Finland’s intelligence service warned that state-backed cyber espionage remains a persistent threat to the country, with Russia and China actively targeting government networks, technology firms, and research institutions. In its latest national security assessment, the Finnish Security and Intelligence Service (Supo) said cyber operations have become a key tool for foreign intelligence services seeking to steal sensitive information and monitor decision-making processes within Finnish institutions.
In its ‘National Security Overview 2026’ report, Supo notes that Russia has increasingly relied on cyber espionage to compensate for declining traditional intelligence capabilities, using intrusions into information systems to collect data on individuals and organizations. “Besides targeting the central government and foreign and security policy actors, Russia has also targeted its cyber intelligence acquisition at products and innovations suited also for defence and military applications. Russia is seeking to gather information to support its war of aggression in Ukraine. Russian intelligence services have also surveyed the structures and security arrangements of the network and physical infrastructure of the information systems used by Finnish organizations.”
Chinese cyber activity targeting Finland also remains active, with authorities warning that attackers sometimes exploit Finnish network infrastructure and poorly secured devices to conduct cyber operations, including campaigns directed at third countries. The report added that while foreign and security policy themes continue to play a significant role in the targeting of cyber activities, in recent years, Chinese cyber operations have increasingly focused on Western critical infrastructure. China actively seeks to create opportunities for practising cyber influence in Western countries.
Supo reported that Finland is increasingly often among the countries targeted by extensive multinational cyber operations of Russian intelligence services. Russia has focused its broadly based information gathering activities on Western intelligence communities, foreign policy experts and journalists, among others. Russia’s active cyber intelligence gathering constitutes a major intelligence risk in international politics and for civil servants, experts and researchers working on Russia-related themes.
“Russia’s increased interest in exploiting supply chains as part of cyber espionage reflects the opportunistic but also methodological developments in the field,” according to the National Security Overview 2026 report. “In its cyber operations targeted at Finland and Western countries, Russia has exploited the weaknesses in the supply chains of information systems commonly used by Western countries. For example, from the perspective of cyber espionage, cloud services offer a good input-output ratio: an intrusion method developed for an organization in the cloud supply chain can provide a route to the data of numerous clients using the same cloud service.”
Russian intelligence services also regularly use Finnish infrastructure in operations against third countries. Russia has also been found to have adopted modes of operation customarily used by China to compromise consumer network devices as part of its anonymization infrastructure.
The compromised consumer network devices make it possible to disguise harmful cyber activities as conventional network traffic, while also making it difficult to identify and trace the perpetrator. Compromised consumer routers offer yet another possibility to gather cyber intelligence outside the reach of the target organizations’ Security Operations Centre. For example, a compromised home router may provide access to network traffic between a remote worker and the target organization’s systems.
The National Security Overview 2026 also mentioned that Russia utilizes information obtained through cyber espionage in its influence activities targeting Western countries, including Finland. For example, Russia seeks to defame and harass target countries, individuals or organizations by leaking illegally acquired and partly distorted data through so-called hack and leak operations, falling in the middle ground between cyber and information influencing.
Correspondingly, the boundary between cyber criminals and state cyber espionage actors has faded in recent years. The role of proxy actors is estimated to have grown in intelligence gathering and influencing taking place in the cyber environment. Distributed-Denial-of-Service (DDoS) attacks against Finland and other Western countries by pro-Russian hacktivist groups, which have become the most prominent phenomenon in cyber activity in recent years, have also continued.
The report identified that cyber operations, which provide an easy way of gaining visibility, are aligned with cyber-influencing activities that serve Russian interests. Malicious cyber assaults, or Denial-of-Service (DoS) attacks, are very likely to continue in the future. In most cases, the effects of such activities remain minor, but efforts to generate greater real-world impacts can also be detected.
The National Security Overview 2026 recognizes that the speed, intensity and scale of Chinese cyber operations are largely determined by China’s extensive cyber ecosystem. Using legislative obligations and financial incentives, China has integrated education, research, and business sectors into producing the skills, services, tools and vulnerabilities needed for cyber operations.
In particular, the Chinese intelligence services exploit the national cyber enterprises to acquire cyber infrastructure, vulnerabilities, intrusion tools and expertise. Correspondingly, the obligation posed by Chinese legislation to report new software and hardware vulnerabilities first to state authorities has ensured that Chinese intelligence organizations have excellent starting points for exploiting such vulnerabilities in cyber operations.
The centralized management of vulnerabilities has partly defined which targets the Chinese intelligence services select. On the other hand, it has also made the exploitation of vulnerabilities more efficient and made it harder to identify the attacker, as all Chinese intelligence organizations are using the same vulnerabilities and software in their own cyber operations.
“China continues to actively use the Finnish infrastructure, such as servers leased from data centres and compromised consumer network devices, in its cyber operations targeted against third countries,” according to the National Security Overview 2026. “In recent years, the most prominent trend characterising China’s cyber operations has appeared to be intrusions into poorly protected home routers and their integration into so-called shadow networks. For the Chinese intelligence services, the shadow networks have enabled not only very comprehensive information gathering and improved opportunities to cover their tracks, but also means of exerting influence. Shadow networks, together with the extensive use and popularity of Chinese network devices, reflect China’s ambitions to build global signal intelligence capabilities.”
The report mentioned that control of supply chains built by China makes Western countries increasingly dependent on Chinese technology. The growing dependence of the West on China reduces the room for manoeuvre in foreign policy and makes it more difficult to counter China’s cyber espionage operations.
Recently, a white paper from the Cyber Defense Assistance Collaborative (CDAC) found that since Russia’s full-scale invasion of Ukraine began in 2022, Ukraine has faced a persistent and evolving wave of cyberattacks targeting government systems and critical services, with Russian cyber hackers attempting to exploit the digital domain alongside conventional military operations to disrupt state functions and weaken the country’s ability to govern during wartime. Four years into the conflict, governments, private cybersecurity firms, and research institutions are increasingly studying Ukraine’s experience to draw lessons for future cyber defense assistance models, with the report examining how support from foreign governments, private-sector partners, and coordinating organizations has been structured and delivered to strengthen Ukraine’s cyber resilience.
