council or government authority, for that matter.
This is terrifying — and not just for the companies that may be hit. But while
Russia appears far beyond the reach of any possible efforts to convince it to
listen to its better angels, we can still put up a steely front. The armed
forces put up the literal steel, of course, but businesses and civilian
organizations can practice and prepare for any attacks that Russia, or other
hostile countries, could decide to launch against them.
Such preparation would limit the harm such attacks can cause. It also raises the
question: if an attack causes minimal disruption, then what’s the point of
instigating it in the first place?
That’s why government-led gray-zone exercises that involve the private sector
are so important. I’ve been proposing them for several years now, and for every
month that passes, they become even more essential.
Like the military, we shouldn’t just conduct these exercises — we should tell
the whole world we’re doing so too. Demonstrating we’re ready could help
dissuade sinister actors who believe they can empty our coffers. And it has a
side benefit too: It helps companies show their customers and investors that
they can, indeed, weather whatever Russia may dream up.
MILAN — Nothing about the sand-colored façade of the palazzo tucked behind
Milan’s Duomo cathedral suggested that inside it a team of computer engineers
were building a database to gather private and damaging information about
Italy’s political elite — and use it to try to control them.
The platform, called Beyond, pulled together hundreds of thousands of records
from state databases — including flagged financial transactions and criminal
investigations — to create detailed profiles on politicians, business leaders
and other prominent figures.
Police wiretaps recorded someone they identified as Samuele Calamucci, allegedly
the technical mastermind of the group, boasting that the dossiers gave them the
power to “screw over all of Italy.”
The operation collapsed in fall 2024, when a two-year investigation culminated
in the arrests of four people, with a further 60 questioned. The alleged
ringleaders have denied ever directly accessing state databases, while
lower-level operatives maintain they only conducted open-source searches and
believed their actions were legal. Police files indicate that key suspects
claimed they were operating with the tacit approval of the Italian state.
After months of questioning and plea bargaining, 15 of the accused are set to
enter their pleas at the first court hearing in October.
The disclosures were shocking, not only because of the confidentiality of the
data but also the high-profile nature of the targets, which included former
Prime Minister Matteo Renzi and Ignazio La Russa, co-founder of the ruling
Brothers of Italy party and president of the Senate.
The scandal underscores a novel reality: that in the digital era, privacy is a
relic. While dossiers and kompromat have long been tools of political warfare,
hackers today, commanded by the highest bidder, can access information to
exploit decision-makers’ weaknesses — from private indiscretions to financial
vulnerabilities. The result is a political and business class highly exposed to
external pressures, heightening fears about the resilience of democratic
institutions in an era where data is both power and liability.
POLITICO obtained thousands of pages of police wiretap transcripts and arrest
warrants and spoke with alleged perpetrators, their victims and officials
investigating the scheme. Together, the documents and interviews reveal an
intricate plot to build a database filled with confidential and compromising
data — and a business plan to exploit it for both legal and illegal means.
On the surface, the group presented itself as a corporate intelligence firm,
courting high-profile clients by claiming expertise in resolving complex risk
management issues such as commercial fraud, corruption and infiltration by
organized crime.
Prosecutors accuse the gang of compiling damaging dossiers by illegally
accessing phones, computers and state databases containing information ranging
from tax records to criminal convictions. The data could be used to pressure and
threaten victims or fed to journalists to discredit them.
The alleged perpetrators include a former star police investigator, the top
manager of Milan’s trade fair complex and several cybersecurity experts
prominent in Italy’s tech scene. All have denied wrongdoing.
SUPERCOP TURNED SUPERCROOK
When the gang first drew the attention of investigators in the summer of 2022,
it was almost by accident.
Police were tracking a northern Italian gangster when he arranged a meeting with
retired police inspector Carmine Gallo at a coffee bar in downtown Milan. Gallo,
a veteran in the fight against organized crime, was a familiar face in Italy’s
law enforcement circles. The meeting raised suspicions, and authorities put
Gallo under surveillance — and inadvertently uncovered the gang’s wider
operations.
Gallo, who died in March 2025, was a towering figure in Italian law enforcement.
He helped solve high-profile cases such as the 1995 murder of Maurizio Gucci —
carried out by the fashion mogul’s ex-wife Patrizia Reggiani and her clairvoyant
— and the 1997 kidnapping of Milanese businesswoman Alessandra Sgarella by the
‘ndrangheta organized crime syndicate.
Yet Gallo’s career was not without controversy. Over four decades, he cultivated
ties to organized crime networks and faced repeated investigations for
overstepping legal boundaries. He ultimately received a two-year suspended
sentence for sharing official secrets and assisting criminals.
When he retired from the force in 2018, Gallo illegally carted off investigative
material such as transcripts of interviews with moles, mafia family trees and
photofits, prosecutors’ documents show. His modus operandi was to tell municipal
employees to “get a coffee and come back in half an hour” while he photographed
documents, he boasted in wiretaps.
Still, Gallo’s work ethic remained relentless. In 2019, he co-founded Equalize —
the IT company that hosted the Beyond database — with his business partner
Enrico Pazzali, presenting the firm as a corporate risk intelligence company.
Gallo’s years as a police officer gave him a unique advantage: He could leverage
relationships with former colleagues in law enforcement and intelligence to get
them to carry out illegal searches on his behalf. Some of the information he
obtained was then repackaged as reputational dossiers for clients, commanding
fees of up to €15,000.
Gallo also cashed in his influence for favors, such as procuring passports for
friends and acquaintances. Investigators recorded conversations in which he
bragged of sourcing a passport for a convicted mafioso under investigation for
kidnapping, who planned to flee to the United Arab Emirates.
The supercop-turned-supercriminal claimed that Equalize had a full overview of
Italian criminal operations, extending even to countries like Australia and
Vietnam.
When investigators raided the group’s headquarters, they found thousands of
files and dossiers spanning decades of Italian criminal and political history.
The hackers even claimed to have — as part of what they called their “infinite
archive” — video evidence of the late Prime Minister Silvio Berlusconi’s
so-called bunga bunga parties, which investigators called “a blackmail tool of
the highest value.”
Gallo’s sudden death of a heart attack six months into the investigation stirred
unease among prosecutors. They noted that while an initial autopsy found no
signs of trauma or injection, the absence of such evidence does not necessarily
rule out interference. Investigators have ordered toxicology tests.
‘HANDSOME UNCLE’
Gallo’s collaborator Pazzali, a well-known businessman who headed Milan’s
prestigious Fondazione Fiera Milano, the country’s largest exhibition center,
was Equalize’s alleged frontman.
Pazzali, through his lawyer, declined to comment to POLITICO about the
allegations.
The Fiera, a magnet for money and power, made Pazzali a heavy hitter in Milanese
circles. Having built a successful career across IT, energy and other sectors,
and boasting a full head of steely gray hair, he was known to some by the
nickname “Zio Bello,” or handsome uncle.
Pazzali cultivated close ties to right-wing politicians, including Attilio
Fontana, president of the Lombardy region, and maintained a close association
with high-level intelligence officials. He would meet clients in a
chauffeur-driven black Tesla X, complete with a blue flashing light on the roof
— the kind typically reserved for high-ranking officials.
Since 2019, Pazzali held a 95 percent stake in Equalize. If Gallo’s role was
sourcing confidential information, Pazzali’s was winning high-profile clients,
the prosecutors allege. Leveraging his reputation and political connections, he
helped secure business from banks, industrial conglomerates, multinationals, and
international law firms, including pasta giant Barilla, the Italian subsidiary
of Heineken, and energy powerhouse Eni.
