Protecting Undersea Infrastructure from Russian Sabotage

Subsea communication cables are the invisible backbone of our digital world, carrying 95% of global internet traffic and linking economies, militaries, and societies. As geopolitical tensions escalate, these vital systems are becoming increasingly high-value targets for sabotage.

When suspicious activity emerged around one of Europe’s most critical cable networks, Windward’s maritime intelligence platform uncovered a coordinated pattern in minutes – one that raises serious national security concerns and would have taken weeks to detect using traditional methods.

In this case study, we examine how the pattern was identified, the behaviors that distinguish it, and why they indicated a deliberate, coordinated risk beneath the surface. 

Step 1: Asking the Right Question

It started with a simple query in Windward’s maritime intelligence platform:

Show me Russia-flagged vessels that have loitered for more than an hour over European subsea communication cables in the last 60 days (May 28–July 27, 2025).

Seven vessels matched – all general cargo or pleasure vessels with no operational reason to be anywhere near undersea cables, let alone loitering above them. Three were already flagged as high or moderate risk for smuggling. It was enough to warrant a closer look.

Step 2: Investigating the Vessels

Case A: A Vessel with a History

The first result, Vessel A, was a cargo vessel that had been flagged as high risk since January 2025, with a profile full of warning signs:

• Uneconomical behavior
• Course deviations
• Repeated loitering in sensitive areas

Tracing the ownership exposed an even more troubling reality. The vessel is owned, managed, and operated by a Russian company sanctioned by the Office of Foreign Assets Control (OFAC) for its role in harmful foreign activities.

The ship has been named in open-source reporting for transporting stolen Ukrainian grain, smuggling weapons, and offloading cargo in Venezuela. It’s also listed in the EU’s 14th sanctions package.

On June 10, the vessel loitered for 134 hours, more than 5 days, directly above the Sea Me We 5 cable. That’s not an idle drift, it’s a potential threat.

Case B & C: Two Vessels, One Owner, One Target

Two other cargo vessels also stood out, each loitering over a different cable, in separate regions:

• Vessel B: 9 hours above the Asia-Africa-Europe 1 cable in early July, just south of Sharm el-Sheikh

Using Windward’s Visual Link Analysis, we confirmed that the same Russian company owns both. Of the six vessels owned by this operator, three are flagged high risk, and two have recently loitered over separate cables. This ownership link placed the behavior in a broader, more coordinated context. 

Case D: Old Ship, New Tricks

The fourth vessel, Vessel D, raised red flags for a different reason. It was a 35-year-old cargo ship flagged as high risk for border security on June 2, 2025. Its profile showed:

• Three instances of dark activity
• A major deviation from its typical operating pattern
• 182 days of AIS silence over the past year
• 101 hours of total dark activity

Tracing its background revealed ties to two Russian entities sanctioned by OFAC for links to the Kremlin.

Its behavior was suspicious, too. In late May, the vessel loitered for three hours near Italy, directly above a subsea cable. In early July, it returned to the exact location, repeating the pattern.

Step 3: Seeing the Pattern

When you connect the dots, a clear modus operandi emerges:

• Russian-flagged vessels with no legitimate purpose are loitering over critical European cables
• Some are sanctioned, some share ownership links, and all are behaving in ways that raise serious red flags
• The loitering is repeating behaviors, targeting the same cable infrastructure

The pattern suggests a deliberate method of sabotage, indicating the need for new strategies to safeguard these vital systems beneath the surface. 

Defending Below the Surface

With Windward, what could have taken weeks of manual research became clear in minutes:

• Behavioral anomalies were flagged instantly
• Ownership and sanctions data were surfaced automatically
• Connections were revealed through visual link analysis

These insights turned vessel movements into a clear picture of potential threats, enabling faster and more decisive action. In an environment where sabotage can be silent, prolonged, and state-driven, defending critical maritime infrastructure starts with knowing what’s happening beneath the surface in time to respond.

Discover the Threat Before It Strikes