Back to Insights
Threats4 min read15 July 2026

Europe Sanctions Russia Over FSB-Directed Cyber and Sabotage Campaign Targeting Critical Infrastructure

France, the EU and the UK announced coordinated sanctions on 14 July 2026 after attributing a sustained, multi-country espionage and disruption campaign to Russia's FSB intelligence service, with one alleged plot coming close to cutting power to 500,000 Polish civilians.

t2s
train2secure NewsdeskSecurity awareness team
A wide-angle photoreal editorial photograph of a large European electrical substation at dusk, heavy steel pylons and tr

France summoned Russia's ambassador in Paris on 14 July 2026 after European governments formally attributed a sprawling cyber and physical sabotage campaign to the FSB, Russia's primary intelligence and security service.

What the Sanctions Cover

The European Union sanctioned nine individuals and four entities on the same day, including named officers of the GRU, Russia's military intelligence directorate. The UK went further, sanctioning 24 individuals and entities in total for what it described as "cyber and hybrid operations." French Foreign Minister Jean-Noel Barrot confirmed France's participation in a public interview, calling the FSB's activity "a vast cyber campaign" and announcing that Russia's ambassador had been formally summoned.

The scale is significant. Targets spanned government ministries, private companies and critical infrastructure operators across at least twelve European countries, including France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland.

A Campaign Built on Proxies

This was not a series of isolated intrusions. European officials described a deliberate, sustained effort coordinated by the FSB through what they called a "malicious cyber ecosystem." That ecosystem mixed FSB officers with contracted criminal hacking groups, self-described hacktivists and private companies. The approach gives Moscow operational distance: when a criminal group carries out an attack, attribution is harder, and deniability is easier to claim.

The Kremlin, responding to the timing of the announcements, called the "Coalition of the Willing" summit in Paris a gathering of "warmongers." The summit brought together Ukraine's allies in France at the same time the sanctions were announced, a sequencing that European officials did not treat as coincidental.

When Cyberattacks Become Physical Danger

The most striking details involve Poland. In November 2025, two Ukrainian nationals allegedly acting under Russian intelligence direction were accused of bombing a Polish railway line. Poland's foreign minister called it "an act of state terror." Roughly one month later, a separate FSB-linked plot against Poland's electricity grid was disrupted before execution. The UK government stated the attack could have cut power to 500,000 civilians.

Sweden disclosed in April 2026 that it had identified and foiled a Russian cyberattack on a thermal power plant the previous year. Announcements from Poland, Sweden, Norway, Denmark and Latvia form a consistent pattern: systematic probing and targeted strikes against infrastructure that ordinary people depend on daily.

Which Security Controls Failed

The FSB's documented use of criminal proxies and hacktivist fronts points directly to an identity and access management problem at scale. When a state actor recruits third-party groups to act on its behalf, those groups typically gain initial access through the same routes that any opportunistic attacker uses: phishing emails, credential stuffing against accounts lacking multi-factor authentication, and exploitation of internet-facing systems running unpatched software. The Verizon 2024 Data Breach Investigations Report found that 68 percent of breaches involved a human element, whether a click on a phishing link, use of stolen credentials, or simple misconfiguration. A proxy-driven campaign exploits exactly that weakness at volume, with state-level resources and patience behind it.

The physical sabotage element compounds the picture. The November 2025 railway bombing and the disrupted grid attack suggest that cyber reconnaissance preceded or accompanied physical operations. Organisations that monitor only their IT networks while leaving operational technology systems, such as industrial control systems managing power distribution or rail signalling, without equivalent visibility create precisely the gap that this kind of hybrid campaign is designed to exploit. CISA's Cross-Sector Cybersecurity Performance Goals set a baseline that many infrastructure operators in Europe and beyond have still not fully met.

What Defenders Must Do Now

For anyone working in energy, transport, government IT or supply-chain management, this campaign carries a direct operational message.

First, review privileged access. Remove accounts tied to former contractors, inactive vendors and legacy integrations. Every dormant credential is a potential entry point for an actor who has already compromised a supplier.

Second, treat unsolicited contact as hostile by default. The FSB-linked ecosystem relies heavily on social engineering, where attackers impersonate suppliers, IT support staff or regulatory bodies to extract credentials or gain remote access. Staff who have never received scenario-based training on these tactics are statistically more likely to comply. Organisations running structured security-awareness programmes consistently report lower click rates on simulated phishing campaigns compared to those relying on annual policy documents alone.

Third, do not wait for certainty before reporting. Unusual network behaviour, unexpected authentication attempts from unfamiliar locations, or anomalous commands on operational technology systems should go to national cybersecurity authorities immediately. The FSB's playbook depends on defenders sitting on early indicators while they try to confirm whether something is "really" an attack.

Fourth, apply patches on a defined schedule and treat internet-facing industrial control systems as the highest priority. Many of the intrusions attributed to Russian state actors over the past three years have exploited vulnerabilities with published CVEs and available patches that organisations simply had not applied.

The 14 July 2026 sanctions represent one layer of response. Diplomatic measures do not harden a firewall or retrain an employee who clicked a link. That work falls to the organisations themselves.

How this could have been prevented

  • Enforce MFA on every account with access to operational or government systems, including third-party vendor accounts, since the FSB's proxy network depends on credential theft and social engineering for initial access.
  • Run regular scenario-based phishing simulations so staff can recognise impersonation attempts from actors posing as suppliers, IT support or regulators, the exact tactics this campaign used.
  • Establish a clear internal process for reporting suspicious activity to national cybersecurity authorities without waiting for full confirmation, early reporting is what disrupted the Poland grid attack.

Train2Secure's awareness training modules are built around exactly these threat scenarios, giving your team the pattern recognition they need before an attack lands.

Start free, no card required

Frequently asked questions

Which countries were targeted by the FSB-linked cyber campaign?

European officials identified at least twelve countries, including France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland. Sweden, Norway, Denmark and Latvia separately disclosed related incidents around the same period.

What is the 'malicious cyber ecosystem' the EU described?

EU officials used that phrase to describe the FSB's use of contracted criminal hacking groups, self-described hacktivists and private companies alongside state officers to carry out attacks. The layered structure makes direct attribution to Moscow harder and gives Russia plausible deniability.

How close did the alleged Poland grid attack come to succeeding?

The UK government stated the disrupted FSB-linked plot against Poland's electricity grid could have cut power to 500,000 civilians. It was foiled before execution, approximately one month after the November 2025 railway bombing also attributed to Russian intelligence direction.

What can infrastructure operators do right now to reduce exposure?

Audit and remove dormant privileged accounts, enforce multi-factor authentication on all remote access points, apply outstanding patches to internet-facing systems, run regular phishing simulation training for staff, and report anomalous activity to national cybersecurity authorities without waiting to confirm an active breach.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress