ctipilot.ch

France/EU formal attribution of Turla (FSB Centre 16) espionage against France

incident · incident:france-eu-turla-fsb-attribution-2026-07

On 2026-07-13, France (ANSSI/Cyber Crisis Coordination Centre C4) and the EU High Representative formally attributed the long-running (since ≥2004) Turla intrusion set to Russia's FSB 16th Centre, with CERT-FR report CERTFR-2026-CTI-005 documenting French victims across the defence, diplomatic, justice and technology sectors (2017–2025) and Turla's spearphishing/watering-hole initial-access tradecraft. Coordinated EU sanctions hit 9 individuals and 4 organisations (incl. enabler firms AO AST and NPP Gamma) and the UK sanctioned 24. The FSB 16th Centre is the parent unit behind both Turla/Secret Blizzard and the Static Tundra/Berserk Bear router-hijacking cluster (per heise EU-sanctions reporting and the morning Static Tundra advisory).

Aliases: Turla France attribution 2026, FSB 16th Centre France espionage attribution

Coverage timeline
1
first 2026-07-13 → last 2026-07-13
Peak priority
notable
1 notable
Sources cited
4
4 hosts
Sections touched
1
updates
Co-occurring entities
2
see Related entities below
ATT&CK techniques
5
pinned v19.1 · see below

ATT&CK techniques

5 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Resource Development TA0042

T1584.004Compromise Infrastructure: Server×1

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

Evidence: 2026-07-13/france-eu-turla-fsb-centre-16-attribution-french-victimology · ATT&CK page ↗

Initial Access TA0001

T1189Drive-by Compromise×1

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

Evidence: 2026-07-13/france-eu-turla-fsb-centre-16-attribution-french-victimology · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/france-eu-turla-fsb-centre-16-attribution-french-victimology · ATT&CK page ↗

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-07-13/france-eu-turla-fsb-centre-16-attribution-french-victimology · ATT&CK page ↗

Execution TA0002

T1204.002User Execution: Malicious File×1

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Evidence: 2026-07-13/france-eu-turla-fsb-centre-16-attribution-french-victimology · ATT&CK page ↗

Story timeline

  1. 2026-07-13France and the EU attribute the Turla intrusion set to FSB Centre 16, with French victimology, TTPs and EU/UK sanctions
    updatesANSSI publishes CERTFR-2026-CTI-005 on FSB Centre 16's Turla cluster as France and the EU formally attribute it and sanction AO AST and NPP Gamma

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

attributed to

Where this entity is cited

  • updates1

Source distribution

  • cert.ssi.gouv.fr1 (25%)
  • cyber.gouv.fr1 (25%)
  • defense.gouv.fr1 (25%)
  • heise.de1 (25%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about France/EU formal attribution of Turla (FSB Centre 16) espionage against France (1)

2026-07-13 · view entry permalink →

NOTABLEupdateNATOA2

France and the EU attribute the Turla intrusion set to FSB Centre 16, with French victimology, TTPs and EU/UK sanctions

UPDATE · originally covered FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions (2026-07-13)

The morning entry covered the 19-agency Static Tundra/Berserk Bear advisory (SNMP and Cisco Smart Install router hijacking) and the UK/EU attribution of the December 2025 Polish grid sabotage. This delta covers the sibling FSB Centre 16 cluster — Turla — which France and the EU formally attributed the same day. France's Cyber Crisis Coordination Centre (C4 — ANSSI, COMCYBER, DGA, DGSE, DGSI and the Ministry for Europe and Foreign Affairs) and the EU High Representative jointly attributed the Turla intrusion set to the FSB's 16th Centre on 2026-07-13, publishing CERT-FR's technical report CERTFR-2026-CTI-005 alongside formal French and EU attribution statements (CERT-FR, 2026-07-13; ANSSI, 2026-07-13). France's COMCYBER describes Turla as an FSB 16th Centre attack mode (mode opératoire) used for intelligence-gathering since at least 2004 (COMCYBER, 2026-07-13). The 16th Centre is the parent unit behind both this Turla/Secret Blizzard espionage set and the Static Tundra/Berserk Bear router-hijacking cluster covered this morning — the EU-sanctions reporting describes the 16th Centre as controlling groups including Turla (heise online, 2026-07-13).

ANSSI documents French Turla victims including Ministry of Armed Forces webmail accounts compromised since 2017, the network of the French Embassy in Moscow (2018), a justice-sector personnel-training host (2019) and an advanced-technology company (2025), plus opportunistic intermediary compromises across varied sectors between 2019 and 2025 used as relay infrastructure (CERT-FR, 2026-07-13). The initial-access tradecraft combines spearphishing and watering-hole attacks that lure targets into downloading malicious files masquerading as legitimate software, plus exploitation of vulnerabilities in webmail/messaging services, browsers, business applications and web servers; the operators favour rented or previously-compromised infrastructure for camouflage (ANSSI, 2026-07-13). In coordination, the EU sanctioned 9 individuals and 4 organisations (entry bans and asset freezes), including the enabler firms Advanced System Technology (AST) and NPP Gamma, and the UK sanctioned 24 individuals and organisations; the EU Council statement names Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland among affected states (heise online, 2026-07-13).

Members of the Cyber Crisis Coordination Centre (C4) have observed the targeting and compromise of French entities using the Turla intrusion set operated by the 16th Centre of the Federal Security Service of the Russian Federation (FSB).

CERT-FR (ANSSI) 2026-07-13

Russian technology companies supporting the intelligence service are also affected. For example, Advanced System Technology (AST) and NPP Gamma will no longer be allowed to do business in the EU in the future.

heise online (citing EU Council statement)
threat13 Jul 20:35Zmulti-sourceOpen finding ↗