Documents show that Eni paid Equalize €377,000. Roberto Albini, a spokesperson
for the energy giant, told POLITICO that the firm had commissioned Equalize “to
support its strategy and defense in the context of several criminal and civil
cases.” He added that Eni was not aware of any illegal activity by the company.
Marlous den Bieman, corporate communications manager for Heineken, said the
brewer had “ceased all collaboration with Equalize and is actively cooperating
with authorities in their investigation of the company’s practices.”
Barilla declined to comment.
Italy’s third-largest bank, Banca Mediolanum, said it had paid “€3,000 to
Equalize to gather more public information regarding a company that could have
been the subject of a potential deal, managed by our investment bank.” The bank
added, “Of course we were not aware that Equalize was in general conducting its
business also through the adoption of illicit procedures.”
The group’s reach extended beyond Italy. In February 2023, it was hired by
Israeli state intelligence agents in a €1 million operation to trace the
financial flows from the accounts of wealthy individuals to the Russian
mercenary network Wagner. In exchange, the Israelis promised to hand over
intelligence on the illicit trafficking of Iranian gas through Italy — a
commodity that, they suggested, might be of interest to Equalize’s client, the
energy giant Eni.
Equalize rapidly grew into a formidable private investigation operation. Police
reports noted that Pazzali recognized data as “a weapon for enormous economic
and reputational gains,” adding, “Equalize’s raison d’être is to provide …
Pazzali with information and dossiers to be used for the achievement of his
political and economic aims.”
During the 2023 election campaign for the presidency of the Lombardy region,
Pazzali ordered dossiers on close affiliates of former mayor of Milan, Letizia
Moratti, who was challenging his preferred candidate, the far-right Fontana.
A spokesman for Fontana called the allegation “science-fiction” and said
“nothing was offered to the president of the region, he did not ask for
anything, and he certainly did not pay anything.”
In 2022, Pazzali was in the running to manage Italy’s 2026 Winter Olympics as
chief executive. Wiretaps suggested he ordered a dossier on his competitor,
football club AC Milan’s Chairman Paolo Scaroni, but found nothing on him.
Business was booming, but Pazzali and Gallo were thinking ahead. They had become
reliant on cops willing to leak information, and those officers could be spooked
— or caught in the act. That was a vulnerability.
They started to envisage a more sophisticated operation: a platform that
collated all the data the group had in its possession and could generate the
prized dossiers with the click of a button, erasing the need for bribes and
cutting manpower costs — a repository of high-level secrets that, once
operational, would give Pazzali, Gallo, and their team unprecedented power in
Italy.
Pazzali declined to comment on the investigation. He is due to plead before a
judge at a preliminary hearing in October.
‘THE PROFESSOR’ AND THE BOYS
Enter Samuele Calamucci, the coding brain of the operation.
Calamucci is from a small town just outside Milan, and before he began his
career in cybersecurity, he was involved in stonemasonry.
Unlike his partners Gallo and Pazzali, Calamucci wasn’t a known face in the city
— and he had worked hard to keep it that way. He ran his own private
investigation firm, Mercury Advisor, from the same offices as Equalize, handling
the company’s IT operations as an outside contractor.
Calamucci knew his way around Italian government IT systems, too. In wiretapped
conversations, he claimed to have helped build the digital infrastructure for
Italy’s National Cybersecurity Agency and to have worked for the secret
services’ Department of Information for Security.
Known within the gang as “the professor,” Calamucci’s role was to recruit and
manage a team of 30 to 40 programmers he called the ragazzi — the boys.
With his best recruits he began to build Beyond in 2022, the platform designed
to be the digital equivalent of an all-seeing eye.
To populate it, Calamucci and his team purchased data from the dark web,
exploited access through government IT maintenance contracts and siphoned
intelligence from state databases whenever they could, prosecutors said.
In one police-recorded conversation, Calamucci boasted of a hard drive holding
800,000 dossiers. Through his lawyer, Calamucci declined to comment.
“We all thought the requested reports served the good of the country,” said one
of the hackers, granted anonymity to speak freely. “Ninety percent of the
reports carried out were about energy projects, which required open-source
criminal records or membership in mafia syndicates, given that a large portion
concerned the South.” Only 5 percent of the jobs they carried out were for
individuals to conduct an analysis of enemies or competitors, he added.
The hackers were also “not allowed to know” who was coming into Equalize’s
office from the outside. Meetings were held behind closed doors in Gallo’s
office or in conference rooms, the hacker told POLITICO, explaining that the
analysts were unaware of the company’s dynamics and the people it associated
with.
Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising
information on political and business figures in a searchable platform. Wiretaps
indicated the plan was to sell access via subscription to select clients,
including international law firm Dentons and some of the Big Four consultancies
like Deloitte, KPMG, and EY.
Dentons declined to comment. Deloitte and EY did not respond to a request for
comment. Audee Van Winkel, senior communication officer for KPMG in Belgium,
where one of the alleged gang members worked, said the consultancy did not have
any knowledge or records of KPMG in Belgium working with the platform.
‘INTELLIGENCE MERCENARIES’
In Italy’s sprawling private investigation scene, Equalize was a relative
newcomer. But Gallo, Pazzali and their associates had something going for them:
They were well-connected.
One alleged member of the organization, Gabriele Pegoraro, had worked as an
external cybersecurity expert for intelligence services and had previously made
headlines as the IT genius who helped capture a fugitive terrorist.
Pegoraro said he “carried out only lawful operations using publicly available
sources” and “was in the dark about how the information was used.”
According to wiretaps, Calamucci and Gallo had worked with several intelligence
agents to provide surveillance to protect criminal informants.
On one occasion, Calamucci explained to a subordinate that the relationship with
the secret services “was essential” to continue running Equalize undisturbed.
“We are mercenaries for [Italian] intelligence,” he was heard saying by police
listening in on a meeting with foreign agents at his office.
The services also helped with data searches for the group and created a mask of
cover for the gang, prosecutors believe. A hacker proudly claimed that Equalize
had even received computers handed down from Italy’s foreign intelligence
agency, while law enforcement watched from bugs planted in the ceiling.
THE PROSECUTION
In October 2024, the music stopped.
Prosecutors placed four of the alleged gang members, including Gallo and
Calamucci, under house arrest and another 60 people under investigation. They
brought charges including conspiracy to hack, corruption, illegal access to
data and violation of official secrets.
“Just as the Stasi destroyed the lives of so many people using a mixture of
fabricated and collected information, so did these guys,” said Leonida Reitano,
an Italian open-source investigator who studied the case. “They collected
sensitive information, including medical reports, and used it to compromise
their targets.”
News of what the gang had done dropped like a bombshell on Italy’s political
class. Foreign Minister Antonio Tajani told reporters at the time that the
affair was “unacceptable,” while Interior Minister Matteo Piantedosi warned the
parliament that the hackers were “altering the rules of democracy.”
The Equalize scandal “is not only the most serious in the history of the Italian
Republic but represents a real and actual attack on democracy,” said Angelo
Bonelli, MP and member of the opposition Green Europe.
Prime Minister Renzi warned of a deeper political risk associated with the gang.
“It is clear that Equalize are very close to the leaders of the right-wing
parties, and intended to build a powerful organization, although it is not yet
certain how deep an impact they had,” he told POLITICO. Renzi is seeking damages
as a civil plaintiff in the eventual criminal trial.
Equalize was liquidated in March, and some of the alleged hackers have since
taken on legitimate roles within the cybersecurity sector.
There are many unresolved questions around the case. Investigators and observers
are still trying to determine the full extent of Equalize’s ties to Italian
intelligence agencies, and whether any clients were aware of or complicit in the
methods used to compile sensitive dossiers. Interviews with intelligence
officials conducted during the investigation were never transcribed, and
testimony given to a parliamentary committee remains classified. Police
documents are heavily redacted, leaving the identities of key figures and the
full scope of the operation unclear.
While Equalize is unprecedented in its scale, efforts to collect information on
political opponents have “become an Italian tradition,” said the political
historian Giovanni Orsina. Spying and political chicanery during and after the
Cold War have damaged democracy and undermined trust in public institutions, made
worse by a lethargic justice system that can take years, if not decades, to
deliver justice.
“It adds to the perception that Italy is a country in which you can never find
the truth,” Orsina said.
Franco Gabrielli, a former director of Italy’s civil intelligence services,
warned that even the toughest of sentences are unlikely to put an end to the
practice. “It just increases the costs, because if I risk more, I charge more,”
he said.
“We must reduce the damage, put in place procedures, mechanisms,” he added.
“But, unfortunately, all over the world, even where people earn more there are
always black sheep, people who are corrupted. It’s human nature.”
BRUSSELS — First it was telecom snooping. Now Europe is growing worried that
Huawei could turn the lights off.
The Chinese tech giant is at the heart of a brewing storm over the security of
Europe’s energy grids. Lawmakers are writing to the European Commission to urge
it to “restrict high-risk vendors” from solar energy systems, in a letter seen
by POLITICO. Such restrictions would target Huawei first and foremost, as the
dominant Chinese supplier of critical parts of these systems.
The fears center around solar panel inverters, a piece of technology that turns
solar panels’ electricity into current that flows into the grid. China is a
dominant supplier of these inverters, and Huawei is its biggest player. Because
the inverters are hooked up to the internet, security experts warn the inverters
could be tampered with or shut down through remote access, potentially causing
dangerous surges or drops in electricity in Europe’s networks.
The warnings come as European governments have woken up to the risks of being
reliant on other regions for critical services — from Russian gas to Chinese
critical raw materials and American digital services. The bloc is in a stand-off
with Beijing over trade in raw materials, and has faced months of pressure from
Washington on how Brussels regulates U.S. tech giants.
Cybersecurity authorities are close to finalizing work on a new “toolbox” to
de-risk tech supply chains, with solar panels among its key target sectors,
alongside connected cars and smart cameras.
Two members of the European Parliament, Dutch liberal Bart Groothuis and Slovak
center-right lawmaker Miriam Lexmann, drafted a letter warning the European
Commission of the risks. “We urge you to propose immediate and binding measures
to restrict high-risk vendors from our critical infrastructure,” the two wrote.
The members had gathered the support of a dozen colleagues by Wednesday and are
canvassing for more to join the initiative before sending the letter mid next
week.
According to research by trade body SolarPower Europe, Chinese firms control
approximately 65 percent of the total installed power in the solar sector. The
largest company in the European market is Huawei, a tech giant that is
considered a high-risk vendor of telecom equipment. The second-largest firm is
Sungrow, which is also Chinese, and controls about half the amount of solar
power as Huawei.
Huawei’s market power recently allowed it to make its way back into SolarPower
Europe, the solar sector’s most prominent lobby association in Brussels, despite
an ongoing Belgian bribery investigation focused on the firm’s lobbying
activities in Brussels that saw it banned from meeting with European Commission
and Parliament officials.
Security hawks are now upping the ante. Cybersecurity experts and European
manufacturers say the Chinese conglomerate and its peers could hack into
Europe’s power grid.
“They can disable safety parameters. They can set it on fire,” Erika Langerová,
a cybersecurity researcher at the Czech Technical University in Prague, said in
a media briefing hosted by the U.S. Mission to the EU in September.
Even switching a solar installation off and on again could disrupt energy supply,
Langerová said. “When you do it on one installation, it’s not a problem, but
then you do it on thousands of installations it becomes a problem because the …
compound effect of these sudden changes in the operation of the device can
destabilize the power grid.”
Surges in electricity supply can trigger wider blackouts, as seen in Spain and
Portugal in April.
Some governments have already taken further measures. Last November, Lithuania
imposed a ban on remote access by Chinese firms to renewable energy
installations above 100 kilowatts, effectively stopping the use of Chinese
inverters. In September, the Czech Republic issued a warning on the threat posed
by Chinese remote access via components including solar inverters. And in
Germany, security officials already in 2023 told lawmakers that an “energy
management component” from Huawei had them on alert, leading to a government
probe of the firm’s equipment.
CHINESE CONTROL, EU RESPONSE
The arguments leveled against Chinese manufacturers of solar inverters echo
those heard from security experts in previous years, in debates on whether or
not to block companies like video-sharing app TikTok, airport scanner maker
Nuctech and — yes — Huawei’s 5G network equipment.
Distrust of Chinese technology has skyrocketed. Under President Xi Jinping, the
Beijing government has rolled out regulations forcing Chinese companies to
cooperate with security services’ requests to share data and flag
vulnerabilities in their software. It has led to Western concerns that it opens
the door to surveillance and snooping.
One of the most direct threats involves remote management from China of products
embedded in European critical infrastructure. Manufacturers have remote access
to install updates and perform maintenance.
Europe has also grown heavily reliant on Chinese tech suppliers, particularly
when it comes to renewable energy, which is powering an increasing proportion of
European energy. Domestic manufacturers of solar panels have enough supply to
fill the gap that any EU action to restrict Chinese inverters would create,
Langerová said. But Europe does not yet have enough battery or wind
manufacturers — two clean energy sectors China also dominates.
China’s dominance also undercuts Europe’s own tech sector and comes with risks
of economic coercion. Until only a few years ago, European firms were
competitive, before being undercut by heavily subsidized Chinese products, said
Tobias Gehrke, a senior policy fellow at the European Council on Foreign
Relations. China on the other hand does not allow foreign firms in its market
because of cybersecurity concerns, he said.
The European Union previously developed a 5G security toolbox to reduce its
dependence on Huawei over these fears.
It is also working on a similar initiative, known as the ICT supply chain
toolbox, to help national governments scan their wider digital infrastructure
for weak points, with a view to blocking or reducing the use of “high-risk
suppliers.”
According to Groothuis and Lexmann, “binding legislation to restrict risky
vendors in our critical infrastructure is urgently required” across the European
Union. Until legislation is passed, the EU should put temporary measures in
place, they said in their letter.
Huawei did not respond to requests for comment before publication.
This article has been updated.
BRUSSELS — The EU’s most influential solar panel lobbying group reinstated
Huawei’s membership just months after it expelled the Chinese company over its
alleged involvement in a bribery and corruption scandal.
As part of the reinstatement, SolarPower Europe’s top executive insisted that
Huawei would not be allowed to “actively participate” in the lobbying group’s
activities to not run afoul of the EU’s ban on meeting with Huawei lobbyists.
The conditions were imposed on Huawei to “ensure that SPE maintains unrestricted
access to authorities and other stakeholders and can conduct its activities
without limitation,” SolarPower Europe CEO Walburga Hemetsberger said in an
email to SPE’s members that was seen by POLITICO. “This includes not
participating in SPE workstreams or the Advocacy Committee,” which sets the
lobby’s key policies.
But at the same contentious Sept. 29 meeting during which Huawei was reinstated,
SPE’s board of directors also failed to adopt an externally written position
paper recommending the European Union limit Huawei’s access to the bloc’s energy
grid, according to two current and one former official working for separate
solar panel manufacturers who spoke on condition of being granted anonymity over
fears of retaliation for speaking out.
Hemetsberger told POLITICO that Huawei was reinstated “following further
clarifications provided by the European Commission and Huawei,” adding the
company is now a “passive member.”
The Commission did not respond to a request for comment ahead of publication on
whether these restrictions create enough distance to continue meeting with SPE
amid the ban on Huawei lobbyists.
