EU and UK Hit Russian Spy Hackers With Joint Sanctions

Brussels and London name GRU and FSB officers behind years of cyberattacks on European power grids, government networks and elections.

ThreatVectr Newsdesk· 3 min read
Full-frame 16:9 photoreal news-editorial shot of a European Council meeting room after hours, empty leather chairs around a curved wooden table, EU and UK flags
Share

Key points

  • The European Union sanctioned nine people and four organisations linked to Russian cyberattacks on 15 October 2025.
  • The United Kingdom separately sanctioned 24 people and entities on the same day, including three senior officers of Russia's GRU military intelligence agency.
  • UK authorities linked the Lumma Stealer password-stealing malware to at least 2,100 British victims over six months.
  • The EU publicly named Russia's FSB 16th Centre as the unit running the Turla hacking group, which has targeted European governments since 2010.
  • A recent Turla operation against Polish energy firms could have cut power to roughly 500,000 people in winter, officials said.

The European Union and the United Kingdom have jointly slapped sanctions on dozens of Russians accused of running a sprawling network of state hackers and criminal groups aimed at Europe.

The move was announced on 15 October 2025. It names military officers, freelance criminals and front companies that Brussels and London say have worked together for years.

The Council of the European Union sanctioned nine individuals and four entities. The list includes officers of the GRU, Russia's military intelligence service, along with cybercriminals and companies that Brussels says do the Kremlin's dirty work online.

Britain went further. It named 24 people and organisations, including three senior GRU figures: Vyacheslav Stafeyev, Ivan Senin and Ivan Kasyanenko. UK officials say they directed both cyberattacks and "hybrid" operations, meaning a mix of hacking, sabotage and disinformation.

Who exactly is being punished?

The sanctions target several distinct groups.

First, senior GRU officers accused of running the show. Second, a Russian firm called IMPULS, which UK authorities say recruits hackers straight out of Russian universities.

Third, people tied to Lumma Stealer, a piece of malware that quietly grabs passwords and banking details from infected computers. British investigators say Lumma Stealer hit at least 2,100 victims in the UK over a six-month period.

Finally, ten people connected to Rybar LLC, a Russian media outlet accused of spreading anti-Ukraine propaganda and meddling in elections in Moldova and Armenia.

What does the FSB have to do with it?

The EU took the unusual step of publicly naming the 16th Centre of Russia's Federal Security Service, or FSB, as the unit that controls several well-known hacking crews. That includes Turla, one of the oldest and stealthiest Russian spy groups in the business.

Officials say Turla has been breaking into government and defence networks since 2010. The list of targets reads like a European map: France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland.

Should ordinary people be worried?

The most concrete danger flagged today involves Poland's power grid.

Turla hackers were tied to a recent failed attack on Polish energy companies, including heat and power plants. Had it worked, roughly 500,000 people could have lost electricity in the middle of winter.

A separate December 2024 attack, first reported by BleepingComputer and attributed to another Kremlin-linked group called Sandworm, physically wrecked equipment at Polish grid operators using data-wiping malware called DynoWiper. Wiper malware does exactly what it sounds like: it erases the software that keeps industrial gear running.

Poland also recently blocked an attempted break-in at the National Centre for Nuclear Research, the country's main nuclear physics institute.

What happens next?

Sanctions freeze assets and ban travel. They do not, on their own, stop hackers from typing.

But naming the specific FSB unit and specific officers is the point. It tells European allies, and Russian officers themselves, that their cover is thinner than they thought.

The sanctions land as Brussels finishes work on a broader cybersecurity law proposed in January 2025 to shore up defences around hospitals, energy firms and other essential services. In March 2025, the EU also sanctioned three Chinese and Iranian companies over similar attacks on member states.

For Lumma Stealer victims, the practical advice is unglamorous. Change passwords, turn on two-factor authentication where you can, and keep an eye on bank statements.

© 2026 Threat Vectr