Overview of state espionage and influencing

Russia is diversifying its modes of operation in intelligence gathering

Russia is the principal intelligence threat to Finland. The Russian intelligence services take an interest in, among other things, the Finnish foreign policy, changes caused by NATO membership, the Finnish border policy, and Finland’s critical and military infrastructure.

Over the past few years, European countries, including Finland, have significantly weakened the operating conditions of Russian human intelligence by expelling intelligence officers operating under diplomatic cover. Therefore, Russia is making efforts to increase, on the one hand, professional human intelligence activities based on Russian soil and, on the other hand, the use of proxy actors for easy-to-perform intelligence gathering. Remotely recruited individuals, who are currently being used more often for acts of sabotage and vandalism than intelligence operations in Europe, are not even always aware that they are working for the Russian intelligence services. 

Despite the expulsions, the Russian intelligence services continue their efforts to place intelligence officers in Russian diplomatic missions in Finland and elsewhere in Europe, as diplomatic immunity provides excellent protection from legal proceedings and a natural opportunity for building relations with people of interest to the Russian intelligence services. It is also likely that Russia is already preparing for opportunities potentially opening up for it in the next few years – either through peace in Ukraine or war-weariness of the Western countries – to dismantle restrictions imposed against it and thus restore its human intelligence capacity in Europe. 

If Russia’s economic and political relations with Finland and other European countries were even partially restored, the intelligence threat posed by Russia would diversify. Alongside former methods used, new modes of operation proven effective in conflict situations will emerge, such as extensive exploitation of proxy actors and information gathering from bases on Russian soil. At the same time, it is likely that Russia will redeploy some of the intelligence resources it has now deployed in Ukraine to other parts of Europe, including Finland.

The EU sanctions policy and the opportunities to have it alleviated are also of interest to Russian intelligence services. In addition to intelligence, the Russian intelligence services seek to procure products subject to sanctions and export restrictions through Finland and other EU countries through complex supply chains. Russia will continue its active efforts to acquire Western expertise by illegal means. Russia is falling behind in development in several high-tech sectors, and the country is very likely to continue investing in its military readiness.

Not all suspicious actions are about Russian influencing

Often, public debate draws a picture of Russia as a superior actor capable of influencing wide-ranging matters across Europe. In reality, Russia currently has a large share of its resources deployed in Ukraine. Except for the situation on the border, neither Finland nor the Nordic countries have been at the focus of Russian influencing activities. Furthermore, no acts of sabotage have been targeted against Finland, unlike against some other European countries.

The Russian influencing against Finland appears to be extensive, as different events and incidents are interpreted as signs of Russian influencing – which works in favour of Russia. A good example of this are drones observed in Finland. The incidents have been carefully investigated in cooperation between the authorities, and almost all of them have been found to be caused by other flight operations. 

Finland’s NATO membership and the higher visibility of Finnish foreign and security policy leaders in international arenas have increased the volume and aggressiveness of Russia’s information influencing against Finland. The main objectives of such actions are to intimidate and limit the room for manoeuvre of Finland’s foreign policy leaders. However, in the latter in particular, Russia has not succeeded. Since the relations between our countries have broken, Russia has lost its ability to gain understanding for its own interests and thus influence Finland’s political decision-making. Restoring this understanding will be one of the key objectives of Russian influencing activities, should opportunities for that arise at some point, following partial restoration of contacts, for example. Russia is likely to make efforts to invest in political influencing performed especially by intelligence officers and to expand its networks needed for it. 

Russia has actively continued its cyber espionage of against Finland, and the way it has been targeted has reflected Russia’s need of intelligence on Finland’s political decision-making and foreign and security policy. Besides targeting the central government and foreign and security policy actors, Russia has also targeted its cyber intelligence acquisition at products and innovations suited also for defence and military applications. Russia is seeking to gather information to support its war of aggression in Ukraine. Russian intelligence services have also surveyed the structures and security arrangements of the network and physical infrastructure of the information systems used by Finnish organisations. 

Russia uses hacktivist groups against the West

Finland is increasingly often among the countries targeted by extensive multinational cyber operations of Russian intelligence services. Russia has focused its broadly based information gathering activities on Western intelligence communities, foreign policy experts and journalists, among others. Russia’s active cyber intelligence gathering constitutes a major intelligence risk in international politics and for civil servants, experts and researchers working on Russia-related themes. 

Russia’s increased interest in exploiting supply chains as part of cyber espionage reflects the opportunistic but also methodological developments in the field. In its cyber operations targeted at Finland and Western countries, Russia has exploited the weaknesses in the supply chains of information systems commonly used by Western countries. For example, from the perspective of cyber espionage, cloud services offer a good input-output ratio: an intrusion method developed for an organisation in the cloud supply chain can provide a route to the data of numerous clients using the same cloud service. 

Russian intelligence services also regularly use Finnish infrastructure in operations against third countries. Russia has also been found to have adopted modes of operation customarily used by China to compromise consumer network devices as part of its anonymization infrastructure. The compromised consumer network devices make it possible to disguise harmful cyber activities as conventional network traffic, while also making it difficult to identify and trace the perpetrator. Compromised consumer routers offer yet another possibility to gather cyber intelligence outside the reach of the target organisations’ Security Operations Centre: for example, a compromised home router may provide access to network traffic between a remote worker and the target organisation’s systems.

Russia utilises information obtained through cyber espionage in its influencing activities targeting Western countries, including Finland. For example, Russia seeks to defame and harass target countries, individuals or organisations by leaking illegally acquired and partly distorted data through so-called hack & leak operations, falling in the middle ground between cyber and information influencing. 

