Editor’s Note: For the first time, London and Brussels imposed sanctions under their respective cyber regimes on the same day, and they did it while jointly attributing to the FSB a destructive attack on Polish energy infrastructure that failed to interrupt electricity generation or heat delivery but that the UK assessed could have cut power to about 500,000 people during winter. The July 13 designations sweep from GRU senior leadership to the operators of Lumma Stealer to the staff of the Rybar influence operation, addressing military intelligence, criminal malware services and information manipulation through a coordinated cyber and hybrid policy response.

For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, the action can translate diplomacy into compliance obligations for organizations within scope: new names for sanctions screening, new risk in ransomware negotiations, new arguments in insurance coverage disputes and new government records whose internal use may need to be documented and preserved when preservation duties arise.

Watch three things next: the EU’s pending 21st sanctions package, the first enforcement actions built on these designations and the first coverage dispute to cite the coordinated attribution. Coordinated designation may be emerging as a recurring operating model in Europe, and playbooks written for a single list will age quickly.


Content Assessment: UK and EU coordinate first simultaneous cyber sanctions, attribute attack on Polish energy infrastructure to FSB Centre 16

Information - 93%
Insight - 92%
Relevance - 93%
Objectivity - 94%
Authority - 93%

93%

Excellent

A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "UK and EU coordinate first simultaneous cyber sanctions, attribute attack on Polish energy infrastructure to FSB Centre 16."


Industry News – Cybersecurity Beat

UK and EU coordinate first simultaneous cyber sanctions, attribute attack on Polish energy infrastructure to FSB Centre 16

ComplexDiscovery Staff

For the first time, the United Kingdom and the European Union imposed sanctions under their respective cyber regimes on the same day. The broader coordinated measures reach not one group or one incident but what the EU’s own statement called Russia’s “malicious cyber ecosystem,” from military intelligence units to malware operators to influence networks. Behind the announcement sits a failed attack on Poland’s power grid that the UK government assessed could have cut electricity to about 500,000 people during winter.

The measures, announced July 13, are coordinated but legally separate, imposed under their respective legal frameworks. Both regimes have been used before; what is new is the simultaneous exercise and the joint attribution. The UK designated 24 targets overall: 14 under its cyber sanctions regime and 10, all connected to the Rybar influence operation, under its Russia regime. The EU designated 13 targets overall: eight individuals and four entities under its cyber regime, through Council Decision 2026/1713, and one GRU officer under its separate framework addressing Russia’s destabilising activities, through Council Decision 2026/1707. The UK and EU simultaneously attributed the December 2025 attack on Polish energy infrastructure to Centre 16 of Russia’s Federal Security Service (FSB).

“These sanctions strike at the core of the cybercriminal networks propping up the Russian state’s aggression,” UK Foreign Secretary Yvette Cooper said, adding that the UK and EU “are sending a clear message that Russia cannot hide behind its use of these proxy groups.”

Speaking of the day’s measures together with the EU’s forthcoming 21st sanctions package, EU High Representative Kaja Kallas said the combined listings, over 250 in total, would constitute the bloc’s “biggest round of individual sanctions since Russia’s 2022 invasion.” She separately called the cyber action “the largest EU cyber sanctions package ever adopted.”



The attack on Polish energy infrastructure

The Poland incident gives the action its urgency. On Dec. 29, 2025, coordinated destructive attacks targeted at least 30 wind and photovoltaic farms across Poland, a private manufacturing company and a combined heat and power plant supplying heat to almost half a million customers, CERT Polska reported. Damage to industrial devices disrupted communications and remote control at the renewable-energy sites, though electricity production continued, and the attempt to disrupt heat delivery at the CHP plant failed. The operation used multiple destructive methods, including damaged controller firmware, deleted system files and custom destructive software.

