On September 26, 2022, the Nord Stream 1 and 2 pipelines began leaking gas in the exclusive economic zones (EEZs) of Sweden and Denmark. It quickly became clear that the leak was not a technical fault but the result of explosions. In the months and weeks before the leak, Germany, the main importer of the Russian gas carried by Nord Stream, had completely cut its Russian gas imports.¹“Bundesnetzagentur Veröffentlicht Zahlen zur Gasversorgung 2022,” Bundesnetzagentur, January 6, 2023, https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/DE/2023/20230106_RueckblickGasversorgung.html It had also declined to certify Nord Stream 2, the second pipeline, which was full of gas and ready to commence operations.²“Certification Procedure for Nord Stream 2 Suspended,” Bundesnetzagentur, November 16, 2021, https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2021/20211116_NOS2.html Nord Stream AG—Nord Stream 1’s owner—had, in turn, scheduled maintenance suspensions, some of which were not part of standard maintenance. The two pipelines, conceived of during the peak of globalization but long opposed by the Baltic states and Poland, had become so geopolitically fraught that the explosions were quickly interpreted as an act of state-linked sabotage. Most analysts reasoned that Russia must have orchestrated the explosions as an act of revenge against Western countries slashing their imports of Russian gas.

Almost precisely one year later, on October 8, 2023, the Balticconnector pipeline connecting Finland and Estonia began leaking gas in the Gulf of Finland, the easternmost part of the Baltic Sea.³Anne Kauranen and Terje Solsvik, “Finland Says ‘Outside Activity’ Likely Damaged Gas Pipeline, Telecoms Cable,” Reuters, October 10, 2023, https://www.reuters.com/markets/commodities/finnish-government-hold-news-conference-suspected-pipeline-leak-media-2023-10-10/ Investigators soon established that the pipeline had been hit by the Hong Kong-flagged, Chinese-owned boxship Newnew Polar Bear.⁴“National Bureau of Investigation Has Clarified Technically the Cause of Gas Pipeline Damage,” Police of Finland, October 24, 2023, https://poliisi.fi/en/-/national-bureau-of-investigation-has-clarified-technically-the-cause-of-gas-pipeline-damage So had an undersea data cable. Even though different countries and outfits launched individual responses, the Newnew Polar Bear managed to sail through the Baltic Sea and along Norway’s coast before reaching Russian waters, where it was completely out of investigators’ reach.

Just over a year later, the Baltic Sea region was struck by another suspicious undersea incident. On November 17, 2024, a data cable connecting Sweden and Lithuania was damaged. So was a data cable connecting Finland and Germany, the only cable connecting Finland with the European continent. Authorities quickly identified a suspect, the Chinese-owned and Chinese-flagged bulk carrier Yi Peng 3.⁵Elisabeth Braw, “Suspected Sabotage by a Chinese Vessel in the Baltic Sea Speaks to a Wider Threat,” Atlantic Council, November 21, 2024, https://www.atlanticcouncil.org/blogs/new-atlanticist/suspected-sabotage-by-a-chinese-vessel-in-the-baltic-sea-speaks-to-a-wider-threat/ Vessels from different Baltic Sea states shadowed the bulker, but they could not detain it because it was sailing in EEZs, not territorial waters. After sailing through the Danish Straits—which count as international waters, not territorial ones—the ship stopped in Denmark’s EEZ.⁶Ibid. It remained there with China, the flag state, blocking Danish and other local investigators from boarding the ship. On December 20, the Chinese authorities allowed investigators from Denmark, Sweden, Finland, and Germany to board, but only under Chinese supervision and only for a truncated visit.⁷Louise Rasmussen, “China Lets Sweden, Finland, Germany and Denmark Board Ship in Cable Breach Case,” Reuters, December 20, 2024, https://www.reuters.com/world/europe/swedish-police-go-board-yi-peng-3-vessel-invitation-china-2024-12-19/ The following day, the bulker left.

A few weeks later, on Christmas Day, the Cook Islands-flagged tanker Eagle S struck one interconnector (power cable) and four data cables in the Gulf of Finland.⁸Michelle Wiese Bockmann, “Russia-Linked Cable-Cutting Tanker Seized by Finland ‘Was Loaded with Spying Equipment,’” Lloyd’s List, December 27, 2024, https://www.lloydslist.com/LL1151955/Russia-linked-cable-cutting-tanker-seized-by-Finland-was-loaded-with-spying-equipment Because the tanker was a shadow vessel known to the Finnish and Estonian authorities, both had been monitoring it.

