
A cyberattack that threatened to cut heating to half a million people in Poland last winter was formally attributed Monday to Russia’s Federal Security Service (FSB), as the United Kingdom and European Union imposed their first coordinated package of cyber sanctions against Russian hackers.
The allies blamed Center 16, the FSB’s signals intelligence arm, for acts of attempted cyber sabotage targeting Poland’s energy sector and water treatment facilities, alongside “a wide range of malicious cyber activities with growing severity.”
According to the European Union, the broader range of activities have included “infiltration of governmental networks and sabotage of critical infrastructure” targeting “France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland.”
Last December’s attack on Poland’s energy grid came “very close” to causing a “blackout,” a senior minister said at the time. It was described as “reckless” by British authorities on Monday, adding it was “another example of the Russian state’s irresponsible attempts to sow chaos across Europe.”
Initial attributions by cybersecurity companies ESET and Dragos had attributed the attack to a group tracked as Sandworm, linked to Russia’s military intelligence agency. This was first disputed by CERT Polska who traced the infrastructure behind the intrusion and matched it to a cluster linked to the FSB.
Separately, Poland’s domestic intelligence service warned in May that cyber intrusions targeting water treatment facilities in the country have posed “a direct risk” to the continuity of water supply.
In a statement issued by EU foreign policy chief Kaja Kallas, the bloc said: “We strongly condemn Russia’s behaviour and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses.”
Cumulatively, the sanctions target more than 30 individuals and entities across Russia’s cyber ecosystem, including intelligence officers, private companies accused of recruiting hackers from Russian universities, operators behind the Lumma Stealer credential-theft malware and people connected to the pro-Kremlin Rybar blog.
Kallas said Russia continues to rely on a broad cyber ecosystem comprising intelligence agencies, cybercriminal groups, hacktivists and private companies to conduct malicious operations against Europe and its partners.
The EU said government networks and critical infrastructure in Austria, Cyprus, Finland, France, Germany, the Netherlands, Poland, Romania and Slovakia have been targeted in recent years.
France imposed additional sanctions and said it would summon the Russian ambassador over what it described as “persistent malicious cyber activities for espionage purposes.”
A technical report from France’s Cyber Crisis Coordination Center, known as C4, detailed Center 16’s operations and identified 11 interception centers used by the agency’s signals intelligence arm across Russia. They included Unit 61240, which the C4 said was focused on targeting France.
The French report named two Russian companies, AO AST and NPP Gamma, that allegedly supported the unit’s offensive cyber operations. It also listed several French targets attacked by the FSB, including government ministry systems in 2014; the network of the French Embassy in Moscow in 2018; and a research institute working with the French defense industry in February 2025 from which a significant volume of data was stolen.
French authorities also said one of the newly sanctioned groups had claimed responsibility for destabilization efforts targeting the 2024 Paris Olympic and Paralympic Games. France said it would use all available means to respond to malicious cyber activity ahead of its 2027 elections.
French Foreign Minister Jean-Noël Barrot added Monday that he would summon Russian Ambassador Aleksey Meshkov in the coming days. Barrot accused Russian security services of conducting cyberattacks for espionage and sabotage in about 10 European countries, including France, targeting government ministries, companies and operators of critical services.
A joint cybersecurity advisory was also published Monday by the United States and co-signed by intelligence and security agencies from a dozen allied countries. It warned that Russian operators from Center 16 were scanning the internet for devices protected by default or weak credentials.
The United Kingdom also sanctioned individuals behind the Lumma Stealer malware, which steals credentials from infected computers and has become one of the world’s most widely used information-stealing tools.
British officials said Russia has used credentials stolen by Lumma to support espionage operations worldwide. According to the National Crime Agency, more than 2,100 victims in the U.K. have been infected by Lumma Stealer in the past six months.
“As Russia struggles to sustain its ailing war effort in Ukraine, the Russian Intelligence Service agencies have tasked cybercriminals to collect intelligence to support Russia’s military and foreign policy objectives, threatening security across Europe,” it said, adding it was “another example of Russia using its criminal networks to do its dirty work.”
British Foreign Secretary Yvette Cooper said the sanctions are intended to disrupt the cybercriminal ecosystem supporting Moscow’s intelligence services.
“These sanctions strike at the core of the cybercriminal networks propping up the Russian state’s aggression, and the U.K. and EU are sending a clear message that Russia cannot hide behind its use of these proxy groups,” Cooper said.
The sanctions package also targets 10 individuals associated with the pro-Kremlin military blog Rybar, including senior executives and content creators. Britain accused the outlet of spreading disinformation about Ukraine and interfering in elections in Moldova and Armenia.
The Kremlin has repeatedly denied engaging in offensive cyber operations. Russian President Vladimir Putin said last month European allegations of Russian sabotage and cyberattacks were baseless and aimed at justifying their own “aggressive plans” against Russia.