The lobby denied the energy grid position paper was rejected, saying that the
board instead reconfirmed its support for an internally produced report on the
cybersecurity risks to Europe’s grid.
However, that report did not include any mention of China in its executive
summary, while an earlier draft seen by POLITICO laid out risks the country and
its companies are said to pose to the energy grid.
The conflict over Huawei’s lobbying role in Brussels is part of a much broader
concern about the influence that Chinese companies — and the Chinese government
— wield over crucial technologies like renewable energy, 5G telecom
infrastructure, electric vehicle batteries and more. The EU has been trying to
limit that influence, particularly after the United States blacklisted Huawei
and designated it a national security threat.
Huawei did not respond to a request for comment ahead of publication.
In March, Huawei was banned from the European Parliament and from meeting with
the European Commission after Belgian authorities accused the company of
conducting a cash-for-influence scheme, bribing MEPs with gifts, luxurious trips
and cash to ensure the policymakers would support Huawei’s interests as it faced
pushback across the continent.
As part of the investigation, authorities raided 21 addresses in March and
charged four people on counts of corruption and criminal organization.
Huawei maintained it has a “zero-tolerance stance against corruption” and fired
two employees over their alleged involvement in the bribery investigation.
A NATIONAL SECURITY THREAT
While Huawei is best known for its work in the telecommunication sector, it’s
also a leader in manufacturing inverters, which transform variable electricity
current from solar panels into alternating current that can be fed into the
grid. Researchers estimate that Chinese companies control 65 percent of the EU’s
solar power, with Huawei holding the biggest market share.
Cybersecurity experts and European manufacturers say Huawei and others could use
the devices to hack into Europe’s power grid — and potentially turn it off.
“The Chinese have remote access to all these devices. And remote access means
they can completely control the device remotely from China, and they can shut it
down,” Erika Langerová, the head of cybersecurity research at the Prague-based
UCEEB energy institute with the Czech Technical University, said in a media
briefing hosted by the U.S. Mission to the EU in September.
By introducing malicious firmware, a company could disable safety protections or
cooling fans and other measures, Langerová said.
NEW SECTOR, OLD TRICKS
Huawei was a regular fixture in Brussels’ lobbying circles for over a decade,
throwing lavish parties, and was seen as a friendly entity in European policy
circles. That changed in 2019, when Huawei came under the microscope over
security and espionage concerns in its 5G mobile networks.
To counter the shifting attitudes, Huawei offered six-figure salaries to lure in
journalists and politicians to lobby on its behalf, but failed to stop the
Commission from taking a more cautious approach to using Huawei’s 5G equipment.
Huawei hit back against the move, saying there is no evidence its equipment
poses a security threat.
As part of the fallout from the cash-for-influence allegations, the Commission
announced in April that it would no longer meet with organizations lobbying on
Huawei’s behalf, leading to the company’s expulsion from SolarPower Europe.
CONTINUED ACCESS
In September, SPE’s board moved to readmit the company, but set guidelines for
its role in the lobby.
While Huawei is not actively participating in the group’s work, one of the
manufacturing officials said minutes are created and disseminated after every
meeting with the Commission and other policymakers, which remain available to
Huawei.
“They have full access to the reports,” the person said, adding that other
companies that are distributors for the Chinese firm are still allowed to
participate and advocate for Huawei’s interests.
SPE said in a response to POLITICO that Huawei “will not be entitled to receive
any documents or other information prepared for or exchanged during meetings
with representatives of any European Institution.”
During the Sept. 29 meeting, a group of Western solar panel manufacturers and
distributors put forward the external position paper, seen by POLITICO, they had
written that included a call for Europe to duplicate the 5G “toolbox” — measures
to stop the 5G telecom networks from being hacked — for the solar industry “to
reduce China’s influence in the electricity grid.”
The European Commission is currently reviewing the EU energy security framework
to tackle hacking and other cyber risks in the energy grid and is soliciting
feedback until Oct. 13. The Western manufacturers wanted the position paper to
be included in SolarPower Europe’s consultation with the Commission.
SPE’s decision not to adopt the position paper on risks to the energy grid
wasn’t the first time the lobby’s actions favored the powerful Chinese company.
SPE also commissioned a study on the solar industry’s cybersecurity risks. An
earlier draft of that report, seen by POLITICO, lays out the close ties between
companies and the Chinese government, with the firms acting at the behest of
government officials, including in carrying out cyberattacks. The draft warned
that just one compromised company connected to Europe’s grid could turn off a
sizeable portion of the EU’s power.
The final report removed all mention of China in the executive summary.
The second manufacturing official said the solar cybersecurity report was
“helpful in pointing to the general problem,” but the “interpretation and
framing of it was politically watered down by the board to not point at China as
the main problem.”
The solar lobby maintains Huawei has no influence over its policy positions.
SPE’s board of directors includes European companies that have partnerships with
Huawei, companies that count China as their largest market, and distributors
of Huawei’s inverters.
Of SPE’s 20 directors, eight have direct connections with Huawei or close
Chinese ties. One board member is the director of Chinese solar panel
manufacturer TrinaSolar.
As one of three top-tier members of SPE, Huawei pays €60,000 a year in
membership fees. But that’s not the only money it spends.
It can funnel money “through the sponsorship of events organized by SolarPower
Europe,” the third manufacturing official said. “So they have clout through
funding.”
BRUSSELS — Crafty hacking groups backed by hostile states have increasingly
targeted European public institutions with cyber espionage campaigns in the past
year, the European Union’s cybersecurity agency said Wednesday.
Public institutions were the most targeted type of organization, accounting for
38 percent of the nearly 5,000 incidents analyzed, the ENISA agency said in its
yearly threat landscape report on European cyber threats.
The EU itself is a regular target, it added. State-aligned hacking groups
“steadily intensified their operations toward EU organizations,” ENISA said,
adding that those groups carried out cyber espionage campaigns on public bodies
while also attempting to sway the public through disinformation and
interference.
The report looked at incidents from July 1, 2024 to June 30, 2025.
Multiple European countries said in August that they had been affected by “Salt
Typhoon,” a sprawling hacking and espionage campaign believed to be run by
China’s Ministry of State Security.
In May, the Netherlands also attributed a cyber espionage campaign to Russia,
and the Czech government condemned China for carrying out a cyberattack against
its foreign ministry exposing thousands of unclassified emails.
These incidents underlined how European governments and organizations are
increasingly plagued by cyber intrusions and disruption.
Though state-backed cyber espionage is on the rise, ENISA said the most
“impactful” threat in the EU is ransomware, a type of hack where criminals
infiltrate a system, shut it down and demand payment to allow victims to regain
control over their IT.
Another type of attack, known as distributed denial-of-service (DDoS), was the
most common type of incident, ENISA said. DDoS attacks are most commonly
deployed by cyber activists.
ENISA said different types of hacking groups are increasingly using each other’s
tactics, most notably when state-aligned groups use cyber-activist techniques to
hide their provenance.
The agency also highlighted the threat to supply chains posed by cyberattacks,
saying the interconnected nature of modern services can amplify the effect of a
cyberattack.
Passengers at Brussels, Berlin and London Heathrow airports recently experienced
severe delays due to a cyberattack on supplier Collins Aerospace, which provides
check-in and boarding systems.
“Everyone needs to take his or her responsibilities seriously,” Hans de Vries,
the agency’s chief operations officer, told POLITICO. “Any company could have a
ripple effect … We are so dependent on IT. That’s not a nice story but it’s the
truth.”
Moldova’s deputy prime minister has blamed Russia for a cyberattack targeting
the country’s electoral commission this week, just days before a crucial
parliamentary election.
Doina Nistor, the country’s deputy prime minister and digital minister, told
POLITICO in an interview on Thursday that the country’s Central Electoral
Commission has now been secured. “This was a vulnerability that was identified
and is now fixed,” she said.