There is no standard intergovernmental definition of “shadow vessel,” but the Atlantic Council’s Threats to the global maritime order project has developed this set of criteria.

After the Eagle S had struck the fifth cable and was approaching yet another cable, the Finnish police and coast guard dramatically boarded and detained it.⁹“Boarding of Eagle S ‘Serious Violation of Maritime Safety,’ Says Master,” Lloyd’s List, August 22, 2025, https://www.lloydslist.com/LL1154601/Boarding-of-Eagle-S-serious-violation-of-maritime-safety-says-master They did so in Finland’s EEZ—a highly controversial move because coastal states only have jurisdiction in their territorial waters, with limited rights in the EEZ.¹⁰Ibid. However, the Finnish authorities reasoned that they had no choice but to detain the ship in the EEZ, because not doing so would have resulted in even more cables being struck.¹¹Joshua Minchin, “Eagle S Could Have Cut More Cables, Says Finnish Police,” Lloyd’s List, January 14, 2025, https://www.lloydslist.com/LL1152219/Eagle-S-could-have-cut-more-cables-says-Finnish-police

The following month, the Maltese-flagged bulk carrier Vezhen struck a data cable connecting Sweden and Latvia. When the bulker approached Sweden, authorities escorted it into Swedish territorial waters, then seized it.¹²Alexander Martin, “Sweden’s Elite Armed Police Used Helicopter to Board Suspected Sabotage Ship,” Record, January 29, 2025, https://therecord.media/sweden-vezhen-ship-armed-police-boarded-helicopter However, because the prosecutor couldn’t prove that the bulker’s crew had intentionally released the anchor, the investigation was shelved and the ship and crew were released.¹³“Misstankar om Sabotage Efter Kabelbrottet Avskrivna—Beslagtagna Fartyget Vezhen Släpps,” SVT Hyheter, February 3, 2025, https://www.svt.se/nyheter/lokalt/blekinge/beslagtagna-fartyget-slapps

Between and after these high-profile incidents, ships were spotted behaving suspiciously near undersea cables and pipelines. The sightings, and especially the incidents, have highlighted a troubling reality: governments and undersea-infrastructure operators can no longer assume that ships will only hit undersea installations by accident. On the contrary, they must now assume that the waters above the cables and pipelines are frequented by state and non-state actors wishing to damage these installations.

This matters because existing cables and pipelines are indispensable to the functioning of the countries they connect. What is more, the continuing digital transformation and the advance of artificial intelligence (AI) will require even more undersea data cables, and the green transition will require even more undersea power cables. These undersea power cables transport electricity between different countries, between countries and islands, and between offshore wind farms and the mainland. For Europe, the need to replace Russian gas imports makes undersea pipelines providing gas from Norway essential.

A coordination cell takes on saboteurs and the shadow fleet

Even though it has long been known that saboteurs could target undersea cables and pipelines, countries and organizations affiliated with them have historically refrained from doing so, if only because the United Nations Convention on the Law of the Sea (UNCLOS) bans deliberate damage of undersea installations. Terrorist organizations, for their part, have had little interest in conducting attacks that would not result in dramatic footage. Although some damage to undersea cables and pipelines over the decades has been attributed to criminals, nation-state involvement has been exceedingly rare.

That explains why, in September 2022, the Nord Stream explosions caught Baltic Sea nations and the rest of the world by surprise.¹⁴The countries with Baltic coasts are: Germany, Poland, Sweden, Denmark. Finland, Estonia, Latvia, and Lithuania. In addition, Russia’s Kaliningrad exclave has a Baltic coastline. Because the explosions occurred in the EEZs of Sweden and Denmark, the two countries launched investigations. As one of two countries connected by the pipelines, Germany also launched an investigation. Russia, the other country connected by the pipelines, repeatedly accused the three other countries of not sharing information about their investigations with Russian authorities.¹⁵“The Nord Stream Incident: Open Briefing,” Security Council Report, October 3, 2024, https://www.securitycouncilreport.org/whatsinblue/2024/10/the-nord-stream-incident-open-briefing.php These protestations were widely condemned and ridiculed by Western commentators, who assumed that Russia was behind the explosions.

