French investigations into suspected sabotage and espionage attempts point to a widening security problem for Europe: Russia-linked operations are increasingly targeting transport infrastructure and defence industry inside EU and NATO states.

French authorities are investigating several suspected Russia-linked sabotage and espionage cases, including incidents involving railway infrastructure and a military drone manufacturer supplying equipment to French and Ukrainian forces.

The cases underline a growing concern among European security services: that Russia’s covert activity in Europe is no longer limited to traditional intelligence collection, cyber operations or influence campaigns, but increasingly includes low-cost sabotage attempts, surveillance of defence production and the recruitment of disposable proxies.

One investigation concerns a suspected attempt to damage railway infrastructure. Another centres on a Belarus-born man detained near Toulouse after allegedly filming a drone prototype at a factory linked to French and Ukrainian military supply. A separate case has examined the discovery of a device capable of interfering with a ferry’s controls.

The cases remain subject to legal process, and the suspected Russian connection has not been established in court. However, French counterintelligence officials are reportedly treating them as part of a broader pattern of hostile activity aimed at testing Europe’s internal security and disrupting support for Ukraine.

The drone-factory case is particularly sensitive because it involves the defence-industrial chain. European support for Ukraine now depends not only on political decisions and military aid packages, but also on the ability of factories, suppliers, testing facilities and logistics sites to operate without interference. A small act of arson, surveillance or disruption can have consequences beyond the immediate damage if it delays production or exposes technical information.

This is why the suspected filming of a drone prototype has attracted attention. Drones have become central to the war in Ukraine, and European companies supplying them are potential targets for espionage. Russia has a direct military interest in identifying designs, production lines, supply routes and vulnerabilities in systems being delivered to Kyiv.

France is not alone in facing this problem. Several European states have warned over the past two years that Russia has intensified hybrid operations, including sabotage, cyber activity, disinformation, intimidation, GPS interference and attacks on infrastructure. The suspected use of individuals recruited through online channels, including Telegram, has made attribution more difficult while lowering the cost of operations.

Such methods allow hostile services to distance themselves from the act while exploiting individuals who may be motivated by money, ideology, coercion or confusion. The operational threshold is low: photographing a sensitive site, placing an incendiary device, damaging a rail component or disrupting communications does not require a trained intelligence officer. But the effect can still be useful if it forces governments to divert resources, increases anxiety around critical infrastructure or slows military supply.

The rail case shows the civilian side of the same threat. Transport networks are essential to the movement of people, goods, military equipment and industrial inputs. A successful attack on a transformer or signalling system can cause disruption disproportionate to the simplicity of the act. It also creates uncertainty over whether similar sites are adequately protected.

The ferry-related investigation illustrates another dimension: the vulnerability of transport systems to technical interference. European security planning has often treated cyber, maritime and transport risks as separate categories. Recent cases suggest those categories are increasingly overlapping, with hostile actors looking for weak points in systems that connect ports, vessels, railways and logistics networks.

For NATO and the EU, the operational challenge is that many of the targets are not military bases. They are factories, rail links, warehouses, ports, telecoms infrastructure, repair sites and transport nodes. Protecting them requires coordination between intelligence services, police, private companies, transport operators and local authorities. It also requires a clearer definition of what counts as a security-sensitive industrial site.

The issue has now reached the level of European policy. EU leaders meeting in Brussels on 18–19 June condemned recent hybrid attacks against the Union and its member states, and called for urgent efforts to strengthen resilience and critical-infrastructure protection.

That language reflects a shift in how European governments view internal security. The threat is no longer confined to events at Europe’s borders or to cyber incidents that can be handled by specialist agencies. It is increasingly physical, decentralised and connected to the war in Ukraine.

France’s investigations do not yet amount to a single proven campaign in court. But they fit a pattern that European governments can no longer treat as isolated incidents. As support for Ukraine becomes more industrialised and long-term, the factories and transport systems behind that support are becoming part of the security contest.

The practical question for Europe is whether protection of the defence supply chain can keep pace with the threat. Police investigations after an incident are necessary, but they are not enough. The harder task is to identify vulnerable sites before they are targeted, limit access to sensitive facilities, improve reporting from industry, and treat sabotage risk as a routine part of defence planning.

Russia does not need a large operation to create disruption. A small number of low-cost actions, if aimed at the right infrastructure, can force European governments into expensive defensive responses. That is the logic of hybrid activity, and it is why the French cases matter beyond France itself.