Between War and Peace: Hybrid Attacks and Their Impact on Critical Infrastructure
Drone overflights at airports and Bundeswehr sites, digital espionage, covert influence operations and “disposable agents”: traditional military conflicts are increasingly being replaced by subtle, multilayered forms of threat. Since the beginning of Russia’s war of aggression against Ukraine, Germany has been confronted with a growing number of such incidents. Companies and operators of Critical Infrastructure now face the challenge of fundamentally transforming their security architectures. GIT SECURITY International spoke with Prof. Dennis‑Kenji Kipker, founder and Research Director of the Cyberintelligence Institute.

GIT SECURITY International: Professor Kipker, in recent times we often hear that the boundaries between peace and war are becoming increasingly blurred. What is your view on this?
Dennis‑Kenji Kipker: It describes the growing dissolution of traditional distinctions between clearly defined military conflicts and periods of formal peace. What is meant is that states and non-state actors deploy measures that are conflict‑oriented but deliberately remain below the threshold of an openly declared military attack. This includes covert, asymmetric, digital and psychologically effective methods that can be flexibly combined. This approach creates a grey zone in which civilian and military spheres overlap, exposing those affected to a permanent state of latent threat.
There have recently been several worrying cases of drone deployments – for example at the airports in Copenhagen and Munich. Could you give us a situational overview?
Dennis‑Kenji Kipker: Since the beginning of the Russian war of aggression against Ukraine, Germany has seen a clear increase in unauthorized drone overflights. The documented figures already exceed several hundred incidents, with more than 440 overflights recorded above Bundeswehr sites alone in 2023. The range spans from large, high‑performance military drones that are presumably controlled from greater distances – such as from ships in the North or Baltic Sea – to commercially available quadcopters operated at close range by individuals.
What exactly are hybrid attacks?
Dennis‑Kenji Kipker: Hybrid attacks describe the strategic combination of various physical, digital, intelligence‑based and psychological tools aimed at destabilizing states, societies or companies without triggering an open military escalation.
These attacks include acts of sabotage, cyber operations, traditional espionage as well as information and influence operations. The combination of different attack vectors makes it difficult to identify the perpetrator and complicates appropriate political or international‑law responses. Proxy groups, cover identities or non‑state organizations are often used for concealment. Due to their multidimensionality, hybrid attacks simultaneously affect operational, structural and psychological levels, creating an environment of persistent uncertainty.
Since the attack on Ukraine, Russian diplomats have repeatedly been expelled. With intelligence officers lacking on the ground, “disposable agents” are now being hired. How exactly does that work?
Dennis‑Kenji Kipker: Following the mass expulsion of Russian intelligence officers across Europe, the FSB and GRU have increasingly shifted to a model of short‑term, digitally recruited “disposable agents.” These individuals are often contacted via social media, receive instructions exclusively through encrypted messenger applications, and act primarily in exchange for payment. Many have a criminal background or a high willingness to take risks, or simply lack awareness of what they are getting involved in. They are used for sabotage operations, explosive attacks or simple espionage tasks.
The link between handlers and agents remains largely anonymous, minimizing the risk for Russian intelligence. Recruitment mechanisms are based on financial incentives, ideological messaging, psychological manipulation or – more rarely – blackmail. Operational control is divided across several intermediaries and layered communication channels. This approach complicates detection and attribution while deliberately amplifying psychological effects such as uncertainty and intimidation.
How well prepared are German companies and Critical Infrastructures for all this?
Dennis‑Kenji Kipker: The preparedness of German companies and Critical Infrastructure operators is currently undergoing major transformation processes. The planned KRITIS Umbrella Act and the European requirements of the NIS2 Directive will create a comprehensive framework intended to harmonize security requirements and significantly raise the level of protection. Many organizations have already begun implementing expanded risk management, reporting and security requirements. Nevertheless, gaps remain in many areas, particularly in physical protection, defense against human attack vectors, and the integration of hybrid threat scenarios into security architectures.
The maturity level varies considerably depending on industry, resource access and the established security culture.
It is now widely accepted that one must prepare for cyberattacks, correct?
Dennis‑Kenji Kipker: The need for action in the field of cybersecurity is widely recognized in the corporate sector. That said, the threat landscape remains dynamic and requires constant adaptation. The NIS2 Directive obliges affected organizations to introduce and continually develop comprehensive technical, organizational and procedural protective measures. This includes, among other things, risk management and reporting obligations.
In many industries, corresponding standards have become established, and especially NIS2‑affected entities, such as large companies and Critical Infrastructure operators, already possess relatively well‑developed cyber‑defense structures. However, SMEs, municipal administrations or educational institutions often still have catching up to do given the scale of the threats.
What about drone attacks?
Dennis‑Kenji Kipker: Compared with cyberattacks, there are significantly greater uncertainties in the field of drone security. A uniform regulatory framework is still lacking, and the planned KRITIS Umbrella Act will only provide concrete specifications through an additional legal ordinance. Technically identifying and countering drones is complex, legally sensitive and often associated with high costs. As a result, many companies and Critical Infrastructures currently possess only limited capabilities to systematically detect, classify or effectively prevent drone activities. The gap between the threat situation and available protective measures is particularly pronounced in this area.
What can companies and Critical Infrastructure operators ideally do? What would an optimal setup look like – and what can they achieve if they do everything right?
Dennis‑Kenji Kipker: An ideal security posture is based on an integrated, multilayered approach that combines technical, organizational and personnel measures. Key components include a systematic understanding of the threat landscape at leadership level, regular awareness and training programs for employees, and a comprehensive risk analysis that incorporates hybrid attack vectors. Building on this, holistic security concepts should be established, incorporating robust early‑warning mechanisms, clear reporting chains, defined response procedures and recurring exercises. Organizations that implement this consistently achieve significantly higher responsiveness in crisis situations and reduce the effectiveness of the psychological impact associated with hybrid attacks. They can minimize operational disruptions, reduce attack surfaces and, ideally, identify vulnerabilities before they can be exploited.