"This shift is significant because it likely signals increased focus outside of Ukraine, warning that pro‑Russia influence activity targeting the European Union (EU), North Atlantic Treaty Organization (NATO), and other top targeting priorities may intensify," said Google threat hunters James Sadowski and Alden Wahlstrom.
Google Threat Intelligence: from Ukraine back to the US and Europe
Four years into the Kremlin’s illegal invasion of its neighboring country, Google Threat Intelligence reports that Russian influence operations have refocused away from a near‑exclusive concentration on Ukraine and toward their former primary targets: the United States and Europe. The shift, flagged by James Sadowski and Alden Wahlstrom in a Monday report, centers on covert cyber‑operations intended to undermine political stability within those countries and to erode unity between them.
Five explicit strategic objectives identified by Google
According to the Googlers, pro‑Russia influence campaigns are structured around five concrete goals that serve Moscow’s military and political aims via psychological manipulation. Those goals are: undermining democracy; dividing Western coalitions; promoting Russia’s image and regional interests; maintaining domestic stability; and repressing political dissent within the country. The report says those aims guide the design and deployment of narratives, platforms, and operational tradecraft.
Tactics: content, channels, and destructive cyberactivity
The campaigns use a multi‑channel influence ecosystem that ranges from official government propaganda to covert intelligence operations, hacktivists, and pro‑Russian proxies. Google’s analysis notes the lines between these channels are often blurred, which complicates attribution and gives Moscow plausible deniability for cyber activity. Typical influence techniques include fake news websites offering fabricated political commentary and direct messages that push pro‑Russian narratives.
Crucially, influence activity frequently coincides with disruptive or destructive cyber operations. Google’s report links influence campaigns to incidents involving data‑wiping malware, other destructive cyberattacks, hack‑and‑leak campaigns, and direct cyber‑espionage — an ecosystem in which narrative operations and kinetic‑style cyber activity reinforce one another.
AI as a force multiplier: WithSecure and GreyVibe findings
Google’s team also highlights a forward trend: increased use of artificial intelligence for planning, reconnaissance, and content generation across pro‑Russia information operations. Independent research from WithSecure documented Russia‑linked cyber espionage crews leveraging AI tools to build malware, spin up infrastructure, and craft lures for attacks on Ukrainian targets. The group tracked by WithSecure is called GreyVibe.
WithSecure found GreyVibe used OpenAI's ChatGPT, Google's Gemini, and Ideogram AI across almost every stage of its operations since at least August 2025. Google’s analysts warn that such AI adoption makes cyber operations more efficient and expands the toolkit available to operators conducting influence and espionage campaigns.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: expect influence campaigns to be intertwined with destructive cyber incidents and to exploit AI for faster content production and more convincing lures; defensive planning will need to consider narrative‑and‑cyber combined operations.
- Policymakers and regulators: the reported shift back to Western targets and the blurring of channels complicate attribution and response, increasing pressure to coordinate across diplomatic, cyber, and information‑security policy levers.
- Affected enterprises and procurement leaders: the trend toward AI‑enabled attackers and paired destructive cyberactivity signals a higher operational tempo and potentially more convincing social engineering — enterprise defenses and incident response playbooks should reflect multifaceted campaigns rather than isolated technical intrusions.
Google’s conclusion underscores the practical risk: “As Russia seeks to emerge from international isolation and reorients its influence ecosystem back toward global objectives, it is critical for defenders to understand how this ecosystem provides the Kremlin with a durable influence capability in order to better anticipate future Russian influence threats,” Sadowski and Wahlstrom wrote. Their warning frames a central problem for Western defenders — influence activity that is both durable and adaptable, now sharpened by lessons learned during the war in Ukraine and amplified by AI tools.
The record assembled by Google Threat Intelligence and by WithSecure’s GreyVibe tracking points to a clear operational pivot: influence campaigns that once concentrated on a neighboring battlefield are again aiming at democratic systems and alliances farther afield, and doing so with new tools. How quickly defenders adapt to that combination of narrative craft, cyber destructive capabilities, and AI‑driven scale will help determine whether the reported shift is merely tactical or a lasting strategic recalibration.
