Skip to content

EU + UK ship first joint cyber sanctions on Russia — FSB Centre 16 and Turla named

EU lists 9 individuals + 4 entities under the cyber regime; UK adds 24 more. FSB Centre 16 designated for the Poland grid attempt; ANSSI ties Turla to FSB unit 61240.

Published 6 min read

On July 13, 2026 the Council of the European Union and the United Kingdom rolled out the first joint EU + UK cyber sanctions package against Russia. The EU listed 9 individuals and 4 entities under the cyber restrictive-measures regime; the UK Foreign Office published its own package covering 24 individuals and entities. The centerpiece of the attribution: the 16th Centre of the FSB, plus GRU leadership and a set of Russia-based operators behind Lumma Stealer. France's cybersecurity agency ANSSI published CERTFR-2026-CTI-005 the same morning — the English-language version of its report on the Turla intrusion set — and Paris confirmed it will summon the Russian ambassador.

Who is designated

EU cyber regime — 9 individuals + 4 entities. The Council press material identifies the FSB's 16th Centre and, per the French Foreign Ministry statement, the list includes a group that claimed destabilisation actions against the Paris 2024 Olympics. This is the first time the EU cyber regime is used against FSB personnel; prior listings targeted GRU units 26165 (APT28 / Fancy Bear) and 74455 (Sandworm).

UK package — 24 designations. The Foreign Office named three GRU senior officers — Vyacheslav Stafeyev, Ivan Senin and Ivan Kasyanenko — for "directing GRU cyber and hybrid threat operations." The UK also designated individuals behind Lumma Stealer, the credential-stealing malware-as-a-service the UK statement says has fed stolen credentials into "cyber espionage operations against targets globally to support the Kremlin's objectives."

Combined, the EU + UK packages hit 24 unique individuals across the two lists per the joint UK-EU statement.

What the FSB Centre 16 is being sanctioned for

The Council's attribution ties Centre 16 to operations against France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland. The two named incidents:

  • Poland's electricity grid, late December 2025. The UK Foreign Office says the FSB's "so-called Centre 16" ran an attack that "failed but could have caused 500,000 citizens to lose electricity in the depths of winter." CERT Polska's January write-up tied a coordinated campaign on 30-plus wind and solar farms — plus a heat-supply plant serving roughly 500,000 customers — to the "Static Tundra" cluster (aka Berserk Bear / Dragonfly / Energetic Bear) already linked in open reporting to FSB Centre 16. UK + EU designation moves that attribution from the analyst layer to the sanctions layer. ESET's independent read connected the malware to Sandworm rather than the FSB; the disagreement is preserved in the record.
  • France, 2010 → 2025. ANSSI's CTI-005 documents intrusion campaigns using the Turla intrusion set against French entities across the diplomatic, defense, justice and technology sectors — the Ministry of Armed Forces email accounts since 2017, the network of the Ministry of Europe and Foreign Affairs at the French Embassy in Moscow in 2018, a justice-sector server in 2019, and a research institute working on sensitive technologies for the French defense industry in February 2025, with data exfiltration ANSSI describes as "significant."

The UK statement additionally attributes election-interference activity to GRU units within the sanctioned scope.

Turla ≠ Sandworm ≠ APT28 — read the intrusion sets

The important pivot in this attribution wave is that the FSB Centre 16 / Turla brand is now being treated as a peer of the GRU intrusion sets in the sanctions record. Turla has been documented under a dozen open-source names — Snake, Uroburos, Pensive Ursa, Waterbug, Secret Blizzard, Venomous Bear, Krypton, IRON HUNTER — and MITRE tracks it as G0010. Its historical toolkit spans Snake / Uroburos, Kazuar, Carbon, Neuron and Nautilus.

Confusing Turla with GRU-linked Sandworm or APT28 has always been a taxonomy problem; the July 13 attribution treats them as distinct services under distinct commands, and the Poland-grid case shows the two intelligence-community reads (FSB Centre 16 vs. Sandworm) can still land on the same target.

Action checklist

  1. Update supplier and third-party screening against the newly published EU + UK sanctions lists. Any of the 9 EU-designated individuals + 4 entities and the 24 UK designations become financial-sanctions matches — treat them as blocking on payments, hosting agreements, and code-signing partnerships.
  2. Re-run detections for the Turla toolkit across at least a 12-month window if you fit the CTI-005 target profile (diplomatic, defense, judiciary, sensitive-technology research, energy). Historical indicators from Snake, Kazuar, Carbon and Neuron are catalogued at MITRE ATT&CK G0010; the ANSSI report is the current-day reference, but the recall window is the older one.
  3. Rotate credentials with Lumma-Stealer exposure risk. If your users' browsers were on stealer-infected hosts in the past year, the UK's designation says the stolen credentials fed into state-linked espionage — treat this as a hard prompt to burn any credential harvested via Lumma-tagged campaigns.
  4. Watch for spillover retaliation. French and German foreign ministries have indicated they will summon Russian ambassadors this week; historically, such diplomatic escalation has been followed by opportunistic wiper and defacement activity from Russia-aligned crews outside the designated units. Keep the incident-response bar tight through the end of the month.
  5. If you run Ukrainian, Polish, or French critical infrastructure OT, treat the Poland-grid attempt as a live pattern. CISA's read-out on the Poland event remains the current playbook for renewable-generation SCADA segments.

Context

This is the fourth EU cyber-regime listing since December 2025 and the first with a Centre-16-of-the-FSB centerpiece — earlier packages had focused on GRU units. It is also the first time the UK's cyber sanctions and the EU cyber regime have been used coordinated on the same day rather than staggered, per the Foreign Office announcement. Bratislava, Warsaw, and Berlin have all filed member-state attribution statements over the past 18 months against Russia-linked cyber activity; today's move consolidates those into a single instrument.

The other structural signal: France attributing publicly to the FSB (not the GRU) is a departure. Prior public French attributions targeted APT28 (GRU 26165) and, in 2024, Nobelium/SVR-linked activity. Naming FSB Centre 16 and its unit 61240 — the granularity ANSSI used — is the strongest French attribution to Russia's internal service to date and folds neatly into the EU sanctions record adopted the same morning.

What other outlets missed

Most wire coverage frames the joint package as "sanctions over cyberattacks" without noting that the Poland-grid attribution is still contested at the intelligence-community level — CERT Polska's public assessment ties the intrusion cluster to Static Tundra (FSB-linked), while ESET's malware analysis pins it to Sandworm (GRU-linked). The UK + EU sanctions move landed on the FSB reading; the disagreement doesn't disappear because the sanctions do. For detection engineers, that means the IOCs to hunt for that incident sit across two toolkit lineages, not one — worth checking your rule coverage before assuming a Turla-only sweep is enough.

Related stories