The EU and UK have imposed sanctions on the entirety of Russia's cyber ecosystem.
**TL;DR:** The EU and UK have launched their first joint cyber sanctions against Russia, with the EU identifying nine individuals and four entities and the UK naming 24. The EU has attributed the Turla espionage group to FSB Centre 16, also blaming the same unit for a December attack on Poland’s energy grid that could have impacted 500,000 people during winter. The focus is now on an entire “ecosystem” of hackers, criminals, and affiliated companies rather than just on specific hacking groups.
The European Union and the United Kingdom have imposed their first coordinated sanctions on Russia's cyber operations. The EU sanctioned nine individuals and four entities, while the UK announced 24, according to a report by Politico.
The significance lies in the language used; EU High Representative Kaja Kallas condemned not just a specific group but an entire ecosystem comprising intelligence agencies, criminal organizations, self-proclaimed hacktivists, and private firms. This reflects a deliberate change in strategy, signaling that the distinction between Russian state hackers and criminals is no longer considered valid.
Regarding the Turla group, the Council’s statement links it to Centre 16 of Russia’s Federal Security Service (FSB). Turla, also known as Secret Blizzard or Waterbug, is known for its long-standing espionage activities, which can be traced back to 2010, initially targeting French government networks and subsequently extending to Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland. Identifying a group with a particular FSB division is a significant step, transforming a threat-label into a formal accusation against a specific section of the Russian state.
The most serious allegation concerns the attack on Poland’s energy infrastructure. The UK and EU member states have attributed the December assault on Poland’s energy grid to FSB Centre 16. Although the attack was unsuccessful, its intention was alarming, as it could have left 500,000 people without power in winter. Poland has been a focal point for such attacks, with hackers previously infiltrating Polish water treatment facilities.
Another new target of the sanctions is a company. The UK has sanctioned OOO IMPULS, claiming that the GRU’s Unit 29155 utilized it to recruit hackers and cyber experts from universities across Russia. This demonstrates the tangible nature of the ecosystem: a front company, staffed by graduates, supplying talent to a military intelligence unit.
Three figures from the GRU leadership—Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko—were sanctioned for overseeing these activities, emphasizing that sanctions are being directed at the managers as well as the operators.
Additionally, the sanctions also encompass typical cybercrime. The UK has sanctioned individuals involved with Lumma Stealer, an information-stealing program, alleging that Russia exploited the stolen credentials for espionage. The impact appears broad and less glamorous, with the National Crime Agency documenting at least 2,100 victims of Lumma Stealer in the UK over a six-month span.
The UK also listed ten individuals from Rybar LLC, a state-backed media organization accused of spreading disinformation regarding Ukraine and interfering in elections in Moldova and Armenia. This signifies that disinformation and cyber intrusions are being treated as interconnected efforts.
Europe has previously experienced the proxy model, having seized 800 servers linked to Russian hackers in a Dutch operation. The current sanctions appear to be targeting the same infrastructure.
Is this approach effective? Skepticism is justified, as asset freezes and travel bans might not impact GRU officers who have no intentions of visiting places like Brussels, and Russia consistently denies such claims. The true value may lie elsewhere; public attribution increases the stakes for the criminal side of the ecosystem, targeting those who possess assets, travel, and seek payment.
The pressure on Russian cyber criminals is tangible, as evident from the Jaguar Land Rover breach, which inflicted a $2.5 billion damage on the UK economy—significant for an attack against an automotive manufacturer. Furthermore, European institutions remain vulnerable, as seen in cyberattacks on the EU Parliament and ongoing threats to European governments. Identifying the attackers is not synonymous with neutralizing them.
Germany and France are now calling in Russia’s ambassadors, which, alongside an expanded sanctions list, constitutes Europe's current strategy.
Other articles
The EU and UK have imposed sanctions on the entirety of Russia's cyber ecosystem.
Brussels and London targeted Russian spies, criminals, hacktivists, and a front organization that recruits hackers from universities in their initial joint initiative.