Among those methods were two newly identified wiper families. CERT Polska identified DynoWiper, a native Windows binary, at a renewable-energy farm and the CHP plant; it identified a separate PowerShell-based tool, LazyWiper, at the manufacturing company. ESET said the recovered DynoWiper samples focused solely on the IT environment and showed no observed functionality targeting operational-technology components, while not excluding the possibility that other capabilities existed elsewhere in the attack chain. CERT Polska traced suspicious activity at the CHP organization to the period between March and July 2025, including reconnaissance and attempts to obtain credentials, though it could not fully confirm that the two activity clusters observed that year involved the same actor.

“We haven’t seen attacks of this kind before. For the first time, several sites were hit at the same moment,” Polish Energy Minister Milosz Motyka said after the incident, according to Balkan Insight. Deputy Prime Minister Krzysztof Gawkowski called it “an act of Russian sabotage” intended “to cause a blackout,” the outlet reported.

The unit now formally blamed is a familiar adversary that answers to many names. The EU said Centre 16 controls several threat groups, including the long-running espionage cluster known as Turla. The UK’s National Cyber Security Centre (NCSC) and private-sector researchers associate the unit’s activity with names including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra, though those labels describe overlapping clusters and campaigns rather than interchangeable entities.

The July 13 attribution capped a mixed attribution record. ESET attributed the DynoWiper data-wiping component to the GRU-associated Sandworm group with medium confidence, while noting it lacked visibility into the initial-access and preparatory stages, which it said another actor may have conducted. CERT Polska separately reported a high degree of overlap between the attackers’ infrastructure and that linked to Static Tundra. The formal state attribution to FSB Centre 16, issued by the UK government and by the EU high representative on behalf of the bloc, is a distinct judgment reached on governmental evidence and standards. It creates an official public record that insurers, policyholders, regulators and litigants may cite, though its weight in any dispute will depend on the forum, the evidentiary rules and the applicable policy language.

Who landed on the lists

The designations reach across three distinct layers of Russian cyber operations. At the state level, the UK named three senior officers of the GRU, Russia’s military intelligence agency: Vyacheslav Stafeyev, Ivan Senin and Ivan Kasyanenko. The EU listed Kasyanenko, a lieutenant general and deputy commander of the GRU’s Special Operations Service, under its destabilisation framework. Both the UK and the EU designated IMPULS, a company the Foreign Office said GRU Unit 29155’s cyber division used to recruit hackers from Russian universities and academies.

At the criminal-services layer, the UK sanctioned individuals behind Lumma Stealer, a malware-as-a-service operation that harvests credentials and other sensitive data from infected devices. The National Crime Agency (NCA) counted at least 2,100 UK victims of Lumma Stealer in the past six months, and the UK government said Russian services have used credentials stolen through the tool for espionage worldwide.

At the influence layer, the package designated 10 directors, senior managers and content designers at Rybar LLC, a media operation the UK says conceals its Russian state connections while running covert information-manipulation networks and interfering in elections, including in Moldova. Rybar receives funding from Russian state corporation Rostec, according to the Foreign, Commonwealth and Development Office (FCDO).

New names require updated sanctions-risk controls

For sanctions and compliance teams, the practical work started July 13. Every new designation carries an asset freeze, and the UK’s Office of Financial Sanctions Implementation (OFSI) may impose civil monetary penalties on a strict-liability basis, without proving that a firm knew or had reasonable cause to suspect a breach; criminal offenses remain subject to separate legal requirements. Counsel advising on ransomware payments should treat the new names as an immediate checklist item: OFSI’s ransomware guidance makes clear that paying a designated party, directly or through intermediaries, risks civil or criminal penalties. Before a payment or negotiation proceeds, incident response teams should rescreen counterparties, aliases, wallet addresses and other known identifiers against current UK, EU and U.S. sanctions data, supplemented by relevant threat intelligence, because the Lumma Stealer designations show sanctions now reach the malware-as-a-service supply chain, not just named ransomware gangs.

U.S.-based organizations cannot assume distance protects them. The UK and EU lists do not mirror the U.S. Treasury’s Specially Designated Nationals list, and a counterparty cleared against OFAC data may still be designated in London or Brussels. U.S.-headquartered organizations may face overlapping UK, EU and U.S. requirements when corporate structure, personnel, operations, financial intermediaries or transaction routing create the necessary jurisdictional connections. OFAC’s own advisory on facilitating ransomware payments applies independently of UK and EU action, which means a payment not prohibited under one regime may still be prohibited under another.

