First joint EU-UK cyber sanctions name 33 Russian targets
The EU Council named 9 individuals and 4 entities; the UK named 24 more. FSB Center 16, Sandworm, Turla, Lumma Stealer, and Rybar LLC are on the list.
Confirmed: first joint EU-UK cyber sanctions package, announced July 13, 2026. Confirmed count: 9 individuals and 4 entities from the EU Council; 24 individuals and entities from the UK Foreign Office. Confirmed named operators: FSB Center 16, Sandworm, Turla, the Lumma Stealer infrastructure, IMPULS, and Rybar LLC. Confidence on the numbers: high — Council and FCDO statements are the primary sources. Confidence on scope and campaign attributions inside those statements: as-reported, on the strength of the named agencies, not independently verified here.
What the sanctions actually cover
The EU Council statement frames this as the inaugural joint EU-UK cyber action — the two jurisdictions have issued cyber designations before, but not on the same day, against the same target list, and rolled up as one package. The UK Foreign Office moved in parallel. Between them: 33 designations across GRU officers, FSB-linked infrastructure, and the commercial cutouts that support both.
Three GRU officers were named directly: Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko. Unit numbers were not published in the statements read for this piece.
FSB’s 16th Centre was designated as the parent behind Turla. Turla is a long-running cyberespionage operator with public write-ups going back over a decade; today’s action is the first time an allied government has cleanly hung it on 16th Centre in a sanctions instrument, rather than in a research report. Confidence on that framing: high as of the July 13 statements. This is the same 16th Centre named in yesterday’s joint router-hygiene advisory — same day, different instrument.
Sandworm was attributed to the December 2025 attack on Poland’s power grid using DynoWiper — the Council statement says the strike failed but had put roughly 500,000 people at risk — and to a separate cyberattack on Poland’s National Centre for Nuclear Research. Confidence: as-reported by the Council.
The Lumma Stealer operation was cited for 2,100+ UK victims across six months, which is what earned it a designation rather than a takedown notice. IMPULS was named as a recruitment pipeline that pulls hackers out of Russian universities. Rybar LLC — the pro-Russian media outlet — had 10 members sanctioned, treated as an information-operations arm rather than a separate hacking crew.
Governments listed as targets
The EU Council cites cyberespionage campaigns since 2010 against government and defense networks in France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland. Nine countries. This is the frame the sanctions were signed under; treat it as the Council’s rationale, not a fresh incident report.
Timeline
- December 2025 — Sandworm attack on the Polish power grid using DynoWiper. Failed. Council estimate: ~500,000 people at risk. Confidence: as-reported.
- Late 2025 – mid-2026 — Lumma Stealer campaigns tallied at 2,100+ UK victims across six months. Confidence: as-reported by the FCDO.
- July 13, 2026, morning — Joint US and allies advisory drops on Russian router targeting, naming FSB Center 16 and CVE-2018-0171. Confidence: confirmed, advisory PDF.
- July 13, 2026, midday — EU Council and UK Foreign Office publish the joint sanctions package. Confidence: confirmed.
What defenders should take from this
Sanctions do not patch anything. They don’t take an actor offline, they don’t rotate a C2, they don’t clean an implant. What they change is enrichment context and vendor risk posture — infrastructure and shell companies now on OFAC/UK lists get de-platformed, and any organization still doing business with them inherits legal exposure they didn’t have last week.
For defenders, the useful reading is the target-and-toolkit list, not the sanctions instrument. FSB Center 16 running Turla and being hit twice in the same day — once via a router-hygiene advisory, once via a sanctions package — is a signal that the SNMPv1/v2, Smart Install, and TFTP hygiene work in yesterday’s joint advisory coverage is the concrete action the sanctions story points back at. Do that work.
Sources
- BleepingComputer — “EU and UK hit Russia with first joint cyber sanctions package” — July 13, 2026.
- BleepingComputer — “US and allies share defense tips against Russian hackers targeting critical infrastructure” — July 13, 2026.
- IC3 CSA — “Russian State-Sponsored Cyber Actors Targeting Networking Devices” — July 13, 2026.
Found this useful? Share it.