Even after the incident, Nord Stream’s extremely high profile led the three countries to believe the attack had been a one-off incident. NATO and the Baltic Sea nations did not see a need to establish protocols in case further attacks occurred, though NATO tasked Hans-Werner Wiermann, a retired German general, with mapping out what role the Alliance could play in coordinating the response to future incidents. Wiermann responded by establishing a coordination cell, based at NATO headquarters, which would function as a clearinghouse of information between different agencies in different member states. The coordination cell began operations in early 2023.¹⁶“NATO Stands Up Undersea Infrastructure Coordination Cell,” NATO, February 15, 2023, https://www.nato.int/cps/en/natohq/news_211919.htm

The coordination cell was, however, dependent on receiving all necessary information from authorities in NATO member states, and that stream of information was not yet fully functional when the Balticconnector began leaking gas. The lack of a NATO-wide protocol for such incidents meant that Finland and Estonia activated their national protocols, but that information was not systematically shared across NATO and national authorities. As a result, a few allies and NATO institutions independently discovered that an incident had taken place and began investigating. However, there was no regular coordination between the different entities. That meant that it took hours before the Newnew Polar Bear was identified as a suspect and, by that point, the boxship had left the EEZs of Finland and Estonia and struck a nearby data cable.¹⁷Roula Khalaf and Oliver Telling, “Chinese Vessel Spotted Where Baltic Sea Cables Were Severed,” Financial Times, November 19, 2024, https://www.ft.com/content/383516a5-02db-46cf-8caa-a7b26a0a1bb2 The authorities later realized that the Chinese-owned ship appeared to have cut a data cable in Sweden’s EEZ before hitting the Balticconnector.

Precisely because there were no NATO-wide protocols for such situations, and also because Sweden was not yet a member of NATO, the information did not reach the right authorities and officials quickly enough. That enabled the Newnew Polar Bear to make its way through the Baltic Sea, through the Danish Straits, along the Norwegian coast, and into Russian waters before the respective countries’ authorities—and NATO—could decide what actions to take. (The Newnew Polar Bear had, in coordination with Russian authorities, recently undertaken a pioneering journey through Russia’s Northern Sea Route.¹⁸Elisabeth Braw, “Finland Identifies Pipeline Sabotage Ship,” American Enterprise Institute, October 25, 2023, https://www.aei.org/foreign-and-defense-policy/defense/finland-identifies-pipeline-sabotage-ship/) “Where we were in 2023 was that damage to undersea cables and pipelines was in the risk scenarios, there was acknowledgement that these kinds of incidents could happen,” said Erkki Tori, Estonia’ national security advisor. “But I don’t think that we truly acknowledged the multinational nature of these incidents. What we learned in Estonia after the Newnew Polar Bear incident was that you need to have a very operational relationship with different nations that you share the undersea infrastructure with. And not only on one level, but on multiple levels: the government level, the agency level, but also on the level of the companies that use or co-own the infrastructure.”¹⁹Interview with the author, October 17, 2025.

Since then, communication protocols and coordination have improved. Tori added: “On a bilateral basis [with Finland], we have tried to maintain and enhance the relationships that we built as a response to the Newnew Polar Bear incident. If you move further from there onto a regional perspective, you need such relationships across the region as well, because even just one moving ship might be a problem for various critical undersea infrastructure objects. You need to have the same kind of awareness, the same kind of response protocol throughout the region as well.”²⁰Ibid.

A new NATO task force patrols the Baltic Sea

In March 2024, Sweden was finally admitted to NATO after Turkey dropped its opposition. A few months later, in October, Germany stood up Commander Task Force (CTF) Baltic.²¹“Commander Task Force Baltic Established,” Bundeswehr, October 21, 2024, https://www.bundeswehr.de/en/organization/navy/news/commander-task-force-baltic-established-5850832 While NATO has other CTFs, CTF Baltic took on special significance the moment it was created, as it was seen as another response to the undersea incidents, with a role completely different from that of NATO’s coordination cell.

CTF Baltic, based in the German port city of Rostock, has some ninety naval officers, most of them from the Bundeswehr, with others on loan from Baltic Sea nations and even southern European countries like Italy. It also commands a fleet of naval vessels and some aircraft, most of which belong to the Bundeswehr while others are on loan from allies.

While CTF Baltic’s official task is “to coordinate naval activities in the region with Germany’s allies and provide them with a current joint maritime situational picture around the clock,” its focus since its inception has been on the shadow fleet and threats to undersea installations. “The Baltic Sea may seem like a small ocean, but it’s a significant body of water to patrol,” said Brian Svendsen of the Danish Navy, CTF Baltic’s assistant chief of staff for current and future operations. “We focus on the shipping lanes, on ships that have previously been identified as a potential source of concern, and naturally monitoring the undersea installations.”²²Interview with the author, October 15, 2025.

