ctipilot.ch
← Back to the live brief
NOTABLEupdateNATOA2threat

France and the EU attribute the Turla intrusion set to FSB Centre 16, with French victimology, TTPs and EU/UK sanctions

discovered 2026-07-13 20:35 UTCrun 2026-07-13T2009Z-intel4 sourcesmulti-source

UPDATE · originally covered FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions (2026-07-13)

The morning entry covered the 19-agency Static Tundra/Berserk Bear advisory (SNMP and Cisco Smart Install router hijacking) and the UK/EU attribution of the December 2025 Polish grid sabotage. This delta covers the sibling FSB Centre 16 cluster — Turla — which France and the EU formally attributed the same day. France's Cyber Crisis Coordination Centre (C4 — ANSSI, COMCYBER, DGA, DGSE, DGSI and the Ministry for Europe and Foreign Affairs) and the EU High Representative jointly attributed the Turla intrusion set to the FSB's 16th Centre on 2026-07-13, publishing CERT-FR's technical report CERTFR-2026-CTI-005 alongside formal French and EU attribution statements (CERT-FR, 2026-07-13; ANSSI, 2026-07-13). France's COMCYBER describes Turla as an FSB 16th Centre attack mode (mode opératoire) used for intelligence-gathering since at least 2004 (COMCYBER, 2026-07-13). The 16th Centre is the parent unit behind both this Turla/Secret Blizzard espionage set and the Static Tundra/Berserk Bear router-hijacking cluster covered this morning — the EU-sanctions reporting describes the 16th Centre as controlling groups including Turla (heise online, 2026-07-13).

ANSSI documents French Turla victims including Ministry of Armed Forces webmail accounts compromised since 2017, the network of the French Embassy in Moscow (2018), a justice-sector personnel-training host (2019) and an advanced-technology company (2025), plus opportunistic intermediary compromises across varied sectors between 2019 and 2025 used as relay infrastructure (CERT-FR, 2026-07-13). The initial-access tradecraft combines spearphishing and watering-hole attacks that lure targets into downloading malicious files masquerading as legitimate software, plus exploitation of vulnerabilities in webmail/messaging services, browsers, business applications and web servers; the operators favour rented or previously-compromised infrastructure for camouflage (ANSSI, 2026-07-13). In coordination, the EU sanctioned 9 individuals and 4 organisations (entry bans and asset freezes), including the enabler firms Advanced System Technology (AST) and NPP Gamma, and the UK sanctioned 24 individuals and organisations; the EU Council statement names Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland among affected states (heise online, 2026-07-13).

Members of the Cyber Crisis Coordination Centre (C4) have observed the targeting and compromise of French entities using the Turla intrusion set operated by the 16th Centre of the Federal Security Service of the Russian Federation (FSB).

CERT-FR (ANSSI) 2026-07-13

Russian technology companies supporting the intelligence service are also affected. For example, Advanced System Technology (AST) and NPP Gamma will no longer be allowed to do business in the EU in the future.

heise online (citing EU Council statement)

ATT&CK mapping

5 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Resource Development TA0042
T1584.004Compromise Infrastructure: Server

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

overlap matrix · ATT&CK page ↗

Initial Access TA0001
T1189Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

overlap matrix · ATT&CK page ↗

T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

T1566Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1204.002User Execution: Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.