The cyberattack is part of a wider hybrid campaign by Russia against Moldova
that was planned “months in advance” and seeks “to destabilize our democracy,”
Nistor said on a visit to Brussels.
Moldovans will go to the polls on Sunday in an election mired in meddling
attempts that Western security officials and cyber intelligence firms say
originate in Russia. Moldovan President Maia Sandu told the European Parliament
on Monday that Russia is spending “hundreds of millions of euros” to subvert the
election.
In one of the most recent attacks, hackers hijacked Wi-Fi routers to attempt to
overload the servers of Moldova’s Central Electoral Commission, the country’s
police chief Viorel Cernăuțeanu told local media on Wednesday, in what is known
as a distributed denial-of-service attack.
Like Ukraine, Moldova is a “laboratory” for confronting “some of the most
advanced hybrid threats of our times,” Nistor said. “This makes us a natural
test bed for Europe, a place where we can test new tools [and] new policies.”
According to Stanislav Secrieru, national security adviser to Sandu, “The scale
of Russian interference today far exceeds what we saw in 2024.”
“We’re seeing unprecedented efforts: more money to buy votes, more AI-driven
disinformation amplified by troll networks, and more resources dedicated to
orchestrating street violence. Russia is pulling out all the stops to tip this
election,” he told POLITICO.
Support for Moldova from the United States has waned, in part because it
dismantled its development agency USAID earlier this year, putting more of the
burden on Europe.
The European Commission has rushed to deploy a cyber reserve — a team of
private-sector cybersecurity experts — to Moldova. It’s the first deployment of
the reserve since it was created under the EU’s new Cyber Solidarity Act.
Access to the reserve is a “huge milestone,” Nistor said, adding that support
from Europe on cyber “is first and foremost the most important one.” However,
the U.S. is still offering some support via its embassy, she said.
Moldova is also working directly with countries including Romania, Sweden,
Estonia and the United Kingdom to get structural help in the future, she said.
Gabriel Gavin contributed to this report.
From the SWAP: A Secret History of the New Cold War by Drew Hinshaw and Joe
Parkinson. Copyright © 2025 by Drew Hinshaw and Joe Parkinson. Published by
Harper, an imprint of HarperCollins Publishers.
In the third week of March 2023, Vladimir Putin dialed onto a video call and
reached for a winning tactic he had been honing since his first weeks as
president. He approved the arrest of another American.
By then, Russia’s president was running the world’s largest landmass from a
series of elaborately constructed, identical conference rooms. As far as the CIA
could tell, there were at least three of them across Russia, each custom-built
and furnished to the exact same specifications, down to the precise positioning
of a presidential pencil holder, engraved with a double-headed eagle, the state
symbol tracing back five centuries, on the lacquered wooden desk. Neither the 10
perfectly sharpened pencils inside nor any other detail in the windowless rooms,
with their beige-paneled walls and a decor of corporate efficiency, offered a
clue to Putin’s true location.
Russia’s president refused to use a cell phone and rarely used the internet.
Instead, he conducted meetings through the glow of a large screen monitor,
perched on a stand rolled in on wheels. The grim-faced officials flickering onto
the screen, many of whom had spent decades in his close company, often were not
aware from which of the country’s 11 time zones their commander in chief was
calling. Putin’s staff sometimes announced he was leaving one city for another,
then dispatched an empty motorcade to the airport and a decoy plane before he
appeared on a videoconference, pretending to be somewhere he was not.
From these Zoom-era bunkers, he had been governing a country at war, issuing
orders to front-line commanders in Ukraine, and tightening restrictions at home.
Engineers from the Presidential Communications Directorate had been sending
truckloads of equipment across Russia to sustain the routine they called Special
Comms, to encrypt the calls of “the boss.” The computers on his desks remained
strictly air-gapped, or unconnected to the web. Some engineers joked nervously
about the “information cocoon” the president was operating in.
But even from this isolation, the president could still leverage an asymmetric
advantage against the country his circle called their “main enemy.” One of the
spy chiefs on the call was proposing an escalation against America. Tall,
mustachioed, and unsmiling, Major General Vladislav Menschikov ranked among the
siloviki, or “men of strength” from the security services who had risen
in Putin’s slipstream. The president trusted him enough to run Russia’s nuclear
bunkers and he played ice hockey with his deputies.
Few people outside a small circle of Kremlinologists had heard of Menschikov,
head of the First Service of the Federal Security Service, or FSB, the successor
to the KGB. But everybody in America had watched the spectacular operation he
had pulled off just a few months earlier. An elite spy agency under his command
orchestrated the arrest of an American basketball champion, Brittney Griner.
Hollywood stars and NBA legends including Steph Curry and LeBron James demanded
President Joe Biden ensure her swift return, wearing “We Are BG” shirts on
court. Menschikov helped oversee her exchange in a prisoner swap for Viktor
Bout, an infamous Russian arms dealer nicknamed “the Merchant of Death,” serving
25 years in an Illinois penitentiary.
This account is based on interviews with former and current Russian, U.S. and
European intelligence officials, including those who have personally been on a
video call with Putin, and the recollections of an officer in the Russian
leader’s Presidential Communications Directorate, whose account of Putin’s
conference call routine matched publicly available information. Those sources
were granted anonymity to discuss the sensitive details of the president’s
calls.
Trading a notorious gunrunner for a basketball player was a stunning example of
Russia’s advantage in “hostage diplomacy,” a form of statecraft that died with
the Cold War only for Putin to resurrect it. In penal colonies across Russia,
Menschikov’s subordinates were holding still more Americans, ready to swap for
the right price. They included a former Marine, mistaken for an intelligence
officer, who had come to Moscow for a wedding, and a high school history teacher
whose students had included the CIA director’s daughter, caught in the airport
carrying medical marijuana. Disappointingly, neither of their ordeals had yet
brought the desired offer from Washington.
Menschikov’s proposal was to cross a threshold Moscow hadn’t breached since the
Cold War and jail an American journalist for espionage. A young reporter from
New Jersey — our Wall Street Journal colleague and friend Evan Gershkovich — was
flying from Moscow to Yekaterinburg to report on the increased output of a local
tank factory. If the operation went to plan, the reporter could be exchanged for
the prisoner Putin referred to as “a patriot,” an FSB officer serving a life
sentence in Germany for gunning down one of Russia’s enemies in front of a
Berlin coffee shop called All You Need Is Love. The murderer had told the police
nothing, not even his name.
From the moment Putin gave his assent, a new round of the game of human poker
would begin that would see a cavalcade of spies, diplomats and wannabe mediators
including oligarchs, Academy Award-winning filmmakers and celebrities seek to
help inch a trade towards fruition. The unlikely combination of Hillary Clinton
and Tucker Carlson would both step in to advance talks, alongside the Saudi
Crown Prince Mohammed bin Salman, Turkey’s President Recep Tayyip Erdogan,
former Google CEO Eric Schmidt, and Rupert Murdoch, the media mogul who would
wrestle with whether to fly to Moscow to personally petition Putin.
All told, CIA officers would fly thousands of miles to orchestrate a deal that
would come to encompass 24 prisoners. On the Russian side, hackers, smugglers,
spies and Vadim Krasikov, the murderer Putin had set out to free, were all
released. In return, the U.S. and its allies were able to free dissidents,
Westerners serving draconian sentences, former Marine Paul Whelan, and
journalists that included the Washington Post’s Vladimir Kara-Murza, Radio Free
Europe’s Alsu Kurmasheva, and our newspaper’s Gershkovich.
