Photorealistic image of a frosted padlock on a substation gate
Thirteen nations warned that the same hackers exploit poorly secured routers to access infrastructure. (Image is AI-generated) IBTimes UK

Britain and the European Union have accused Russia's FSB of a failed cyberattack that could have left 500,000 Poles without electricity in the depths of winter, and answered with their first joint package of cyber sanctions on Monday. The lists extend well beyond the grid plot, naming malware operators who have already stolen passwords and other sensitive details from at least 2,100 British victims in six months.

The UK designated 24 individuals and entities, including three senior GRU officers, Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko, accused of directing cyber and hybrid operations, along with GRU Unit 29155's cyber division and IMPULS, a company said to recruit hackers from universities and academies across Russia. The EU imposed a parallel round on nine individuals and four entities. Both carry asset freezes and travel bans, and the round takes Britain's Russia-related designations past 3,400.

The centrepiece is the joint attribution of last December's attack on Poland's energy infrastructure to FSB Centre 16, the service's signals intelligence arm. The strike on combined heating and power plants failed, but the UK government said it could have cut electricity to 500,000 citizens in midwinter, and a senior Polish minister said at the time that the country came very close to a blackout. The EU said the same unit has targeted government networks and critical infrastructure in nine countries, from France and Germany to Finland.

From a Polish Power Plant to British Passwords

For most readers, the nearer end of this story is Lumma Stealer. Three people accused of operating the malware, which harvests saved passwords and other sensitive data from infected devices at scale, are now under sanctions; the National Crime Agency has tied it to at least 2,100 UK victims in six months, and the government says Russia has reused credentials stolen through it for espionage operations worldwide.

The announcement compressed quickly as it spread online, and one trade post's version below shows how the details get lost.

That summary's single figure is Britain's list alone; the EU's parallel designations add nine people and four entities, and the two were announced as a first coordinated package. The substance above rests on the government's own statements rather than the post.

Yvette Cooper, the foreign secretary, said the measures strike at the core of the cybercriminal networks propping up the Russian state's aggression.' The lists also include 10 people behind Rybar, a state-resourced media network accused of election interference in Moldova and Armenia and of spreading anti-Ukraine narratives.

Kaja Kallas, the EU's foreign policy chief, wrote on X that the round was the bloc's 'largest-ever cyber sanctions package' and its biggest set of individual designations since the full-scale invasion of 2022. On the technical trail, investigators at CERT Polska traced the intrusion's infrastructure to a cluster linked to the FSB, and Poland's energy minister, Milosz Motyka, said in January that the attackers appeared to have tried to disrupt communication between renewable hardware and power distribution operators.

Ambassadors Summoned and a Response Promised

Warsaw welcomed the move, while Germany and France said they would summon Russia's ambassadors, with the French foreign minister accusing Russian services of hitting around 10 European countries and promising a firm reply before the 2027 elections.

Thirteen allied nations, including the United States, issued a joint advisory the same day warning that Centre 16 exploits poorly secured routers to reach critical infrastructure, with the National Cyber Security Centre's resilience director saying allied agencies had 'repeatedly exposed the advanced tools and coordinated campaigns' of Russian actors. Moscow's foreign ministry promised an 'appropriate response'.

Sanctions freeze what can be found, and bar travel that may never have been planned, and a name on a list does not switch off a botnet. What Monday changed is narrower but still useful: two blocs now publicly name who they believe came for the heating in Poland and the passwords in Britain. The next test is whether the malware's victim count actually falls.