Some aspects of Russian agent handling have evolved, but others remain the same. In my upcoming book on Russian intelligence tradecraft (out with Naval Institute Press, April 2026), I have a chapter devoted to Russian “street tradecraft” or how they handle their recruited agents. CIA calls this practice “sticks and bricks.” The RIS train on this heavily at their intelligence academies, including surveillance/countersurveillance techniques, agent signaling and handling, and the use of operational technology in agent communications. These tactics have evolved as well over the years to include satellite- and computer/encrypted-based “covert communications,” or what the Russians commonly call “spets-svyaz.”
Studying these techniques and their patterns is more important than ever with Russia unleashing a wave of covert action and sabotage operations against NATO and the West. Invariably, among those operations, there will be handling of espionage penetrations of NATO countries and their governments. And when they have highly placed agents, or even those placed in the media, companies, or NGOs, the SVR, GRU, and FSB will use the following types of tradecraft to handle them.
Russian Agent Signaling and Handling Practices
Signaling is fundamental to any agent-handling operation (recall that the Russians, like U.S. services, do not refer to their officers as agents—the term agent is reserved for the asset, or foreign spy, being handled). Before any message is exchanged, agents and handlers must confirm that it is safe to communicate and then signal that the material exchange has been successful. Russians use what we often like to call “urban geography,” meaning telephone poles, mailboxes, park benches, or signs: things that won’t typically move but are part of our everyday life and can be easily described to an agent, while still being distinct.
For example, the KGB used telephone and utility poles to mark signals and packages for the recruited cryptographic spy John Walker in the 1980s, while he was betraying the U.S. Navy in the case that became known as the “Walker Family of Spies.” The utility poles had the advantage, as the KGB noted, of each bearing a specific metal plate or identifier, which Walker could verify before dropping his reels of photographed documents, often concealed among various pieces of garbage (such as photographic reels placed in empty soda cans).
Dead drops, or what our British colleagues call “dead letter boxes,” are equally fundamental to Russian agent handling. They call them “tainiki,” meaning “concealed” or “secret place.” The Russians will use sealed and concealed containers — magnets under bridges, hollowed-out stones, or waterproof capsules (sometimes just double-wrapped trash bags) set in quiet locations or buried shallow in parks. These dead drops allow material to be exchanged without face-to-face contact. The method minimizes exposure: no meeting, no surveillance photographs, no conversations to intercept, and no risk of the FBI, British BSIS, or other foreign counterintelligence services following the agent or the Russian intelligence officer (RIO) to the meeting, thereby compromising the op.
And then there are communications protocols. Historically, this meant one-time pads and burst radio transmissions used by Russian agents throughout the Cold War. All of the Russian illegals who were arrested in the “Ghost Stories” case publicized in 2010 were trained and utilized to some extent or another in these systems. They involve encrypted messaging apps, laptops wired for covert exchanges, steganography in digital images, or covert Wi-Fi exfiltration from public spaces.
With all these practices, the same rules endure from the early days of the Bolshevik Chekists: assume compromise is inevitable, and design for resilience and redundancy in agent communications.
Surveillance Operations Abroad
Abroad, the SVR and GRU use surveillance more selectively than at home. Russia is indeed a modern surveillance state, but abroad, the RIS are the hunted and watched. The FSB operates less abroad than its foreign intelligence service and military counterparts, but it has made more forays into foreign work than ever, particularly in special operations and so-called “wet work.” The goal with surveillance, for all three services, is to monitor adversarial services (i.e., all diplomats from NATO and other countries that Russia considers adversaries—a list that is growing), protect their own officers, and, sometimes, use it to find kompromat—compromising material to intimidate potential recruits via extortion.
The SVR and GRU each have dedicated surveillance teams that can deploy abroad under the guise of illegal or other official or non-official covers. But more often than not, they employ their own IOs (intelligence officers/staff officers) from Residencies already abroad to form “pick-up” teams that surveil targets of interest. This is not a best practice, but one they are forced into by the PNGs (persona non grata declarations), or expulsions, of hundreds of their intelligence officers from NATO and other countries in recent years. The RIS no longer have the staffing they once did under official cover at embassies abroad.
Naruzhka, as the Russians term the surveillance art, is never just about “following.” It supports countersurveillance, ensuring GRU and SVR officers are not under adversarial monitoring before a meeting or dead drop. For operational security around meetings, Russians also use surveillance detection routes, which they call “marshrut proverki,” or MPs. When they have the resources to do so, just as in Russia, the SVR, GRU, and sometimes even the FSB map the routines of foreign officials or business leaders. Their goal is to determine whether those targets are viable recruits or potential targets for other operations, like their “direct action” and assassination attempts abroad.
Lessons Learned and Forgotten, From the Cold War
Good counterintelligence isn’t about chasing cinematic spy stories, but about recognizing patterns: subtle signaling behaviors or unusual compartmentation requests. These can be seemingly low-value contacts that, over time, map a network. U.S. and allied services have disrupted sophisticated networks run by the RIS over the years, many times over. Still, the operating environment has unfortunately only become more permissive for spying as methods using technical resources expand.
Global mobility, digital platforms, academic openness, and venture capital ecosystems create frictionless access points that hostile services exploit patiently and methodically. That means counterintelligence tradecraft must be just as disciplined. Allied services need to employ pattern analysis, cross-domain collaboration, and data integration. Defensive briefings need to be practical, not paranoid or meant to intimidate employees. Early anomaly detection inside sensitive programs is important. And above all, we need to exercise our collective institutional memory: understanding that these methods are not new, only repackaged.
Companies, universities, research centers, and startups sit on the front lines, whether they realize it or not. Talent recruitment, joint research proposals, conference networking, investment offers, and data partnerships can all be legitimate, or occasionally something else. The RIS and their Chinese allies understand that long-term access is preferable to short-term theft. They cultivate relationships, not just sources, and they play on ego, especially with academics, diplomats, and businesspeople. The Chinese recruitment of former CIA officer Kevin Mallory is a case in point—recruited and contacted by the Chinese through a job-hunting social media platform.
We are targets — both in the United States and with all of our European allies. We are so, not because of paranoia, but because of capability and innovation that are the envy of Russia. That and our democracy, which Putin fears. He can’t afford for the Russian people to have the benefit of democracy and the freedoms we enjoy. If he allowed it, his reign could not have lasted as long as the longest of the Tsars.
The Russians still use the term “GP” (glavnii protivnik) to refer to the U.S. as the main adversary. Ask any RIO, and they will quickly state that the UK, Germany, and all our NATO allies rank 2, 3, 4, etc. We need to be aware, actively collaborate, and remain constantly vigilant. The brush of a hand against a bench. A benign LinkedIn message. A visiting scholar with a narrowly defined question set. Tradecraft hasn’t disappeared, but has adapted. Vigilance, transparency, and informed skepticism aren’t overreactions. They are the modern equivalent of checking the lampposts and utility poles for chalk marks.
All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the US Government. Nothing in the contents should be construed as asserting or implying US Government authentication of information or endorsement of the author’s views.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.