Looking back, what is remarkable is how well it all went for the autocrat in the
Kremlin, who would manage to outplay his fifth U.S. president in a contest of
taking and trading prisoners once plied by the KGB he joined in his youth. An
adage goes that Russia, in the 21st century, has played a poor hand well. The
unbelievable events that followed also raise the question of how much blind luck
— and America’s own vulnerabilities — have favored the man in the “information
cocoon.” The prisoner game continues even under President Donald Trump, who in
his second term’s opening months conducted two swaps with Putin, then in May
discussed the prospect of an even larger trade.
It is a lesser-known item of the Russian president’s biography that he grabbed
his first American bargaining chip just eight days after his March 2000
election, when the FSB arrested a former naval officer, Edmond Pope, on
espionage charges. It took a phone call from Bill Clinton for the youthful Putin
to pardon Pope, an act of swift clemency he would never repeat.
Twenty-three years later, on the videoconference call with General Menschikov,
Putin was in a far less accommodating mood. He wanted to force a trade to bring
back the FSB hitman he privately called “the patriot” — he’d been so close to
Krasikov, they’d fired rounds together on the shooting range. Some CIA analysts
believed he was Putin’s personal bodyguard. In the previous months, before he
approved Gershkovich’s arrest, three Russian spy chiefs asked the CIA if they
could trade Krasikov, only to hear that rescuing a Russian assassin from a
German jail was a delusional request of the United States. Days before the call,
one of Putin’s aides phoned CIA Director Bill Burns and asked once more for good
measure and was told, again, the entire idea was beyond the pale.
Menschikov’s officers would test that point of principle. His men would arrest
the reporter, once he arrived in Yekaterinburg.
--------------------------------------------------------------------------------
It was just after 1 p.m. in The Wall Street Journal’s small security office in
New Jersey, and Gershkovich’s tracking app was no longer pinging. The small team
of analysts monitoring signals from reporters deployed across the front lines of
Ukraine and other global trouble spots had noticed his phone was offline, but
there was no need to raise an immediate alarm. Yekaterinburg, where the Russia
correspondent was reporting, was east of the Ural Mountains, a thousand miles
from the artillery and missile barrages pummeling neighboring Ukraine. Journal
staff regularly switched off their phones, slipped beyond the reach of cell
service, or just ran out of battery. The security team made a note in the log.
It was probably nothing.
A text came in to the Journal’s security manager. “Have you been in touch with
Evan?”
The security manager had spent the day monitoring reporters near the Ukrainian
front lines, or others in Kyiv who’d taken shelter during a missile bombardment.
But he noticed Gershkovich had missed two check-ins and was ordering the New
Jersey team to keep trying him. “Shit,” he texted back, then fired off a message
to senior editors.
The Journal’s headquarters in Midtown Manhattan looked out through a cold March
sky onto Sixth Avenue. Within minutes, staff gathering in the 45-story News
Corporation Building or dialing in from Europe were scrambling to reach contacts
and piece together what was happening in Russia. The paper’s foreign
correspondents with experience in Moscow were pivoting from finalizing stories
to calling sources who could locate their colleague. One reached a taxi driver
in Yekaterinburg and urged him to stop by the apartment where Gershkovich was
staying. The chauffeur called back minutes later, saying he’d found only dark
windows, the curtains still open. “Let’s hope for the best,” he said.
Though there were still no news reports on Gershkovich’s disappearance nor
official comment from Russia’s government, the data points suggested something
had gone badly wrong. The Journal scheduled a call with the Russian ambassador
in Washington but when the hour came was told, “He is unfortunately not
available.” The problem reached the new editor-in-chief, Emma Tucker, who
listened quietly before responding in a voice laced with dread. “I understand.
Now what do we do?”
Only eight weeks into the job — in a Manhattan apartment so new it was furnished
with only a mattress on the floor — Tucker was still trying to understand the
Journal’s global org chart, and had met Gershkovich just once, in the paper’s
U.K. office. Now she was corralling editors, lawyers and foreign correspondents
from Dubai to London onto conference calls to figure out how to find him. A
Pulitzer Prize finalist and Russia specialist on her staff made a grim
prediction. If the FSB had him, it wasn’t going to be a short ordeal: “He’s
going to spend his 30s in prison.” And when editors finally located the
Journal’s publisher to inform him of what was going on, they hoped it wasn’t an
omen. Almar Latour was touring Robben Island, the prison off the coast of Cape
Town, South Africa, where Nelson Mandela served 18 of his 27 years of
incarceration.
There was a reporter nobody mentioned, but whose face was engraved into a plaque
on the newsroom wall. Latour had once sat next to Daniel “Danny” Pearl, the
paper’s intrepid and gregarious South Asia correspondent. In 2002, the
38-year-old was lured into an interview that turned out to be his own abduction,
and was beheaded on camera by Khalid Sheikh Mohammed, a mastermind of the
terrorist attacks of September 11, 2001 — leaving behind a pregnant wife and a
newsroom left to report the murder of their friend.
Paul Beckett, the Washington bureau chief and one of the last reporters to see
Pearl alive, had thought of him immediately. He managed to get Secretary of
State Antony Blinken on the phone. America’s top diplomat knew exactly who Evan
was; just that morning he had emailed fellow administration officials the
reporter’s latest front-page article, detailing how and where Western sanctions
were exacting long-term damage on Russia’s economy. It was an example, Blinken
told his office, of the great reporting still being done in Russia.
“Terrible situation,” Blinken told Beckett, before adding a promise America
would pay a steep price to keep: “We will get him back.”
--------------------------------------------------------------------------------
The Biden White House’s first move after learning of Gershkovich’s arrest was to
call the Kremlin — an attempt to bypass the FSB.
The arrest of an American reporter was a major escalation and if National
Security Advisor Jake Sullivan could reach Yuri Ushakov, Vladimir Putin’s top
foreign policy specialist, Sullivan hoped he could convince Ushakov to step back
from the brink. At best, he assessed his odds of success at 10 percent, but this
was a crisis that seemed likely to either be resolved with a quick call or drag
on for who knows how long, and at what cost.
“We’ve got a big problem,” Sullivan told Ushakov. “We’ve got to resolve this.”
The answer that came back was swift and unambiguous.
“This is a legal process,” Ushakov said. There would be no presidential clemency
— only a trial, and if Washington wanted a prisoner trade, they were going to
have to arrange it through what the Russians called “the special channel.” In
other words, the CIA would have to talk to the FSB. Sullivan hung up, and his
team braced themselves to brief the Journal: the newspaper was going to need to
be patient.
The White House was trapped in a rigged game, facing the crude asymmetry between
the U.S. and Russia, whose leader, in power for a quarter-century, could simply
order foreigners plucked from their hotel rooms and sentenced to decades on
spurious charges. Griner, the basketball champion, hadn’t even returned to the
basketball court in the three months since her exchange for “the Merchant of
Death,” yet already, the Russians had scooped up another high-profile chip.
The CIA and its European allies had been quietly trying to fight back in this
game of human poker. They had spent enormous energy tracking and rounding up the
Russians Putin valued most: deep-cover spies, or “illegals,” who spent years
building false lives undercover, taking on foreign mannerisms and tongues.
Norwegian police, with U.S. help, had nabbed an agent for Russia’s GRU military
intelligence agency, posing as a Brazilian Arctic security professor in Norway’s
far north. Poland had arrested a Spanish-Russian freelance journalist: His
iCloud held the reports he’d filed for the GRU, on the women — dissidents and
journalists — he’d wooed across Central and Eastern Europe. It had taken the spy
service of the Alpine nation of Slovenia, known as Owl, nearly a year to find,
then jail, a carefully hidden pair of married spies, pretending to be Argentines
running an art gallery — sleeper agents working for Moscow’s SVR foreign
intelligence agency. Not even their Buenos Aires-born children, who they spoke
to in fluent Spanish, knew their parents’ true nationality or calling.