Although CTF Baltic is a German entity, it undertakes its activities on behalf of NATO’s Maritime Command (MARCOM). It does so not only by patrolling selected parts of the Baltic Sea, but also by monitoring ship movements from land, including through radar. When the leaders of NATO’s Baltic littoral states announced the creation of Baltic Sentry in January 2025, it was not a matter of a new organization but rather a new component for CTF Baltic.²³“NATO Launches ‘Baltic Sentry’ to Increase Critical Infrastructure Security,” NATO, January 14, 2025, https://www.nato.int/cps/en/natohq/news_232122.htm Baltic Sentry essentially added more vessels, patrol aircraft, and staff to the setup already in place in Rostock.²⁴Ibid. “We had found that in order to show that we take the threat to undersea installations seriously, we need allied presence on top of our national presence,” Tori said. “And by we, I don’t mean just Estonia and Finland. On a national basis, we already have ships patrolling. Baltic Sentry is there to show solidarity and as a very practical measure, a way of demonstrating vigilance.”²⁵Interview with the author, October 17, 2025.

Around the same time that NATO allies launched Baltic Sentry, the Joint Expeditionary Force (JEF) activated Nordic Warden, a monitoring system that “harnesses AI to assess data from a range of sources, including the Automatic Identification System (AIS) ships use to broadcast their position, to calculate the risk posed by each vessel entering areas of interest.”²⁶“Joint Expeditionary Force Activates UK-Led Reaction System to Track Threats to Undersea Infrastructure and Monitor Russian Shadow Fleet,” Government of the United Kingdom, press release, January 6, 2025, https://www.gov.uk/government/news/joint-expeditionary-force-activates-uk-led-reaction-system-to-track-threats-to-undersea-infrastructure-and-monitor-russian-shadow-fleet Nordic Warden was also integrated into CTF Baltic’s operations. (The United Kingdom-led JEF also comprises Denmark, Estonia, Finland, Iceland, Latvia, Lithuania, the Netherlands, Norway, and Sweden.)

Only a few weeks after CTF Baltic was launched, the Yi Peng 3 incident occurred, and the Eagle S and Vezhen incidents occurred after that, but the Baltic Sea has not experienced any suspicious undersea incidents since January 2025. “That is a sign that the deterrence we provide is working,” Svendsen said. As with all deterrence, it is impossible to ascertain whether the deterrent has worked or whether no further incidents were being planned, but mounting deterrence is better than testing one’s luck without it.

Either way, the Baltic Sea countries today have in place collaboration, monitoring, and response options that are a far cry from where they were when the Newnew Polar Bear struck the Balticconnector in October 2023. When shadow vessels approach undersea cables and pipelines, CTF Baltic monitors them. Should another vessel start behaving suspiciously around undersea installations, the task force will detect that too. Also, coastal states’ coast guards and navies conduct regular patrols, and the countries’ authorities systematically share updates in a manner that simply was not in place in mid-2023 and earlier. Their efforts also show how NATO member states can succeed in addressing regional threats without the entire Alliance needing to become involved.

In addition, Tori noted, the European Union (EU) is also part of the efforts to restore order in the Baltic Sea, not just through its sanctions on specific shadow vessels. EU officials also engage with counterparts in the countries that flag the shadow vessels. Today such countries—flags of extreme convenience, to use the phrase coined by this author—include the Gambia, Sierra Leone, and Comoros. In a noteworthy development that reflects European outreach, Barbados, Gabon, and the Cook Islands—which had been popular flag states for shadow vessels—have announced they will de-flag ships sanctioned by Western governments.²⁷Braw, “The Threats Posed by the Global Shadow Fleet—and How to Stop It”; “Top 7 Geopolitical Disruptions in Q3 2025,” Windward, last visited October 28, 2025, https://windward.ai/knowledge-base/top-7-geopolitical-disruptions-q3-2025/ While incidents involving undersea infrastructure are not limited to shadow vessels, the fact that shadow vessels skirt rules and have opaque ownership structures makes them more likely candidates for suspicious incidents than conventional ships.

In addition, the EU is implementing its Action Plan on Cable Security, which it passed in February 2025. Among other measures, the plan involves steps to further develop information exchange and strengthen joint repair capabilities.²⁸“Joint Communication to the European Parliament and the Council: EU Action Plan on Cable Security,” European Commission, February 21, 2025, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52025JC0009

If, or when, another suspicious incident involving undersea cables or pipelines occurs, it is less clear how NATO, the EU, or the nations and entities now involved in the efforts to protect this infrastructure would respond. “We’d deploy there straight away, and it’s important to remember that the Baltic Sea is bigger than it seems,” Svendsen explained. “We can’t be everywhere all the time. In case of an incident, we’d deploy to the site and monitor it, but the response is up to the coastal state because it decides what can be done depends on that country’s legal system. And it’s important to remember that the owners of cables and pipelines have primary responsibility for their security. CTF Baltic and NATO are there to assist, but not to provide all-round security.”²⁹Interview with the author, October 15, 2025.