Correspondingly, the boundary between cyber criminals and state cyber espionage actors has faded in recent years. The role of proxy actors is estimated to have grown in intelligence gathering and influencing taking place in the cyber environment. Distributed Denial-of-service (DDoS) attacks against Finland and other Western countries by pro-Russian hacktivist groups, which have become the most prominent phenomenon in cyber activity in recent years, have also continued. 

Cyber operations – an easy way of gaining visibility – are congruent with cyber-influencing that serves Russian interests. Malicious cyber assaults, or Denial-of-service (DoS) attacks, are very likely to continue in the future. In most cases, the effects of such activities remain minor, but efforts to generate greater real-world impacts can also be detected.

Intelligence concerning Finland is important to China

China has a continuous and long-term intelligence interest in Finland. China targets both human intelligence and cyber espionage operations at Finland, with an aim to strengthen the country’s position in global policy. Internal development in China highlights the importance of intelligence actors, as the strong focus on security encompassing the Chinese society as a whole also affects the role played by intelligence actors in the country. 

From China’s point of view, Finland as an EU and NATO country is an interesting target for intelligence activity focused on political decision-making. In addition, cutting-edge technology, Arctic issues and groups that the government of China views as a threat continue to interest the Chinese intelligence in Finland. Through intelligence activities, China seeks to acquire information related to both Finland and, more broadly, to NATO, for example. As far as human intelligence is concerned, the focus is on a broad range of experts and societal actors with access to information that is of interest to China or opportunities to influence decision-making in accordance with China’s wishes. 

China makes global efforts to steer the debate on China in a direction favouring Chinese views. In Finland too, China aims to guide policymaking and debate concerning China in a direction that is congruent with Chinese objectives and to avoid any discussion of topics that are undesirable from the perspective of China. In Finland, the targets of influencing may include policymakers, public opinion and individuals of Chinese origin living in Finland. China uses Chinese communities outside China as channels of influencing, for example, through various organisations linked to them. 

China guards its public image very carefully and responds quickly when it feels that its interests are being violated. This becomes particularly emphasised in situations where, for example, a negative news item attracts international media attention. When China is mentioned in an unfavourable light, Chinese parties may react to the situation even without being guided to do so by the state. 

China practises refugee espionage in Finland, seeking to monitor and control its former and current citizens living in Finland who it views as a national threat. In case of refugee espionage, China may pressure and harass the targeted individuals or their family members or friends in different ways. 

Chinese intelligence services are flexible at exploiting different modes of operation

The Chinese intelligence services are using online platforms in their efforts to establish contacts with target individuals. When targets are approached online or via social media platforms, the approaches cannot always be clearly linked to China. For example, a regular professional recruitment process can be used as a cover for attempts of Chinese intelligence to approach their target. This means a Chinese intelligence service establishing a contact with the person of interest disguised as a recruiter or using a recruitment company. 

China uses different kinds of contact persons in its intelligence activities. The contact persons serve as a link between the intelligence officer and the actual target of intelligence, making it more difficult to detect the intelligence activities and connect them to Chinese intelligence organisations. In the future, the Chinese intelligence services will probably seek to develop their practices to make it increasingly difficult to link individual approaches or contacts to China or Chinese intelligence organisations.  

If an individual is requested for sensitive information or invited to China, these may indicate that the party behind the contact is a Chinese intelligence service.

China’s cyber operations are increasingly focused on Western critical infrastructure

China engages in cyber operations globally, targeted also at Finland. While foreign and security policy themes continue to play a significant role in the targeting of cyber activities, in recent years, Chinese cyber operations have increasingly focused on Western critical infrastructure. China actively seeks to create opportunities for practising cyber influencing in Western countries. 

The speed, intensity and scale of Chinese cyber operations are largely determined by China’s extensive cyber ecosystem. Using legislative obligations and financial incentives, China has integrated education, research and business sectors into producing the skills, services, tools and vulnerabilities needed for cyber operations. 

In particular, the Chinese intelligence services exploit the national cyber enterprises to acquire cyber infrastructure, vulnerabilities, intrusion tools and expertise. Correspondingly, the obligation posed by Chinese legislation to report new software and hardware vulnerabilities first to state authorities has ensured that Chinese intelligence organisations have excellent starting points for exploiting such vulnerabilities in cyber operations. The centralised management of vulnerabilities has partly defined which targets the Chinese intelligence services select. On the other hand, it has also made the exploitation of vulnerabilities more efficient and made it harder to identify the attacker, as all Chinese intelligence organisations are using the same vulnerabilities and software in their own cyber operations.  

China continues to actively use the Finnish infrastructure, such as servers leased from data centres and compromised consumer network devices, in its cyber operations targeted against third countries. In recent years, the most prominent trend characterising China’s cyber operations has appeared to be intrusions into poorly protected home routers and their integration into so-called shadow networks. For the Chinese intelligence services, the shadow networks have enabled not only very comprehensive information gathering and improved opportunities to cover their tracks but also means of exerting influence. Shadow networks, together with the extensive use and popularity of Chinese network devices, reflect China’s ambitions to build global signal intelligence capabilities.

The control of supply chains built by China makes Western countries increasingly dependent on Chinese technology. The growing dependence of the West on China reduces the room for manoeuvre in foreign policy and makes it more difficult to counter China’s cyber espionage operations. 

Other authoritarian states also practice espionage and influencing

The espionage and influencing operations authoritarian states, such as Iran, target especially at their own citizens is also a matter of importance from the perspective of Finland’s national security. The purposes for engaging in refugee espionage may vary, but one of the key motives of state actors is to control dissidents and suppress any activity with potential to harm the regime. In its state-sponsored operations in Europe, Iran also uses proxy actors to be able to deny any links to the State of Iran, if necessary.