Yet for all that work, none of these prisoners worked for the agency that
mattered most in Russia and ran the “special channel” — the FSB. Putin himself
had once run Russia’s primary intelligence agency, and now it was in the hands
of his siloviki, the security men he’d known for decades who included
Menschikov. There was, the CIA knew, only one prisoner the FSB wanted back:
Krasikov, the FSB officer serving life in a German prison.
America was stuck. Every stick it could beat Russia with was already being
wielded. The world’s financial superpower was drowning Putin’s elite in
sanctions, and almost every week Sullivan authorized another carefully designed
shipment of weaponry to the battlegrounds of Ukraine, whose government
complained bitterly it was being given just enough to perpetuate a war, not
enough to win. And yet America’s government had to worry about the conflict
tipping into a nuclear exchange.
What else is there in our toolbag? Sullivan asked himself. We’re doing
everything we can. But the game was rigged. Which is why Putin kept playing it.
LONDON — Late last month, British intelligence, alongside allies like the United
States, called out government-linked Chinese companies for a global campaign of
cyber attacks.
It was the latest step in a decade-long diplomatic dance.
Britain only attributes cyber attacks to four countries: Iran, Russia, North
Korea and China — known as the “Big Four.” Three are deemed hostile states, and
Britain has an uneasy relationship with the latter.
But these are not the only countries that hack, sell hacking technology, or
turn the other cheek to groups breaching devices and infrastructure in the U.K.
Some are allies — but they have their blushes spared.
Calling out allies in public remains a risky move when ministers and officials
are in a race to sign trade deals and strengthen relations across the globe.
At the same time, Britain is trying to place itself at the forefront of efforts
to hold back the spyware arms race, as countries look to buy commercial cyber
expertise and technology to hack neighbors, enemies and partners. This leaves
Britain increasingly at odds with the U.S., which is now looking to utilize
spyware it had previously blocked.
POLITICO spoke to cybersecurity and intelligence figures from inside the U.K.
government and the private sector to map which of Britain’s strategic allies are
involved in the proliferation of cyber attacks — and how the U.K. is struggling
to clamp down on a lucrative global industry.
Some were granted anonymity to speak about sensitive national security matters.
FLOODGATES OPEN
In 2013, Edward Snowden, a former contractor for America’s National Security
Agency (NSA), blew open the previously secretive world of Western digital
surveillance and hacking. In leaking thousands of classified documents, he
revealed that the Five Eyes intelligence partnership — which includes Britain
and America — had spied on allies including France, Germany, the EU and the
United Nations.
In the decade since, other nations have been playing catch-up, with tech
companies providing the ammunition for states wanting to rival Western nations
that had been hacking for years.
As the rest of the world started hacking back, Britain’s allies took the
unprecedented step of calling out those it suspected of committing cyber attacks
against them. In 2014, the Barack Obama administration in the U.S. put its head
over the parapet to attribute a cyber attack to China.
“The first time we were told about the U.S. attribution of 2014, privately the
British government thought the Americans had gone mad and that it was really
risky,” one former senior intelligence official told POLITICO.
“[It was thought] it wouldn’t achieve anything and it might get us into trouble
and that they [China] might start arresting people. As it turns out, the
Americans were right and we were wrong,” they said, adding: “I don’t think
there’s a shred of evidence that any Western country has come to any harm as a
result of attribution.”
It took Britain until 2018 to start pointing the finger publicly — this time at
Russia — while countries such as France did not take this step until earlier
this year.
The U.K.’s process for attribution involves a two-step judgment, whereby
intelligence officials prepare an assessment for a minister when a cyber attack
is thought, to a very high degree of confidence, to have come from a nation
threat. It is then up to the minister to publicly call out the activity or not.
The rationale for naming the origin of an attack is, in part, a comms exercise:
“If you’re representing the British government in public and there’s been a
major nation state cyber attack, and you’re not prepared to say who it was, then
you look either incompetent or duplicitous,” the same former intelligence
official said.
They noted that although the Russians “don’t seem to care” whether Britain
publicly calls them out, China does. “Let’s say, for example, that things were
pretty tense with China, and we wanted to de-escalate — we might choose not to
do an attribution purely for policy reasons.”
Earlier this year in Manchester, officials from Britain’s National Cyber
Security Centre (NCSC) — an arm of the GCHQ digital intelligence agency — were
asked in a briefing whether there are nation state threats outside of the Big
Four that Britain now sees as a developing threat.
After a deep pause, one senior NCSC official replied in the affirmative.
“Obviously states do procure capability and there are other state threats out
there,” they said. “It would be odd if I said there weren’t.”
They declined, however, to name any of these states.
‘EVERYONE’S PRETTY SURE IT EXISTS’
Though cyber activity from the Big Four is thought to make up the majority of
hostile activity in Britain, it’s not the full picture.
“That these four are the only ones that are repeatedly attributed is, for me, a
real problem,” said James Shires, a cybersecurity academic and researcher,
adding: “That means that most of the public conversation implies that those are
the only actors, and that’s just not the case.”
In fact, close allies make up some of these cyber powers, with leaked
information often stepping in to fill the information void. In the 2010s,
researchers claimed to have traced a piece of malware known as “Babar” back to
French intelligence, while a hacking group called Careto was thought to have
been linked to the Spanish government.
“When you have allied, friendly, non-intelligence partnership states that you
have good diplomatic relations with doing this kind of activity, there’s no way
they’re going to be publicly outed,” Shires added.
Hacking and cyber intrusion have uses for the Big Four beyond simply snooping on
Britain and its allies. Backdoors into government and commercial networks can
provide key information about dissidents, activists and political opponents who
have fled a regime — and these four states are not the only ones with overseas
critics.
India, though a sometimes close ally of Britain, has been called out for its
cyber activity by Canada, Britain’s intelligence partner in the Five Eyes
partnership. Last year, Canada’s spy agency accused India of tracking and
surveilling activists and dissidents, as well as stepping up attacks against
government networks. This year it went further and accused India of foreign
interference.
Britain’s approach to India has been different, choosing diplomacy with joint
schemes like a Technology Security Initiative. Lindy Cameron — the former head
of the NCSC — has been placed as the British High Commissioner to India.
In the Middle East, Israel has become one of the most prominent players in
international espionage, with cyber a core component of its intelligence
arsenal.
Though it has long avoided admitting it has conducted offensive cyber
operations, researchers have suggested Israel played a role in hacking the venue
for Iran’s nuclear negotiations. More recently, the conflict with Iran has given
the world a glimpse into the capabilities of the Israeli state and state-aligned
hacktivist groups.
“For Israeli cyber espionage in the U.K., it’s one of those things where
everyone’s pretty sure it exists, but there’s no clear indication of it,” Shires
said.
The same former intelligence official quoted previously said that “even in the
current circumstances” of tricky relations with Israel, it would be “improbable
to foresee a British government attributing a cyber operation” to them. They
added that though Canada accused India of interference, Britain would have to
“judge that case and its merits” for any similar activity in U.K. cyberspace.
Despite the emergence of new top-level cyber nations, experts told POLITICO that
the main driver for future threats to the security of U.K. citizens and
infrastructure comes from the private sector, through the selling of
sophisticated spyware technology.
Shires said: “The big concern from the U.K. is not just cyber operations run
directly by states. It’s not just which state has developed their own internal
capability, but where they are relying on third parties to deliver that for
them.”
He noted that spyware companies have given rise to a “far wider set of states
having access to capabilities because they don’t need to make the investment to
develop their own internal capabilities, they can buy in a point, click and
compromise service that they can then use to target whoever they want.”