Threat-intelligence purchasers face a subtler exposure. The designations do not by themselves make possession or defensive analysis of Lumma-linked data a sanctions violation, but organizations buying threat intelligence or stolen-data monitoring services should screen vendors, payment recipients and ownership relationships, and should document data provenance so the record shows no funds or economic resources reached a designated party.

Attribution will echo through insurance disputes

Formal state attribution also matters to insurers and policyholders in coverage disputes. For specified standalone cyber policies incepting or renewing from March 31, 2023, Lloyd’s of London required exclusions addressing state-backed cyberattacks that meet stated minimum standards. Certain London Market Association model clauses treat formal government attribution as relevant evidence of state conduct, though the wording of each policy controls. The UK-EU finding may form part of the evidence considered under those attribution mechanisms, alongside forensic reports and expert testimony, but it is not by itself a coverage trigger. Its significance will depend on the policy language, including whether the clause specifically references attribution by the government of the state where the affected systems are located, which in this incident is Poland.

Policyholders have precedent to draw on, though. Merck’s insurers pressed a war exclusion after the 2017 NotPetya attack, which the U.S. and UK governments attributed to Russia, and a New Jersey appellate court read the exclusion narrowly in Merck’s favor before the parties settled litigation over an approximately $1.4 billion property claim in January 2024; the settlement terms were not disclosed. That case involved legacy war exclusions in all-risk property policies, so its application to the newer standalone cyber wordings is limited. Attribution strengthens the factual record; it does not settle the legal question of what an exclusion actually excludes. Risk managers should reread their cyber policies now, before renewal season, with attention to how each exclusion defines state-backed conduct and which government’s attribution counts.

What the eDiscovery community should watch

Attribution statements, designation notices and the underlying technical advisories will shape the disputes that follow, and the records organizations create around them are what litigation teams should think about now. An NCSC advisory on FSB Centre 16’s router-exploitation tradecraft, published July 13 alongside 18 agencies from 12 countries, details years of intrusions through default or weak SNMP credentials, Cisco Smart Install weaknesses and web-portal vulnerabilities. Although the underlying government materials are public, organizations should preserve the versions they relied on, together with the internal analyses, screening results, coverage assessments and response decisions built on them, whenever litigation, enforcement activity or a coverage dispute is reasonably anticipated. Information governance teams should confirm that existing retention schedules and legal-hold procedures cover those records.

The coordinated action also signals durability. The UK has now sanctioned over 3,400 targets connected to Russia’s war effort, and the EU’s cyber regime, first used in July 2020 against operators behind the WannaCry and NotPetya attacks, is being exercised with new speed and, for the first time, simultaneously with London. Further measures may follow: Kallas said the same day that the EU does not yet have agreement on the 21st sanctions package but is “quite close.”

A winter blackout that never happened has now redrawn sanctions lists in two jurisdictions. The question for practitioners is whether their screening, incident response and coverage playbooks are ready for a world where London and Brussels attribute and designate together, and where each coordinated announcement resets the compliance baseline for organizations within jurisdictional reach of the UK and EU regimes. When the next coordinated action lands, will your organization find out from its screening vendor or from a regulator?



News sources



Assisted by GAI and LLM technologies

Additional reading

Source: ComplexDiscovery OÜ

 

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is an independent digital publication and research organization based in Tallinn, Estonia. ComplexDiscovery covers cybersecurity, data privacy, regulatory compliance, and eDiscovery, with reporting that connects legal and business technology developments—including high-growth startup trends—to international business, policy, and global security dynamics. Focusing on technology and risk issues shaped by cross-border regulation and geopolitical complexity, ComplexDiscovery delivers editorial coverage, original analysis, and curated briefings for a global audience of legal, compliance, security, and technology professionals. Learn more at ComplexDiscovery.com.

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Gemini, Grammarly, Midjourney, and Perplexity, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).