The United Kingdom and European Union on Monday attributed a near-blackout cyberattack against Poland’s energy sector to Russia’s Federal Security Service, then used their first coordinated cyber sanctions package to hit more than 30 people and organizations tied to Russian state and criminal hacking.
The attribution matters because the Polish incident was not a website defacement or another tedious leak-and-boast operation. British authorities said the attack threatened heating for 500,000 people last winter. A senior Polish minister said at the time that the incident came very close to causing a blackout.
London and Brussels blamed Center 16, the FSB’s signals intelligence arm, for attempted sabotage against Polish energy and water systems. The EU also said Russia-linked cyber operations had targeted government networks and critical infrastructure in Austria, Cyprus, Finland, France, Germany, the Netherlands, Poland, Romania and Slovakia.
EU foreign policy chief Kaja Kallas said the bloc condemned what it described as Russia’s use of a cyber ecosystem against public services and critical infrastructure, causing disruption and financial losses. Kallas said Russia relies on intelligence agencies, cybercriminal groups, hacktivists and private firms to conduct operations against Europe and its partners.
Attribution shifted from GRU-linked hackers to the FSB
Early assessments by the cybersecurity companies ESET and Dragos had linked the Polish grid attack to Sandworm, a group associated with Russia’s military intelligence agency, the GRU. Poland’s national cyber response team, CERT Polska, later challenged that assessment after tracing infrastructure used in the intrusion to a cluster connected to the FSB.
Poland’s domestic intelligence service separately warned in May that cyber intrusions against water treatment facilities posed a direct risk to continuity of water supply in the country.
The sanctions package reaches beyond Center 16. According to the UK and EU, the targets include Russian intelligence officers, private companies accused of recruiting hackers from Russian universities, operators tied to the Lumma Stealer credential-theft malware, and people linked to the pro-Kremlin military blog Rybar.
The UK said Lumma Stealer has been used to collect credentials from infected computers and that Russia has used stolen credentials to support espionage. Britain’s National Crime Agency said more than 2,100 UK victims were infected by Lumma Stealer in the past six months.
British Foreign Secretary Yvette Cooper said the sanctions were aimed at disrupting cybercriminal networks that support Russian intelligence services. The UK also sanctioned 10 people associated with Rybar, including executives and content creators, and accused the outlet of spreading disinformation about Ukraine and interfering in elections in Moldova and Armenia.
France adds its own allegations
France said it would summon Russian Ambassador Aleksey Meshkov over what it called persistent malicious cyber activity for espionage. French Foreign Minister Jean-Noël Barrot accused Russian security services of carrying out cyberattacks for espionage and sabotage in about 10 European countries, including France.
A technical report from France’s Cyber Crisis Coordination Center, known as C4, described Center 16 operations and identified 11 interception centers used by the FSB signals intelligence arm across Russia. The report said Unit 61240 focused on France and named two Russian companies, AO AST and NPP Gamma, as alleged supporters of the unit’s offensive cyber work.
French authorities listed several alleged FSB targets, including French ministry systems in 2014, the French Embassy network in Moscow in 2018, and a research institute working with France’s defense industry in February 2025. France said a significant volume of data was stolen from the institute.
The United States also published a joint cybersecurity advisory with agencies from allied countries warning that Center 16 operators were scanning internet-connected devices protected by default or weak passwords. The mechanism is depressingly basic: find exposed routers and other devices, try bad credentials, then use the compromised systems as footholds or infrastructure.
The Kremlin has repeatedly denied offensive cyber operations. Russian President Vladimir Putin said last month that European claims about Russian sabotage and cyberattacks were baseless and intended to justify aggressive plans against Russia.
This story draws on original reporting from The Record.