2026-07-13 · view entry permalink →
France and the EU attribute the Turla intrusion set to FSB Centre 16, with French victimology, TTPs and EU/UK sanctions
UPDATE · originally covered FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions (2026-07-13)
The morning entry covered the 19-agency Static Tundra/Berserk Bear advisory (SNMP and Cisco Smart Install router hijacking) and the UK/EU attribution of the December 2025 Polish grid sabotage. This delta covers the sibling FSB Centre 16 cluster — Turla — which France and the EU formally attributed the same day. France's Cyber Crisis Coordination Centre (C4 — ANSSI, COMCYBER, DGA, DGSE, DGSI and the Ministry for Europe and Foreign Affairs) and the EU High Representative jointly attributed the Turla intrusion set to the FSB's 16th Centre on 2026-07-13, publishing CERT-FR's technical report CERTFR-2026-CTI-005 alongside formal French and EU attribution statements (CERT-FR, 2026-07-13; ANSSI, 2026-07-13). France's COMCYBER describes Turla as an FSB 16th Centre attack mode (mode opératoire) used for intelligence-gathering since at least 2004 (COMCYBER, 2026-07-13). The 16th Centre is the parent unit behind both this Turla/Secret Blizzard espionage set and the Static Tundra/Berserk Bear router-hijacking cluster covered this morning — the EU-sanctions reporting describes the 16th Centre as controlling groups including Turla (heise online, 2026-07-13).
ANSSI documents French Turla victims including Ministry of Armed Forces webmail accounts compromised since 2017, the network of the French Embassy in Moscow (2018), a justice-sector personnel-training host (2019) and an advanced-technology company (2025), plus opportunistic intermediary compromises across varied sectors between 2019 and 2025 used as relay infrastructure (CERT-FR, 2026-07-13). The initial-access tradecraft combines spearphishing and watering-hole attacks that lure targets into downloading malicious files masquerading as legitimate software, plus exploitation of vulnerabilities in webmail/messaging services, browsers, business applications and web servers; the operators favour rented or previously-compromised infrastructure for camouflage (ANSSI, 2026-07-13). In coordination, the EU sanctioned 9 individuals and 4 organisations (entry bans and asset freezes), including the enabler firms Advanced System Technology (AST) and NPP Gamma, and the UK sanctioned 24 individuals and organisations; the EU Council statement names Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland among affected states (heise online, 2026-07-13).
Members of the Cyber Crisis Coordination Centre (C4) have observed the targeting and compromise of French entities using the Turla intrusion set operated by the 16th Centre of the Federal Security Service of the Russian Federation (FSB).
Russian technology companies supporting the intelligence service are also affected. For example, Advanced System Technology (AST) and NPP Gamma will no longer be allowed to do business in the EU in the future.