Skip to content
    Back to News
    Intelligence 13 July 2026

    Daily Security Brief — 13 July 2026

    GRU-linked actors confirmed targeting Western European energy grid control systems; NATO Steadfast Cobalt exercise exposes CBRN response gaps across four member states; Sahel evacuation corridor activated for third-country nationals in Burkina Faso.

    GRU-linked actors have been confirmed by AIVD and BfV joint assessment as conducting active reconnaissance against Western European energy grid control systems, with the Netherlands, Germany, and Belgium identified as primary targets. The activity pattern — scanning industrial control interfaces, probing substation SCADA access points, and mapping grid topology via open-source and direct technical means — is consistent with pre-positioning for disruptive operations rather than immediate kinetic action. Separately, NATO's Steadfast Cobalt exercise — the alliance's largest annual CBRN readiness drill — concluded on 11 July with after-action findings documenting response gaps in four member states.

    Intelligence Brief — 13 July 2026

    Sources cross-checked: Reuters, BBC World, Breaking Defense, The Defense Post, War on the Rocks, The Record, AIVD/BfV joint advisory, NATO press releases. Coverage window: 24 hours prior to 08:00 CET. Pro-EU and NATO-aligned sources only.

    Global Threat Landscape

    • GRU-linked actors pre-positioning against Western European energy grids [corroborated] — A joint AIVD–BfV threat assessment confirms that GRU-linked cyber actors are conducting systematic reconnaissance against energy grid control systems in the Netherlands, Germany, and Belgium. The activity includes direct SCADA interface scanning, targeted phishing against operational technology (OT) engineers, and physical surveillance of unguarded substation perimeters. Attribution is assessed with high confidence based on tooling overlap with previous Sandworm incidents. The finding has direct implications for security managers at energy operators and their supply-chain contractors: access control to OT environments, personnel vetting, and physical perimeter integrity all require immediate review. Organisations without a documented OT security posture are operating with unacceptable exposure.
    • Sahel evacuation corridor activated — Burkina Faso deterioration [corroborated] — The Dutch Ministry of Foreign Affairs activated a formal evacuation corridor for third-country nationals in Burkina Faso following a sustained junta-aligned militia offensive in the Sahel central corridor. France, Belgium, and Germany issued parallel updated travel advisories, all at the highest restriction level. Commercial security operators with personnel or client assets in Burkina Faso, Mali, or Niger should treat overland extraction as the primary route — the Ouagadougou airport has experienced access disruptions. Operators who have not completed in-country route validation in the last 60 days should not assume previous corridors remain open. Relevant capability: hostile-environment safety planning.
    • Taiwan Strait: People's Liberation Army Navy grey-zone escalation — PLA Navy vessels conducted a coordinated 18-hour grey-zone operation in the Taiwan Strait on 12 July, crossing the median line repeatedly without triggering a kinetic response. The operation included electronic jamming, simulated close-pass engagements, and coordinated commercial vessel positioning consistent with intelligence collection protocols. The incident is operationally relevant to security managers for European firms with Taiwan-based manufacturing operations or logistics chains transiting the Strait — contingency planning for supply-chain disruption should be current.

    NATO & Allied Sphere

    • NATO Steadfast Cobalt exercise reveals CBRN response gaps [corroborated] — NATO's Steadfast Cobalt 2026 exercise — the alliance's largest annual CBRN readiness drill — concluded 11 July with after-action findings documenting critical response gaps in four unidentified member states. Specific gaps flagged: detection equipment interoperability failures between national CBRN units and NATO standardised kit, insufficient decontamination corridor throughput for mass-casualty scenarios, and command authority ambiguity under Article 5 activation conditions. The findings are classified but were partially disclosed in a NATO SC press release. For security managers: this confirms that allied CBRN response cannot be assumed to function seamlessly in a real incident. Organisations with exposure to CBRN scenarios should not rely on national emergency services as the primary response — their own CBRN preparedness is the only layer they can control.
    • EU Parliament emergency debate — energy infrastructure security directive — The European Parliament held an emergency plenary debate on 12 July on accelerating the legislative timeline for the proposed Critical Energy Infrastructure Protection Directive following the GRU assessment disclosure. Committee chairs from ITRE and LIBE submitted a joint motion requesting expedited first reading. The legislative outcome is uncertain but the political signal is clear: energy sector operators who have not yet engaged with NIS2 OT requirements should expect the regulatory floor to move upward before year-end. Security procurement timelines must be planned accordingly.
    • Dutch MIVD publishes Q2 counterintelligence threat report — The MIVD's Q2 2026 counterintelligence threat report, published 11 July, identifies six active foreign intelligence collection operations targeting Dutch governmental, academic, and defence-adjacent organisations. Three are assessed as Russian state-linked, two Chinese state-linked, one as yet unattributed. The report specifically flags increased physical surveillance activity — human assets conducting reconnaissance around identified personnel — alongside the digital collection already documented in the AIVD sector advisory. Personnel identified in the MIVD's protected categories should ensure their communications security and physical security posture are current.

    Active Operational Environments

    • Iraq: Green Zone access restrictions extended through Q3 — The Iraqi Ministry of Interior has formally extended Green Zone access restrictions for foreign private security contractors through 30 September 2026, following an IED incident near the Zone's southern checkpoint on 10 July. Permits currently under review are subject to an indefinite processing hold. European diplomatic missions and NGOs with operations in Baghdad should confirm their security provider's access status now — restricted contractor access materially changes close-protection configurations and requires contingency planning for personnel movements outside the Zone. Relevant capability: close protection deployment.
    • Colombia: ELN splinter factions targeting foreign mining executives — Three separate targeting incidents against foreign mining company executives in Meta and Caquetá departments were corroborated by Reuters and The Defense Post across the 10–12 July window. ELN splinter factions operating outside the national peace process are assessed as responsible. The incidents follow a pattern of advance surveillance, suggesting targeting packages are being developed before each operation. Foreign nationals in extractive industry roles in Colombia's conflict-affected departments should conduct immediate movement-pattern reviews and avoid predictable routines — including fixed departure times, preferred routes, and routine social media check-ins.

    Request a Tailored Threat Briefing

    Mission Support delivers classified-grade threat assessments for governmental and Tier-1 corporate clients operating in high-risk environments. Relevant capability: Cyber & Technical Security and CBRN Defence Training.