The Russia cyberattack targeting Poland’s critical infrastructure has been formally attributed to Russia’s Federal Security Service (FSB), with the European Union and the United Kingdom announcing a coordinated package of cyber sanctions against Russian-linked hackers and organizations. The move follows an attempted disruption of Poland’s energy sector last winter that officials said came close to triggering a major blackout affecting nearly half a million people.
According to statements released by the EU and UK on Monday, the FSB’s Center 16 was responsible for attempted cyber sabotage against Poland’s heating and power infrastructure, as well as cyber intrusions targeting water treatment facilities. The allies also accused the agency of conducting broader cyber operations against governments and critical infrastructure across Europe.
Russia Cyberattack Linked to FSB’s Center 16 Operations
The European Union said Center 16, the signals intelligence arm of the FSB, has conducted malicious cyber activities affecting multiple member states and international partners. According to the bloc, these operations have included infiltration of government networks, cyber espionage, and sabotage targeting critical infrastructure in France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland.
The EU also stated that Center 16 controls several cyber threat groups, including TURLA, and has been involved in cyber operations against strategic government entities in France since 2010 and the country’s defense industry in 2025. In Germany, it allegedly targeted government institutions, while in Poland it carried out disruptive operations against combined heating and power plants.
British authorities described last December’s attempted attack on Poland’s energy grid as “reckless,” saying it was another example of Russia’s attempts to create disruption across Europe.
Poland Attack Nearly Triggered Major Blackout
The cyber incident targeting Poland’s energy infrastructure last winter was initially linked by cybersecurity firms ESET and Dragos to Sandworm, a threat group associated with Russia’s military intelligence agency.
However, Poland’s national cybersecurity agency, CERT Polska, later disputed that assessment after tracing the attack infrastructure and connecting it to a cluster associated with the FSB.
Separately, Poland’s domestic intelligence service warned in May that cyber intrusions targeting the country’s water treatment facilities posed a direct risk to the continuity of water supply.
EU and UK Expand Cyber Sanctions
In response, the European Union imposed restrictive measures on nine individuals and four entities linked to Russia’s cyber ecosystem. The sanctions target intelligence officers, cybercriminals, self-proclaimed hacktivists, and private companies accused of supporting or facilitating malicious cyber operations.
The wider sanctions package announced by European partners targets more than 30 individuals and organizations, including operators behind the Lumma Stealer malware, companies accused of recruiting hackers from Russian universities, and individuals associated with the pro-Kremlin Rybar military blog.
EU foreign policy chief Kaja Kallas said Russia continues to rely on intelligence agencies, cybercriminal groups, hacktivists, and private companies to conduct malicious cyber operations against Europe and its partners.
She added that the bloc strongly condemns the misuse of this cyber ecosystem, which has targeted public services and critical infrastructure, resulting in operational disruptions and financial losses.
France Details FSB Activities
France also announced additional sanctions and said it would summon the Russian ambassador over what it described as persistent malicious cyber activities conducted for espionage purposes.
A technical report from France’s Cyber Crisis Coordination Center (C4) identified 11 interception centers operated by Center 16 across Russia, including Unit 61240, which it said specifically focused on France.
French authorities alleged that the unit targeted government ministry systems in 2014, compromised the French Embassy network in Moscow in 2018, and stole significant volumes of data from a research institute working with the French defense industry in February 2025.
France also stated that one newly sanctioned group had claimed responsibility for destabilization efforts targeting the 2024 Paris Olympic and Paralympic Games.
Allied Advisory Warns of Ongoing Threats
Alongside the sanctions, the United States and intelligence agencies from a dozen allied countries published a joint cybersecurity advisory warning that Russian operators linked to Center 16 have been scanning internet-connected devices protected by weak or default credentials.
The United Kingdom separately sanctioned individuals connected to Lumma Stealer, describing it as one of the world’s most widely used information-stealing malware families. British officials said credentials stolen through the malware have been used to support Russian espionage operations globally. According to the UK’s National Crime Agency, more than 2,100 victims in the country were infected by Lumma Stealer during the past six months.
British Foreign Secretary Yvette Cooper said the sanctions are intended to disrupt the cybercriminal ecosystem supporting Moscow’s intelligence services, while emphasizing that the coordinated measures send a clear message against the use of proxy cyber groups.
The Kremlin has repeatedly denied conducting offensive cyber operations. Russian President Vladimir Putin has dismissed European allegations of sabotage and cyberattacks as baseless, saying they are intended to justify aggressive policies against Russia.
