PARIS – When Polish railway workers found unexplained code embedded in their network’s control systems last November, the disruption looked, at first, like a technical fault. By December, investigators were tracing the same signatures to a broader plot allegedly aimed at knocking out Poland’s national energy grid. On Monday, France, the European Union and the United Kingdom put names and sanctions designations to a campaign those governments say stretched for years across more than a dozen European countries.
France announced it would summon Russia’s ambassador to Paris over what Foreign Minister Jean-Noel Barrot described as “sabotage and espionage in a dozen European countries,” a campaign he attributed to Russia’s Federal Security Service. Barrot said France was imposing sanctions on nine individuals and four entities linked to the operation. “We will also impose sanctions on nine individuals and four entities responsible for this cyber campaign, which was orchestrated by the FSB,” he said, adding that France had been able to “detect these attacks” after having “significantly strengthened our defenses.”
The European Union matched the scale of France’s action, sanctioning its own list of nine individuals and four entities that EU statements said included GRU military intelligence officers and cybercriminals. Britain went considerably further, designating 24 individuals and entities under British sanctions law, reflecting London’s longstanding practice of using its post-Brexit domestic regime more aggressively than the bloc it left behind.
Moscow rejected the framing without engaging the specifics. Kremlin spokesman Dmitry Peskov, in remarks at a separate briefing, dismissed the Coalition of the Willing – the European military support network for Ukraine – as “a coalition of warmongers.” The Kremlin had issued no formal response to Monday’s cyber sanctions by evening Moscow time.
The alleged campaign documented by European governments spans several years and multiple categories of interference. The November 2025 Polish railway sabotage interrupted freight and passenger services at a juncture when NATO logistics through Polish corridors were under close scrutiny. The December 2025 energy grid plot, foiled before it could be executed, targeted infrastructure in a country that has become a primary transit hub for military supply chains running into Ukraine. In April 2026, Sweden said it had stopped a cyberattack on a thermal power plant, an incident Swedish authorities linked to the same network now named by France and the EU.
EU statements described a pattern of “infiltration of governmental networks and sabotage of critical infrastructure” across member states. The countries named as targets form a broad arc of NATO’s eastern and central flank: France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland. The breadth suggests a campaign designed not just to collect intelligence but to pre-position capabilities inside critical systems for future activation.

Security researchers tracking state-linked Russian hacking groups have long noted a distinction between intelligence-gathering operations and what they call access operations – intrusions where the primary goal is maintaining persistent presence that can later be weaponized. The pattern described by European governments on Monday fits the latter category, raising questions about what capabilities may remain embedded in systems not yet publicly identified as compromised.
European governments have faced growing pressure to publicly attribute cyber operations and impose visible costs. The shift began in earnest after the 2018 Salisbury nerve agent attack, when Britain coordinated a mass expulsion of Russian diplomats that rippled across allied capitals. Monday’s coordinated announcement follows that model, with France participating more directly than it has in previous attribution events – a signal of the shift in Paris’s posture toward Moscow over the course of the Ukraine conflict.
The spy case of French researcher Laurent Vinatier tested that posture from the opposite direction. Russia held Vinatier on espionage charges through the end of 2025, with Moscow extending diplomatic overtures that Paris received in silence. Barrot’s decision to front Monday’s announcement with his own name marks a harder line from the Quai d’Orsay than France has publicly taken in recent years.
The EU’s cyber sanctions regime, established in 2017 following attacks attributed to Russian and Chinese state actors, has been used sparingly since its creation. Previous designations targeted individuals linked to the Bundestag hack attributed to Sandworm – one of the GRU units referenced in Monday’s action – and the 2020 intrusion into the European Centre for Disease Prevention and Control. Monday’s use of the mechanism for nine individuals and four entities in a single action is the largest the regime has produced since its inception.
The sanctioned individuals have not been publicly named in documents released by the EU or France – a gap that will fuel debate about the evidential transparency of the case against Russian intelligence services. German federal prosecutors this month charged a Ukrainian national in the Nord Stream pipeline sabotage, demonstrating that European courts can reach cases of this kind, but the prosecution pathway for state intelligence officers operating from Russian territory remains theoretical.
What the coordinated announcement accomplishes is completing a circle of public attribution: French, EU and British governments have now declared that specific officers of Russia’s two main intelligence services orchestrated physical infrastructure sabotage and digital espionage in allied states. Whether Moscow responds with diplomatic expulsions, counter-sanctions or silence will define the next phase of a standoff that neither side is likely to publicly claim to have sought, as CBS News reported.