As a military alliance, NATO is also not in charge of responding to suspected underwater sabotage; coastal states are. In the Baltic Sea, vessels seconded to CTF Baltic can return to national command if needed in incident response. But the question remains how the coastal states and NATO would respond. For now, they seem to bet that patrolling and monitoring the Baltic Sea will deter sabotage of undersea installations—but like all deterrence efforts, these activities are at best an educated guess. The real test for the Baltic Sea nations, and NATO, will arrive if—or when—a vessel ignores CTF Baltic’s patrols and coastal states’ instructions to change course.

From the Baltics to the South China Sea

The Baltic Sea is the region most affected by Russia’s shadow vessels and—together with Taiwan—the region most affected by suspicious incidents involving undersea cables and pipelines. At the time of the Newnew Polar Bear incident in October 2023, individual countries had impressive response protocols, but there were no real protocols involving information sharing and response with other countries. That situation has dramatically improved. Today, the Baltic Sea countries systematically share information, aided by NATO’s coordination cell, and consistently exchange updates and information with cable and pipeline operators, while national authorities and CTF Baltic monitor traffic around the clock and are able to deploy in case of an incident.

What is less clear is how CTF Baltic and national authorities would respond in case of an incident in which a vessel refuses to obey orders to move or has already struck a cable or pipeline and refuses orders to halt. Such rules of engagement cannot be established by CTF Baltic or national authorities. Instead, they depend on what NATO decides constitutes an aggressive act that could trigger Article 5.

CTF Baltic and Baltic Sea countries can bring further attention to suspicious incidents by adopting the Philippines’ strategy of total transparency. In contested parts of the South China Sea, where the Chinese Coast Guard and Maritime Militia harass Philippine and other vessels, the Philippine Coast Guard patrols the waters and films each dangerous Chinese activity. At times, the Philippine Coast Guard also invites reporters on board its vessels. This gives the public at home and abroad a better understanding of the dangerous activities transpiring in the South China Sea. A similar strategy could help educate the public about the situation in the Baltic Sea. As in the South China Sea, those involved in dangerous activities in the Baltic Sea are likely to be immune to naming and shaming, but public attention would increase the pressure on them and, at the same time, educate the public about actions their governments might need to take.

Fellow

Elisabeth Braw

Senior Fellow

Scowcroft Center for Strategy and Security Transatlantic Security Initiative

NATO Resilience & Society

Threats to the global maritime order

Learn more about the Atlantic Council’s project Threats to the global maritime order: Protecting the freedom of the seas.

Issue Brief Jun 5, 2025

The world needs a maritime ‘elite league’ to combat rogue shipping

By Elisabeth Braw

Geopolitical tensions are undermining the mostly apolitical system that has regulated shipping since the 1950s, but hazards remain on the high seas. Countries interested in curtailing the rise of shadow vessels and the associated risks of accidents and environmental damage should band together to keep their waters places where the highest standards apply.

Economy & Business International Organizations

Report Jan 23, 2025

From Russia’s shadow fleet to China’s maritime claims: The freedom of the seas is under threat

By Elisabeth Braw

This report analyzes the deterioration of the global maritime order, focusing on rule violations in areas including maritime border alteration, harassment of civilian vessels, and disturbance of navigational tools

China Europe & Eurasia

Report Dec 6, 2024

The threats posed by the global shadow fleet—and how to stop it

By Elisabeth Braw

Since 2022 the number of aging ships whose ownership, insurance status, and safety is unknown has exploded, prompted by Russia’s reliance on this “dark fleet” to ship its oil in defiance of Western sanctions. What can be done about this environmental, economic, and safety threat on the high seas?

China Europe & Eurasia

The Transatlantic Security Initiative aims to reinforce the strong and resilient transatlantic relationship that is prepared to deter and defend, succeed in strategic competition, and harness emerging capabilities to address future threats and opportunities.

Learn more

Image: NATO announced Baltic Sentry 2025, a multi-domain vigilance activity aimed at increasing maritime situational awareness in the Baltic Sea area, to deter and defend against attacks on Critical Undersea Infrastructures (CUI). NATO MARCOM 2025