Melissa DeOrio, who leads cyber threat intelligence at cybersecurity and
corporate intelligence consultancy S-RM, added: “It is very challenging to know
exactly what capabilities lie in what countries, which are independent actors
hacking of their own volition for financial opportunity, versus what activity is
done either in favor of the state or ignored by the state and enabled by them in
some way.”
POINT, CLICK, COMPROMISE
An explosion in hacking technology from private companies with explicit or
implied state backing means the threat to countries — including Britain — can be
harder to pinpoint.
Sophisticated attacks are no longer just the domain of countries with
established cyber capability. Britain’s NCSC has previously revealed that at
least 80 countries have purchased commercial spyware — although it did not name
them.
Last year, researchers at the Atlantic Council think tank mapped spyware vendors
around the world, covering 42 different countries and 435 entities in their data
set. They identified three major clusters in Israel, India and Italy.
Jen Roberts, associate director of the Cyber Statecraft Initiative at the
Atlantic Council, told POLITICO: “All three of these jurisdictions have pretty
permissive environments with more or less state involvement in some fashion. The
Indian cluster is the most common for a ‘hack-for-hire’ market. The Italian
cluster has the oldest history of spyware. The Israeli cluster is the biggest
chunk and probably the most well known, and most capable.
“The U.S. and the U.K. are two of the largest investors into this market, but a
lot of these firms often target diplomats and citizens of the U.S. and the U.K.”
Nayana Prakash, a research fellow at the Chatham House think tank, said a “large
pool of very talented tech professionals, very low labor costs and big
underground market for hacking services” has meant that “there’s loads of things
in India that you can get done if you know the right people.”
“For groups to thrive in a country like India, or Russia, there has to be some
level of the state being somewhat lax in enforcing certain laws,” she added.
Shires added: “These companies would say their technology is always for national
security, law enforcement and serious crime purposes. Their opponents will say
this generally turns out to be journalists, dissidents and political
opposition.”
A 2022 report by the Citizen Lab research centre in Canada claimed that between
2020 and 2021 there were multiple infections of “Pegasus” spyware — created and
sold by the Israeli company NSO Group — on U.K. government devices. These
included people in both Downing Street and the Foreign Office, with operators of
the spyware linked to the UAE, India, Cyprus and Jordan. The Council of Europe
said Pegasus is known to have been sold to at least 14 EU countries.
It took Britain until 2023 to call this out. “There’s a lot of hesitance against
attribution, because it’s such a big step, and because it throws your cards on
the table,” Chatham House’s Prakash said.
NSO has long asserted that its technology is sold “for the sole purpose of
fighting crime and terror.”
STOPPING THE ARMS RACE
In February, France and Britain convened a high-level meeting in Paris.
It was the second such meeting to discuss the Pall Mall Process — an
international effort led by the two nations that aims to clamp down on the
“proliferation and irresponsible use” of spyware and other commercial cyber
intrusion capabilities.
It established a code of practice and a joint declaration for countries that
signed up to it — but it remains a voluntary scheme with limited engagement from
the same threats it is seeking to curtail.
The 24 countries that have signed up to its code of practice do not include
Israel, India or nations such as the UAE that have been accused of using spyware
irresponsibly. Similarly, none of the major spyware vendors are represented.
A summary report by the organisers ahead of the meeting — emblazoned with “NOT
UK/FRANCE GOVERNMENT POLICY” — spoke of the risks of the sector without
highlighting any country or company involved in the use of spyware.
The same former U.K. intelligence figure quoted earlier said that managing to
get two permanent members of the United Nations Security Council to host a major
event on the issue is “better than nothing,” but it has proven “very hard to get
any country anywhere to act against malicious cyber actors on their own
territory.”
James Shires said the optics of having major players in cyber espionage
dictating what other countries can do has likely limited participation in the
initiative. “You have these major states that not only have their own domestic
capabilities, but also have a commercial industry, and they want to control
access to that industry around the world.”
One major signatory, the United States, has also used its economic and
diplomatic muscle to go much further than a non-binding declaration of allies.
In 2021 the U.S. blacklisted NSO’s Pegasus alongside other Israeli, Russian and
Singaporean spyware companies. In 2023, then-President Joe Biden signed an
executive order to ban federal agencies from using spyware which could pose a
risk to American security. The U.S. government followed this up a year later by
threatening to impose visa restrictions on individuals involved in commercial
spyware misuse and sanctions against the Intellexa Consortium.
“These are all pretty blunt, effective actions,” Shires said. “The U.K. could
have done all of that, but hasn’t. The U.S. is such a big market, so it can move
on its own and have a big impact where the U.K. perhaps can’t.”
However, the new administration under Donald Trump has rowed back some of these
moves, amid a renewed appetite for domestic surveillance tools. Agents with the
U.S. Immigration and Customs Enforcement will have access to technology from
Israeli company Paragon Solutions, after its contract was halted to comply with
U.S. spyware rules. Paragon has previously come under scrutiny by the Italian
government.
The Atlantic Council’s Jen Roberts said: “Right now, the U.K. and the French are
being looked at as the leaders in the future, as the new U.S. administration
figures out its stance on this policy issue, though we’ve seen some positive
signaling, like the U.S. being a signatory on the Pall Mall Process Code of
Conduct.”
GCHQ and NCSC were contacted to contribute to this piece. The U.K. government
has a long-standing policy of not commenting on intelligence matters.
The Bulgarian government on Thursday reversed course as it clarified it had no
evidence that Russia jammed GPS signals to European Commission President Ursula
von der Leyen’s plane when it landed at a local airport on Sunday — despite
initially making the claim itself.
On Thursday, Bulgarian Prime Minister Rosen Zhelyazkov told parliament that the
Commission president’s plane had not been disrupted but had only experienced a
partial signal interruption, the kind typically seen in densely populated
areas.
“After checking the plane’s records, we saw that there was no indication of
concern from the pilot. Five minutes the aircraft hovered in the waiting area,
with the quality of the signal being good all the time,” he told lawmakers.
The prime minister had previously said the disturbance was due to unintended
consequences of electronic warfare in the Ukrainian conflict.
Deputy Prime Minister and Transport Minister Grozdan Karadzhov also denied
there was evidence of disruption to the GPS signal of the Commission president’s
flight.
“According to empirical data, according to the radio detection, the records of
our agencies, civilian and military, there is not a single fact supporting the
claim to silence the GPS signal that affected the plane,” Karadzhov told
Bulgarian broadcaster bTV on Thursday.
On Monday, the Financial Times reported that a Commission-chartered plane on a
tour of “front-line states” in Europe reportedly lost access to GPS signals
while approaching Bulgaria’s Plovdiv airport. The correspondent who was on the
plane wrote that the aircraft landed using paper maps and quoted an official
saying it circled the airport for an hour. Brussels and Sofia were quick to
blame Russia, calling it “blatant interference.”
The incident made headlines across Europe and prompted reactions from U.S.
President Donald Trump, NATO’s Secretary-General Mark Rutte and other top
officials.
In past days, analysts have questioned the details of the incident, pointing to
flight-tracking data revealing that the GPS signal was never lost and that the
plane’s landing was only delayed by nine minutes. Public data also showed the
same aircraft had experienced GPS jamming the day before over the Baltics — but
not in Bulgaria.
European Commission spokesperson Arianna Podestà on Thursday said the
institution was informed by Bulgarian authorities of GPS jamming, echoing a
press release shared by the country’s government authorities on Monday.
“We have never been speaking of the targeting ourselves and I was very clear in
saying that we had no information in this sense. But we are extremely well aware
that this is a matter that occurs in our skies and in our seas on a constant
manner since the start of the war and therefore this is why it’s important to
tackle it together with our member states,” she told reporters at a briefing in
Brussels.