Russia’s intelligence services are running a coordinated campaign to acquire Western technology through fake companies, cyberattacks and recruited intermediaries and Sweden’s defense industry is explicitly in the crosshairs. Christoffer Wedelin, Deputy Head of Operations at the Swedish Security Service (SÄPO), confirmed the targeting to AP News, naming advanced machine tools, factory equipment and dual-use research as priority acquisition categories.
“They really know what they need, and are putting serious effort into acquiring advanced machine tools, factory equipment, research and dual-use technology,” Wedelin told AP. “All of the security and intelligence services in Russia are helping out on the state’s efforts to get this.”
That last point matters. This is not a single agency operating opportunistically. According to Wedelin, the FSB, SVR and GRU are all contributing to the same procurement effort. The coordination is deliberate and the resourcing is substantial.
Four Years of Sanctions Have Not Stopped the Supply Chain, They Have Changed It
Western sanctions imposed after February 2022 have blocked Russia’s direct access to European machinery, semiconductors and defense-related components. Moscow’s response has been to route procurement through third countries, shell companies and intermediaries who obscure the end destination. The Centre for Strategic and International Studies assessed in 2024 that sanctions have degraded Russia’s defense production capacity in specific categories but have not stopped it. The American Enterprise Institute’s semiconductor sanctions analysis reached a similar conclusion, shortages are real but workarounds are active.
The practical consequence for European exporters is that a legitimate-looking buyer may be a cut-out. Due diligence that would have been adequate in 2021 is not adequate now.
Sweden Is a Specific Target, Not a General One
SÄPO’s public statements have named Sweden’s defense industry and high-end research as specific targets. The Gripen fighter jet programme has been cited in Swedish security reporting as a collection priority for Russian intelligence. That is not a surprise given Gripen’s export reach and the volume of proprietary systems integration work that goes through Swedish suppliers but it confirms that Russian targeting of Sweden is capability-driven, not opportunistic.
Sweden joined NATO in March 2024. That accession raised Sweden’s intelligence value to Moscow and almost certainly, the intensity of Russian collection efforts against Swedish defense contractors and research institutions. SÄPO has been explicit about this connection in its annual threat assessments.
The agencies at AP News that reported Wedelin’s statements have not published a named list of targeted Swedish companies. I would treat any vendor-issued list of specific targets with scepticism until SÄPO or MSB corroborates it. The pattern of targeting is confirmed. The specific current victims are not publicly identified.
The Cyber Component Is a Door-Opener, Not the End Goal
Cyberattacks in this context are primarily reconnaissance and access tools. The objective is technology transfer including getting schematics, production specifications, supplier lists and research data out of targeted organizations. Spearphishing against engineers and researchers, credential theft against company networks and intrusion into supplier portals are all consistent with this objective.
The fake company vector is at least as significant as the cyber intrusion vector and probably harder to defend against. A Russian-controlled front company approaches a Swedish precision engineering firm with a credible purchase order. The Swedish firm has no obvious reason to refuse. The goods or the technical data exchanged during the sales process, reach Russia through a third-country intermediary. No malware required.
This is why technical cybersecurity controls alone are insufficient here. The threat is partly a commercial due diligence problem, not purely an IT security problem. Export control compliance teams need to be involved, not just CISO offices.
What Defense Sector Suppliers Should Check This Week
Any Swedish company that supplies components, materials, software or research services to the defense sector should treat unfamiliar inbound inquiries from new customers as elevated risk until verified. Specifically:
- Verify beneficial ownership of any new business partner, not just the registered company name. Shell company structures are the primary evasion method. Sweden’s Bolagsverket beneficial ownership register is a starting point, it is not sufficient on its own for high-risk counterparties.
- Check whether your products or technical data are subject to export controls under EU Dual-Use Regulation 2021/821. If in doubt, contact the Swedish Inspectorate of Strategic Products (ISP). They have a pre-inquiry function for exactly this reason.
- Unusual interest in production specifications, tolerances or supplier networks during a sales process is a collection indicator, not just aggressive procurement. Flag it internally and report it to SÄPO if the pattern repeats.
- Segment internal networks so that engineering file servers and CAD repositories are not reachable from corporate email infrastructure. This is basic, but SÄPO’s public guidance consistently identifies poorly segmented networks as the entry point in technology theft cases.
SÄPO’s business protection service, Säkerhetspolisens näringslivsskydd provides direct briefings to companies in sensitive sectors. If your organization has not had one in the past 18 months, request one. The service exists precisely for this threat picture.
References
- Russia’s spies seek Western technology as sanctions bite
- Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite
- Out of Stock? Assessing the Impact of Sanctions on Russia’s Defense Industry
- The Impact of Semiconductor Sanctions on Russia
- European Parliament: Sanctions on the Russian Digital Sector
This post is also available in:
Svenska
Related News
Dutch Police Dismantle 17 Million Device Botnet Tied to ASOCKS Proxy Service
Dutch authorities have dismantled a botnet that had recruited 17 million devices into criminal infrastructure without their owners' knowledge. The operation targeted ASOCKS, a residential…
June 1, 2026 
Daemon Tools Hackers Used Valid Certificates to Hide Backdoor for Month
Chinese-speaking attackers compromised Daemon Tools software installers and went undetected for nearly a month. The supply chain attack began on April 8, 2026, with trojanized…
May 7, 2026 
