Geo Focus: The United Kingdom
,
Geo-Specific
,
Standards, Regulations & Compliance
Governments Cite Winter Hack of Polish Power Grid and Cyberespionage

A winter Russian intelligence hack of the Polish energy grid and a protracted campaign of cyberespionage are behind coordinated sanctions against Moscow’s intelligence apparatus announced Monday by the European Union and the United Kingdom.
See Also: How Payment Service Directive (PSD2) is Changing Digital Banking – Are You Ready?
The bloc designated nine individuals and four entities for asset freezes and travel bans in retaliation against hacking activity carried out by Center 16, the cyberwarfare division of the Federal Security Service – Russia’s domestic intelligence agency.
The December 2025 attack against 30 substations connecting wind and solar farms to the Polish grid appeared to have a connection to Russian intelligence almost from the start, although some security researchers attributed that attack – which did not interrupt power – to another military intelligence hacking unit operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, rather than the FSB (see: Wiper Malware Targeting Poland’s Power Grid Tied to Moscow).
The British government sanctioned 24 individuals, going beyond Europe by cutting off banking access to individuals behind the Lumma Stealer. U.K. authorities said Russian nation-state hackers have used stolen credentials obtained through infostealer infections to conduct cyberespionage (see: Lumma Stealer Malware Resurgence Challenges Global Takedown).
The joint announcement constitutes the first post-Brexit joint cyber sanctions package made on both sides of the English Channel.
Center 16 has been around in one form or another since the days of the KGB. Formally known as Military Unit 71330, it has a wide array of nicknames including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.
Kaja Kallas, the EU’s top diplomat, announced the cyber sanctions as part of a wider designation of 250 Russian individuals and entities, which she said was intended to weaken “the financial backbone of Russia’s war machine” as the Kremlin continues to press an invasion against Ukraine. The European Commission has been trying to get EU member states to agree to an even broader 21st package of sanctions against Russia, but no agreement has been reached on that yet.
“This is our biggest round of individual designations since Moscow’s 2022 full-scale invasion, and includes also the EU’s largest-ever cyber sanctions package,” Kallas said in a Bluesky post.
Companies designated under the cyber sanctions package include Russian intelligence services partners Advanced System Technology – already sanctioned by the United States in 2021 – and NPP Gamma.
Kallas said the EU was exposing the FSB’s Center 16 as the operation of “a variety of cyber threat groups including Turla.” Cybersecurity agencies in the U.S., U.K., Canada and Australia came to the same conclusions more than three years ago, when the FBI disrupted the Snake cyberespionage malware, which was part of the venerable Turla toolkit. The Turla group is thought to have been operating for more than two decades.
Apart from the attack on Poland, the EU also accused Center 16 of being behind spying and sabotage operations in France, Germany, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland.
“Cybercriminals, self-proclaimed hacktivists and private companies linked to Russia, including actors operating under its instructions, direction or control, have also carried out, enabled and facilitated a wide range of malicious activities,” the EU statement read. “We strongly condemn Russia’s behavior and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses.”
The British government also laid into the Russian network for “interfering in elections and spreading malicious anti-Ukraine narratives across Europe.”
Targets of its sanctions include Vyacheslav Stafeyev, Ivan Senin and Ivan Kasyanenko, senior leadership figures at the Russian military intelligence agency commonly known as GRU – as well the cybercriminal company Impuls, which the U.K. said was a partner of the GRU Unit 29155 cyber division. Another targeted company was Rybar, a Russia-funded media firm that’s “responsible for spreading false narratives about Ukraine and interfering in European elections, including in Moldova and Armenia.”
“These sanctions strike at the core of the cybercriminal networks propping up the Russian state’s aggression, and the U.K. and EU are sending a clear message that Russia cannot hide behind its use of these proxy groups,” said British Foreign Secretary Yvette Cooper. “From directing criminals to targeting businesses, and striking Poland’s energy grid in the depths of winter, the Russian state is sinking to new lows in its attempts to undermine European security.”
Late last week, the U.K., U.S., and an array of European and Antipodean allies published a joint advisory urging better defenses against Center 16’s exploitation of poorly configured routers. The countries’ cyber agencies detailed the workings of the attackers’ simple network management protocol scanning agents and noted how the actors exploit known flaws in Cisco hardware, software and web portals. They advised a range of mitigation measures, including the use of SNMPv3 and the disabling of legacy SNMP versions, as well as better password and access control practices.
On Monday, the U.K. National Cyber Security Centre buttressed the advisory, saying organizations in the communications, defense, energy, financial services, government and healthcare sectors all need to take urgent action.
“Today’s joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the U.K.’s critical infrastructure,” said NCSC National Resilience Chief Jonathon Ellison in the statement. “I’d strongly encourage all organizations, especially those entrusted with U.K. critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise.”
Google’s Threat Intelligence Group in late June published an analysis of Turla’s .NET backdoor “Stockstay” – used against Ukrainian government and military organizations, as well as those linked to Italian foreign policy – a few weeks ago.
It said Stockstay showed similarities to Turla’s Kazuar malware family, which Microsoft’s researchers detailed in May, characterizing it as a “relatively traditional backdoor” that had evolved into a “highly modular peer-to-peer botnet ecosystem designed to enable persistent, covert access to target environments.” Google said it assessed with “moderate confidence” that the two ecosystems may have a common developer or team behind them, at least in part.
