Sabotage on the Warsaw–Lublin railway line: Kremlin's hybrid warfare becomes tangible

The sense of growing threat did not appear out of nowhere. From the migration crisis on the Polish–Belarusian border in 2021, through Russia’s full-scale aggression against Ukraine in February 2022, Poland has gradually become one of the main targets of actions „below the threshold of war.” At first these were primarily disinformation and polarizing operations; later came reconnaissance of soft targets; and finally a series of arsons at depots, warehouses and logistics facilities.

Investigations carried out by Polish services have shown that the perpetrators of these actions are often people recruited via messaging apps — including members of the Ukrainian and Belarusian diasporas — motivated by the simple promise of financial reward. Poland is not an exception to this phenomenon. Similar schemes have been uncovered in other European countries supporting Ukraine. In practice this means that Poland, like other NATO states, has found itself in the zone of an informally waged hybrid war in which Russia combines traditional intelligence tools with modern technologies and the outsourcing of operatives.

Infrastructure - a natural target

Poland’s critical infrastructure — energy, railways, bridges, pipelines, logistics warehouses — is by nature extensive, partly open and difficult to protect fully. A mixed ownership structure (state–private sector), uneven security standards, a shortage of personnel and chronic underfunding of physical protection mean that the level of security is uneven and responses to incidents are often delayed or fragmentary. Added to this are complex supply chains, numerous subcontractors and loosely supervised segments of infrastructure, which multiply the number of potential points of compromise.

These structural weaknesses are compounded by a sharp increase in hybrid threats — the war in Ukraine, geopolitical tensions and a series of sabotage cases in Europe mean that infrastructure has become one of the main instruments of pressure. Many technical and IT systems were developed at a time when risk levels were lower, and their later „connection to networks” did not always come with a commensurate upgrade of security standards. Organizational gaps and human error can in this context be as dangerous as the absence of fencing or surveillance.

Russian diversion: cheap, indirect, no signature

Russian sabotage activities serve three principal functions:

• They raise the costs of support for Ukraine — by disrupting logistics for the delivery of weapons and equipment.
• They test NATO states' resilience to low-intensity operations — forcing them into continuous, costly protection of infrastructure.

They exert psychological pressure — a series of fires or explosions, even without casualties, heightens the sense of threat and can undermine support for further engagement on Kyiv’s side.

Specialized GRU and FSB structures are responsible for such operations, operating with a precise division of roles. The GRU carries out physical actions in the field; the FSB focuses on penetration and disruption of infrastructure in cyberspace.

Increasingly, however, the „dirty work” is carried out by intermediaries — local criminals, migrants, people seeking quick earnings — recruited through closed messaging channels. This model lowers costs, increases the reach of operations and dramatically complicates attribution: the detained perpetrator often has no idea who actually commissioned the task.

Systemic weaknesses: Law, practice, coordination

From Poland’s perspective, the discrepancy between the scale of the threat and the state’s real response is particularly worrying. Under Article 130 § 7 of the Penal Code, sabotage on behalf of a foreign intelligence service carries a penalty of at least 10 years« imprisonment or life imprisonment, but case law shows a different reality.

In the high-profile case of the „sabotage-terrorist group” responsible for a series of arsons in Poland and other EU countries, sentences of 5.5 years, 2.5 years and 1 year and 4 months of imprisonment were imposed. In another case concerning preparations for diversion in Wrocław, the sentence was ultimately reduced on appeal to 3 years« imprisonment.

Experts speak frankly of a „prevention gap.” The law formally provides for severe sanctions, but courts often impose penalties at the lower end of the scale, especially where the act remained at the preparation stage or the perpetrator’s role was auxiliary or financially motivated. For a person recruited online, a few years in prison in exchange for a few tens of thousands of euros may be an acceptable risk — especially if they believe the chance of detection is low.

Additionally, the system remains largely reactive. Various services — the police, ABW (Internal Security Agency), CBŚP (Central Bureau of Investigation), the prosecutor’s office — operate in parallel, which hinders coordination, slows information exchange and blurs lines of responsibility. There is a lack of a single, cross-party security strategy that would integrate counterintelligence, police and military actions into a coherent model for responding to hybrid war.

Systemic gap: Status of the Railway Protection Guard

Against the backdrop of growing threats, the problem of the Railway Protection Guard (Straż Ochrony Kolei, SOK) appears particularly serious. SOK — formally responsible for protecting railway infrastructure, including hundreds of kilometers of track, bridges, stations and traffic control equipment — is not a state service but a formation subordinate to the company PKP PLK S.A. It does not have the status of a uniformed service and is not an element of the national security system.

In practice this means that the entity responsible for protecting infrastructure crucial to NATO troop mobility, the transport of raw materials and economic security operates outside the state’s crisis response system. SOK functions with limited resources, inconsistent procedures and without access to central channels of information distribution.

When Russia strikes at the railway as the „logistical lifeblood of the West,” this is a gap of fundamental importance. Rail remains one of the easiest targets for sabotage — dispersed, hard to monitor and often poorly protected. Increasingly the question is asked whether SOK in its current form is capable of responding to the new scale of threats.

It is increasingly obvious that SOK should be — like the Border Guard or the State Fire Service — a full-fledged element of the national security system, operating to standards of unified training, communications and cooperation with ABW, the Police, the Military Police and analytical centers. Only then can one speak of a real capability to counter railway diversion, which is one of the cheapest and most effective tools of Russia’s hybrid war.

The grand deficit: No national information community

The key weakness remains the absence of a statutorily enshrined „information community” — a structure integrating civilian, police and military services working on common data and analyses. Without it, the state operates in departmental silos, producing conflicting or fragmentary assessments.

Meanwhile the nature of the threats has fundamentally changed: Russia bases its intelligence on influence operations, disinformation, social polarization and locally commissioned sabotage. Classical counterintelligence tools are not sufficient. What is needed are:

• permanent information-fusion centers,
• a common analytical cycle for the services,
• unified priorities,
• rapid, joint situational assessments for decision-makers.

A reliable, cross-party audit of Russian influence in Poland has still not been carried out. Political disputes and ad hoc initiatives have taken its place, leaving room for the adversary.

An additional risk is the lack of systemic vetting of large Russian- and Belarusian-speaking diasporas, among which — alongside opponents of Russia — there are also people susceptible to financial pressure or sympathetic to it. In conditions of ongoing hybrid war, much stricter standards for access to sensitive information and cyclical personnel vetting are required.

What's next? From fighting fire to tangible deterrence

Sabotage threats are long-term in nature and require deep systemic changes from Poland. It is necessary to modernize and standardize protective measures for critical infrastructure to eliminate the weakest links and ensure a uniform level of protection.

At the same time the state should consistently apply high sanctions for sabotage inspired by foreign services so that the law performs a real deterrent function. Equally crucial is the establishment of a national information community that would integrate the actions of civilian, police and military services, providing decision-makers with a coherent picture of the situation.

This requires rebuilding staff in the fields of intelligence, counterintelligence, cybersecurity and data analytics, as well as systemic vetting of people with access to sensitive information. A fundamental element of reform regarding railway infrastructure should also be consideration of raising the status of the Railway Protection Guard and integrating it into the national security system so that the protection of railway infrastructure corresponds to the real scale of threats.

No-less important is building society’s resilience to disinformation and influence operations, without an aware society even the best technical protections will prove insufficient.

The war of sabotage is already underway — on railway tracks, in warehouses, in power networks and logistics chains. Therefore the essential question is not whether Russia will renew attacks, but whether Poland will be able to create a system that will realistically raise the cost of such operations for their principals before the first victims appear.