The European Union sanctions Russia’s primary instrument for stealing secrets and disrupting systems across the bloc.

Brussels rarely names its cyber adversaries in public. When it does, the message is deliberate. On Monday, EU High Representative Kaja Kallas led a formal denunciation of Russia’s Federal Security Service (FSB), exposing its 16th Centre as the controlling authority behind years of malicious cyber operations across the continent. The statement named nine individuals and four entities subject to new EU sanctions. It was the bloc’s sharpest public attribution of Russian cyber aggression to date.

The 16th Centre—also known as Military Unit 71330 and tracked by Western intelligence agencies under the names Turla and Venomous Bear—is the FSB’s signals-intelligence and cyber-operations arm. UK and allied governments describe it as responsible for “intercepting, decrypting and processing electronic messages” and for the “technical penetration of foreign targets”, including critical national infrastructure worldwide.

A decade of quiet penetration

Ms Kallas delivered the move with her trademark directness. “For years, the FSB has conducted a wide range of malicious cyber activities with growing severity affecting the EU, its member states, as well as international partners, notably Ukraine,” the High Representative’s statement said. The list of targeted countries reads like a roll-call of the EU’s most strategically significant members: France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland.

The scale of the 16th Centre’s operations is striking. In France, it conducted cyber espionage against strategic governmental entities since 2010 and targeted the defence industry as recently as 2025. The Germans found it penetrated governmental networks. In Poland, it went further still, carrying out what the EU statement describes as “disruptive sabotage operations against critical infrastructure, including combined heating and power plants”.

You might be interested

The unit’s primary toolset has evolved steadily. Its flagship implant, Snake, maintained covert peer-to-peer nodes in at least 15 EU member states before a coordinated allied operation dismantled the infrastructure in May 2023. The US Cybersecurity and Infrastructure Security Agency described Snake as “the most sophisticated cyber-espionage tool” in the FSB arsenal. Despite the takedown, allied agencies warned that the 16th Centre “has other toolsets ready to deploy” and was actively re-establishing access.

That warning proved accurate. By mid-2025, a 16th Centre subgroup tracked as Static Tundra was exploiting a decade-old vulnerability in Cisco networking equipment to drain configuration data from hundreds of routers across European telecoms companies and universities. The footholds gained allowed lateral movement into connected systems. Incident response, router replacement, and network hardening following that campaign alone cost internet service providers and universities across at least five member states millions of euros in 2025 and 2026.

Spies, criminals, and hired hacktivists

What makes the 16th Centre’s operations particularly difficult to counter is the deliberate blurring of lines between state and non-state actors. The EU statement made this explicit. “Cybercriminals, self-proclaimed hacktivists and private companies linked to Russia, including actors operating under its instructions, direction or control, have also carried out, enabled and facilitated a wide range of malicious activities,” it said.

This ecosystem serves a double purpose. It gives Moscow plausible deniability when operations go wrong. It also dramatically expands the pool of available talent and infrastructure. Hacktivist-style denial-of-service attacks increasingly serve as cover for deeper, quieter intrusions by 16th Centre operatives. The EU’s Computer Emergency Response Team (CERT-EU) notes that disruption has become a “standing capability” that the unit can activate whenever geopolitical goals require it.

Ms Kallas welcomed “close coordination with the United Kingdom in our shared assessment of the growing convergence between non-state and state actors”. That convergence represents a qualitative shift in the threat. Traditional diplomatic and legal frameworks struggle to address it.

Credentials theft

The 16th Centre does not operate randomly. Its campaigns coincide with moments of maximum political sensitivity inside the EU. Turla phishing waves against EU ministries and defence contractors have repeatedly timed with sanctions debates and NATO summits. Between January and May 2024, the unit ran the ApolloShadow campaign, compromising multiple EU diplomatic missions through adversary-in-the-middle interception of embassy traffic at Russian internet service providers. The goal was credential theft.

For years, the FSB has conducted a wide range of malicious cyber activities with growing severity affecting the EU, its member states, as well as international partners, notably Ukraine. — Statement by the Kaja Kallas office

Between February and June 2026, senior EU officials received phishing messages disguised as legitimate Signal application updates. The campaign, linked to Turla infrastructure and currently under CERT-EU investigation, attempted to take over the personal devices of people with access to the EU’s most sensitive deliberations. The strategic logic is clear: steal negotiating positions before they become policy, and shape the information environment before decisions are made.

Naming, shaming, and sanctioning

Ms Kallas’s public attribution is itself a policy instrument. The nine sanctioned individuals include Russian military intelligence (GRU) officers alongside cybercriminals and self-proclaimed hacktivists. That combination is a deliberate signal that the EU treats the entire ecosystem, not just its state components, as a legitimate target for punitive measures.

The statement also called on Russia to adhere to “the United Nations framework of responsible state behaviour in cyberspace and its norms and respect international law”. That appeal is unlikely to produce an immediate change in Russian behaviour. It matters nonetheless as a statement of legal principle and as a foundation for future action, both within the EU and in coordination with NATO and other partners.

The 16th Centre will not stop. It has operated continuously for more than 15 years inside European networks, adapting each time one tool is neutralised. The Union’s answer had better come out equally persistent. It must patch vulnerable devices, harden credentials, share threat intelligence across member states, and make the cost of attribution fall on Moscow rather than disappear into the noise.