Skip to main content
Geopolitics & DefenseNational Security

EU Targets Russian Hackers with Sanctions Over Europe Cyberattacks

European Union officials gather in a formal council meeting room with symbolic representations of official seals in the…

Turla hackers were linked to a recent failed strike targeting Poland's critical infrastructure, including energy grid organizations such as heat and power plants, which could have cut power to roughly 500,000 people during winter.

Council of the European Union sanctions nine individuals and four entities

On July 13, the Council of the European Union announced restrictive measures targeting nine individuals and four entities it says contribute to Russia's cyber operations. The Council described those targets as "GRU intelligence officers, as well as cybercriminals, self‑proclaimed hacktivists and private companies that contribute to Russia's efforts to destabilise the EU, its member states and international partners." The announcement named Russian military intelligence (GRU) officers among the sanctioned individuals and said the measures respond to a broad pattern of malicious activity against public services and critical infrastructure.

United Kingdom separately sanctions 24 individuals and entities, naming senior GRU figures

At the same time, the United Kingdom imposed sanctions on 24 individuals and entities. The UK list includes senior GRU figures Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko, whom officials say directed "cyber and hybrid operations." British sanctions also target members of the IMPULS company, accused of recruiting hackers from Russian universities, and individuals tied to the Lumma Stealer malware operation — which UK authorities linked to at least 2,100 domestic victims over six months. Ten people connected to media outlet Rybar LLC were designated for spreading anti‑Ukraine narratives and alleged election interference in Moldova and Armenia.

The 16th Centre of Russia's FSB and Turla's long campaign

The Council publicly identified the 16th Centre of Russia's Federal Security Service (FSB) as controlling several cyber threat groups, including Turla. According to the Council, that unit "has spent years targeting government networks and critical infrastructure" in France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland, and has run cyberespionage campaigns against government and defence targets since 2010. The Council explicitly tied Turla to operations that targeted government networks and infrastructure and highlighted a more recent operational link to a failed attempt against Poland's critical systems.

Sandworm, DynoWiper, and recent strikes against Poland's energy and research sectors

Independent reporting cited by the Council describes a December cyberattack that hit dozens of entities in Poland's power grid and damaged operational technology (OT) equipment "beyond repair" even though it failed to disrupt power. That incident was attributed to the Russian state‑backed group Sandworm, which attempted to deploy the DynoWiper data‑wiping malware and to disable compromised devices. More recently, Polish authorities blocked a separate cyberattack targeting the IT infrastructure of the National Centre for Nuclear Research (NCBJ), Poland's main government nuclear research institute that focuses on nuclear physics, reactor technology, and particle physics. Those incidents illustrate the range of tactics described by the Council, from destructive wipers to attempts at degrading critical services.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The Council's public identification of the 16th Centre and the attribution of destructive tools such as DynoWiper underscore a sustained, state‑linked targeting of OT and government networks. Security teams defending utilities, energy suppliers, and research institutions directly named in the reporting will need to prioritise detection and resilience for OT systems and incident response plans for data‑wiping scenarios.
  • Policymakers and regulators: The sanctions come alongside the European Commission's January proposal for new cybersecurity legislation intended to strengthen defences for critical infrastructure. Policymakers who backed the Commission proposal will point to today's package as a complementary tool — pairing regulatory hardening with targeted punitive measures against identified actors and facilitators.
  • Affected enterprises and procurement leaders: The UK sanctions against recruitment channels such as IMPULS and the designation of malware operations like Lumma Stealer send a signal to private sector buyers and supply chain managers to scrutinise vendor ties, recruitment pathways, and malware monetisation channels that can enable large numbers of domestic victims in a short time.

"Cybercriminals, self‑proclaimed hacktivists and private companies linked to Russia, including actors operating under its instructions, direction or control, have also carried out, enabled and facilitated a wide range of malicious activities. We strongly condemn Russia's behaviour and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses," the Council of the EU said in its statement.

The sanctions mark a coordinated Western response that pairs public attribution and naming of state‑linked units with penalties against a mix of military officers, criminal operators, supporting companies, and media‑linked actors. They arrive after March measures that targeted Chinese and Iranian companies alleged to coordinate attacks against EU critical infrastructure, and sit beside legislative efforts in Brussels to tighten cyber defences across member states. Whether the combined pressure of sanctions and regulation will deter future strikes remains the open, operational question left by today's actions.

Original story