UK and EU Sanction Russian Cyber Hackers Over Poland Attack

News Desk
UK, EU Sanction Russian Hackers Over Poland Attack
Credit: dpa/Technology Khabar

Key Points

  • The UK Foreign Office has sanctioned 24 individuals and entities accused of running cyber and hybrid operations linked to Russia’s intelligence services.
  • The EU has separately sanctioned nine individuals and four entities, including GRU officers and self-declared “hacktivists,” in what it called close coordination with London.
  • The UK and EU have jointly attributed a cyberattack on Poland’s energy grid during winter to Russia’s FSB Centre 16 unit.
  • Senior GRU figures Vyacheslav Stafeyev, Ivan Senin and Ivan Kasyanenko have been named as directing the agency’s cyber and hybrid threat operations.
  • The National Cyber Security Centre (NCSC) has published a fresh advisory on FSB Centre 16’s tactics, warning that the group is exploiting weak router passwords and outdated network protocols.
  • Operators are targeting Cisco devices, the Smart Install feature and web-portal vulnerabilities to seize control of network infrastructure.
  • Communications, defence, energy, financial services, government and healthcare organisations are being told to adopt SNMPv3 and retire legacy protocols.
  • Foreign Secretary Yvette Cooper says the sanctions target the cybercriminal networks propping up the Russian state’s aggression.
  • London says the measures will not weaken British support for Ukraine.

London (Britain Today News) July 13, 2026 – The United Kingdom and the European Union have jointly sanctioned a network of alleged cybercriminals with links to Russia, as Britain’s cybersecurity agency urged operators of critical infrastructure to shore up their digital defences against an intensifying threat from Moscow.

Twenty-four individuals and entities accused of carrying out “destructive” cyber and hybrid operations, including proxy networks tied to Russia’s intelligence services, have been designated by the UK Foreign, Commonwealth and Development Office. The EU confirmed it was imposing its own restrictive measures on nine individuals and four entities, among them GRU officers, self-proclaimed “hacktivists” and cybercriminals, in a package it said had been developed in close coordination with the UK.

Both London and Brussels have also formally attributed a cyberattack on Poland’s energy grid, carried out in the depths of winter, to Russia’s FSB-run Centre 16 cyber-intelligence unit, according to the Foreign Office.

The action lands at a moment when Western governments are increasingly willing to name specific Russian units and individuals rather than issuing broad, unattributed warnings. Officials in London describe the joint package as a step change in how the UK and EU coordinate their response to state-linked cyber activity, moving beyond parallel but separate national sanctions regimes towards a shared attribution process backed by shared evidence.

What Are The New UK And EU Sanctions On Russian-Linked Cybercriminals?

The sanctions package represents one of the most coordinated cyber-focused actions taken jointly by London and Brussels against Moscow-linked actors to date. The UK’s measures cover two dozen individuals and entities said to be responsible for orchestrating cyberattacks, interfering in elections and spreading disinformation narratives about Ukraine across Europe.

Officials say the targets include cybercriminals embedded within proxy networks connected to Russia’s Intelligence Services, as well as state-linked hacking figures directly tied to military intelligence. The EU’s parallel package, covering nine individuals and four entities, was framed by Brussels as evidence of a deepening operational partnership with London on countering hybrid threats emanating from Russia.

Who Are The Individuals And Entities Targeted By The Sanctions?

Among the most senior figures named by the UK are Vyacheslav Stafeyev, Ivan Senin and Ivan Kasyanenko, who the Foreign Office says have directed the GRU’s cyber and hybrid threat operations. The three are described as senior leadership figures within Russia’s military intelligence agency.

The Foreign Office also linked GRU Unit 29155’s cyber division to a company called IMPULS, alleging the pairing was used to recruit hackers and cyber specialists from universities and military academies across Russia to support offensive operations.

Separately, sanctions have been placed on individuals connected to Lumma Stealer, malicious software used by cybercriminals to harvest sensitive information from compromised devices at scale. According to figures cited by the UK’s National Crime Agency, at least 2,100 victims of Lumma Stealer have been recorded in Britain within the past six months alone.

A further set of measures targets ten individuals linked to Rybar LLC, a media operation the UK describes as resourced by the Russian state and responsible for circulating false narratives about Ukraine, including alleged interference in elections in Moldova and Armenia. Officials say this strand of the package reflects a broader concern within government that cyber intrusion and information manipulation are increasingly treated by Moscow as two arms of the same campaign, rather than separate lines of activity.

The EU’s own list includes GRU officers alongside individuals it characterises as self-styled “hacktivists” and cybercriminals operating in support of Russian state objectives. Brussels has not published the full identities of all those designated, though it has confirmed the list includes both military intelligence personnel and individuals operating semi-independently but in alignment with Russian state aims.

Taken together, the two packages illustrate how the UK and EU are treating the boundary between state-directed operatives and criminal proxies as increasingly blurred, with sanctions now applied across that entire spectrum rather than solely against uniformed intelligence officers.

Why Did The UK And EU Blame Russia For The Poland Energy Grid Attack?

Officials in both London and Brussels say the winter attack on Poland’s energy grid bore the hallmarks of Russia’s FSB Centre 16 unit, prompting the joint attribution. The Foreign Office has not detailed the full scale of disruption caused, but the attack is understood to have targeted infrastructure supplying electricity during a period of high winter demand.

The formal attribution is significant because it links a specific, disruptive attack on European critical infrastructure directly to a named Russian intelligence unit, rather than treating the incident as the work of unaffiliated criminal actors.

What Is FSB Centre 16 And How Does It Operate?

FSB Centre 16 is described by British officials as a cyber-intelligence unit operating under Russia’s Federal Security Service. The NCSC’s newly published advisory sets out in detail how the unit has been targeting networks belonging to critical national infrastructure operators across Europe.

According to the NCSC, Centre 16 actors have been observed scanning the internet for devices still relying on default or weak Simple Network Management Protocol (SNMP) passwords and community strings, allowing them to gain unauthorised access to network equipment.

What Vulnerabilities Is Centre 16 Exploiting, According To The NCSC?

Beyond weak SNMP credentials, the NCSC advisory states that Centre 16 operatives have exploited well-known vulnerabilities affecting Cisco devices, including flaws in Cisco’s Smart Install (SMI) feature, as well as weaknesses in web portals, to seize control of network hardware.

The agency’s guidance frames this as an opportunistic strategy: rather than relying solely on sophisticated, bespoke intrusion tools, Centre 16 is said to be exploiting basic, preventable security gaps left open across large numbers of internet-facing devices.

The NCSC’s advisory is aimed squarely at network defenders and system administrators, setting out technical indicators that organisations can use to check whether their own equipment has been probed or compromised. Officials say the decision to publish detailed technical guidance alongside the sanctions announcement was deliberate, intended to convert intelligence about Centre 16’s methods into practical defensive action across both public and private sector networks, rather than leaving the warning at a general level.

Which Sectors Are Being Urged To Strengthen Cyber Defences?

The NCSC has identified communications, defence, energy, financial services, government and healthcare as the sectors facing the greatest exposure to Centre 16’s activity. Organisations in these fields are being advised to move to SNMPv3, the most secure version of the protocol, and to disable legacy versions that remain vulnerable to exploitation.

The advisory is intended to give network defenders concrete, actionable steps rather than general warnings, reflecting growing concern within government that basic configuration failures are leaving essential services exposed.

Security officials note that many of the vulnerabilities being exploited by Centre 16 are not new in themselves, but persist because organisations have failed to retire outdated equipment or update default configurations. The NCSC’s intervention is intended as much to prompt basic cyber hygiene across critical sectors as it is to counter a specific, sophisticated threat actor, reflecting a recurring theme in UK government cybersecurity guidance: that unpatched, poorly configured legacy systems remain among the most exploitable weaknesses in national infrastructure.

What Is Lumma Stealer And How Has It Affected UK Businesses?

Lumma Stealer is malicious software designed to extract sensitive data, including credentials and financial information, from infected devices. British officials say the tool has been used at scale against victims in the UK, with the National Crime Agency recording more than 2,100 cases in the past six months.

The sanctioning of individuals connected to the malware forms part of a wider effort by British authorities to disrupt the commercial infrastructure that supports cybercrime, rather than pursuing attackers only after an incident has occurred.

What Did The EU’s Sanctions Package Involve?

Brussels confirmed restrictive measures against nine individuals and four entities, describing the action as taken in close coordination with London. The EU’s designations include GRU officers, individuals it labels as self-proclaimed “hacktivists,” and cybercriminals it says are operating in support of Russian state interests.

The coordinated timing of the UK and EU packages is intended to project a unified transatlantic and European response to what officials describe as an escalating pattern of Russian-linked cyber aggression.
Explore More about UK:
King Charles Hosts Prince Harry and His Family at Highgrove in First Meeting for Years
Barcelona Comedian Sergi Polo On Learning English And Integrating In London

What Has Foreign Secretary Yvette Cooper Said About The Sanctions?

Announcing the package, Foreign Secretary Yvette Cooper said the measures were designed to “strike at the core of the cybercriminal networks” that she said were propping up the Russian state’s aggression. Cooper added that the UK and EU were “sending a clear message” that Russia could not hide behind its use of proxy groups.

She pointed to the attack on Poland’s energy grid as an example of Russia “sinking to new lows” in efforts to undermine European security, and said the government would continue working with international partners to expose such behaviour and strengthen national resilience against hybrid threats.

What Does This Mean For UK-Russia Relations Going Forward?

Cooper indicated that the sanctions would not affect Britain’s continued backing for Ukraine, stating that the measures would not deter the government from supporting Kyiv. Officials have framed the package as part of a broader, ongoing strategy of naming and sanctioning individuals and entities linked to Russian state and criminal cyber activity, rather than a one-off response to a single incident.

With both the UK and EU signalling closer coordination on attribution and sanctions, further joint action against Russian-linked cyber actors is likely should additional incidents affecting European infrastructure be identified.

Analysts following the announcement say the scale of Monday’s package, spanning military intelligence officers, cybercriminal facilitators and a state-linked media operation, marks one of the broadest coordinated sanctions actions taken by the UK and EU on cyber grounds to date. Whether the measures meaningfully disrupt the individuals and networks concerned will depend in part on how far the designations restrict their access to international financial systems, travel and infrastructure, though officials have consistently framed the value of such packages as extending beyond immediate disruption to the broader signal they send about attribution and accountability.

For now, the government’s message to critical infrastructure operators is unambiguous: the threat from Centre 16 and similar units is active, opportunistic, and frequently exploits security gaps that are well within organisations’ own power to close.