Three capitals moved on the same Monday
In December 2025, in the middle of winter, an attack on Poland's energy infrastructure came close enough to succeeding that governments now describe what it would have done: disconnected roughly 500,000 civilians from their electricity. It did not work. On 13 July 2026 Europe said out loud who tried.
The EU and the UK announced coordinated sanctions the same day. The UK designated 24 individuals and entities. The EU listed nine individuals and four entities, which its foreign policy chief called the bloc's largest cyber sanctions package to date. Thirty-three targets between them, carrying asset freezes, travel bans, and a prohibition on making funds or economic resources available to any of them.
The names are specific. Three GRU officers: Vyacheslav Stafeyev, Ivan Senin, Ivan Kasyanenko. The bulletproof hosting operation Media Land LLC and its affiliate ML.Cloud, tied to ransomware and phishing losses across Europe. Z-Pentest, which the Council says went after critical infrastructure including energy and water. Ten people behind Rybar LLC. Operators of the Lumma Stealer credential malware. And behind the Polish grid attack, a unit: FSB Centre 16.
Sanctions are a statement about the past. What came out on the same day is a statement about your network.
The way in was not clever
The UK's National Cyber Security Centre published a joint advisory with twelve other countries - the United States, Australia, Canada, Czechia, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland and Sweden - describing how FSB Centre 16 actually gets in. The group has been tracked for years under a shelf of names: Berserk Bear, Energetic Bear, Dragonfly, Crouching Yeti, Static Tundra.
The techniques are the disappointing part. Internet-wide scanning for the Simple Network Management Protocol with default or weak community strings. Abuse of Cisco Smart Install, a provisioning feature that was designed to make switch deployment easy and that most organisations never turned off after deployment. Known, published vulnerabilities in the web portals of network devices. Sectors targeted: communications, defence, energy, financial services, government, healthcare.
There is no exotic capability in that list. A state intelligence service is walking into critical infrastructure through configuration defaults and unpatched edge hardware, because it works, and because it is quiet. Network devices do not run an endpoint agent. They do not appear in most vulnerability scans. Nobody gets paged when one is compromised, because there is nothing on them to page.
The advisory's mitigations are correspondingly plain: move to SNMPv3 and disable the legacy versions, use strong and unique passwords on network devices, restrict access to management protocols, and turn Smart Install off.
Why a bug from 2008 got a three-day clock
On the same 13 July, the United States added exactly one vulnerability to its Known Exploited Vulnerabilities catalogue. Not a fresh zero-day. CVE-2008-4128, a cross-site request forgery flaw in Cisco IOS, disclosed in 2008. The remediation deadline attached to it was 16 July: three days.
A KEV entry means one thing. It is not a theoretical severity score, and it is not a researcher's proof of concept. It means the flaw is being exploited in the wild, now, and the catalogue that carries it passed 1,638 entries with this addition. The three-day deadline binds US federal agencies, but the signal it sends is not administrative. An eighteen-year-old bug does not get an emergency clock because someone rediscovered it. It gets one because it is currently in use.
Put the two documents side by side and the picture resolves. The advisory says a state actor lives on network equipment. The catalogue says the specific door is a Cisco flaw old enough to vote. Nothing about this campaign required anybody to invent anything. It required only that the defender never looked at the switch.
Who owns the router?
Ask that question in your own organisation and watch what happens. Servers have an owner, a patch cycle and a monitoring agent. Laptops have a fleet manager. The router in the rack, the switch in the branch office, the firewall the managed service provider installed four years ago and has not logged into since: those tend to belong to whoever set them up, which frequently means nobody who still works there.
That gap is now a legal one as well as a technical one. Under NIS2, essential and important entities have to manage risk across the network and information systems they use, and network devices are unambiguously part of that. A regulator asking how you supervise your suppliers and your infrastructure will not accept that the edge hardware fell between the internal team and the outsourced one. The same applies to the managed service provider relationship: if they run your network kit, their configuration hygiene is your risk exposure, and your contract with them is where that either is or is not addressed.
For anyone in energy, water, transport, health or digital infrastructure, this advisory is not general awareness material. It names your sector, it names the protocol, and it comes with a list of designated individuals who were doing it.
What to do this week
Inventory first, because you cannot patch what you have not listed. Every managed switch, router, firewall and network appliance, including the ones in branch offices and the ones a supplier installed. If that inventory does not exist, building it is the week's work and it is worth more than any tool you could buy instead.
Then three concrete actions from the advisory. Disable Cisco Smart Install anywhere it is still on, which for most estates is anywhere it was ever on. Move SNMP to version 3 with authentication and encryption, and disable versions 1 and 2c, which transmit community strings in the clear. Take management interfaces off any path reachable from the internet and put them behind a controlled network segment.
Finally, check whether your network devices produce logs that anyone reads. The reason this campaign persisted is that compromised network gear is silent. A router that has been reconfigured looks exactly like a router that has not, unless someone is comparing it to a known good configuration.
None of this is new advice. That is precisely the point, and it is why thirteen governments felt the need to say it together.
Read next: CISA's First AI Agent Platform Is Now a Must-Patch | 430,000 Firewalls Became a Ransomware Supply Line



