EU Traces Decade of Cyber Attacks to Russian Intelligence Cell

by Michal Fuja

European authorities have publicly identified a covert unit within Russia’s Federal Security Service as the driving force behind an extensive series of digital infiltrations over the past ten years. The campaign targeted vital infrastructure, including energy networks and defense systems, across multiple European nations.

On Monday, the European Union’s Council imposed financial restrictions and travel bans on nine individuals and four organizations linked to these activities. In a parallel move, the United Kingdom sanctioned 24 individuals and entities associated with the same operations.

Officials revealed that the FSB’s 16th Center orchestrated notorious hacking groups, such as the collective known as Turla. Their cyber operations have been detected in government systems and essential services in countries like France, Germany, Poland, and Ukraine. Notably, the 16th Center itself was excluded from the latest sanctions list.

In France, security agencies pinpointed Unit 61240, a specialized branch of the 16th Center, as responsible for a series of significant breaches beginning in 2010. These included attempts to infiltrate email accounts at the French Defense Ministry in 2017, a cyberattack on the French Embassy in Moscow in 2018, and the compromise of a secure server used by France’s judicial system in 2019. Last year, the unit stole data from a research institute collaborating with the French defense sector.

In Poland, the operations escalated from espionage to potential physical harm. The FSB unit was accused of launching disruptive campaigns against combined heat and power plants. British authorities reported that the same unit attempted a catastrophic shutdown of Poland’s electricity grid, which could have cut power to about half a million people during winter.

British Foreign Secretary Yvette Cooper condemned the actions, describing them as a dangerous fusion of state intelligence and criminal cyber networks aimed at destabilizing Western allies.

The sanctions also targeted organizations that blur the line between Russian intelligence and private criminal enterprises, including tech firms Media Land LLC and ML.Cloud, which allegedly provided server infrastructure for ransomware groups. Additionally, the pro-Kremlin hacktivist group Z-Pentest, known for targeting Western utilities, and Impuls, a firm linked to the GRU’s Unit 29155, were blacklisted. Key developers of malware like Trickbot, Conti, and LummaC2 were also sanctioned, including Ivan Kasyanenko, identified as a senior GRU officer.

NATO officials warned that the Kremlin is increasingly relying on a mix of formal intelligence services, proxy criminal groups, private tech companies, and patriotic hacktivists to wage a quiet digital war against the West.