site-logo
site-logo
site-logo

Preparing European critical infrastructure for the next phase of Russian cyber operations

Preparing European critical infrastructure for the next phase of Russian cyber operations

Preparing European critical infrastructure for the next phase of Russian cyber operations

blog-details-image
author

Prayukth K V

Critical infrastructure operators have often treated geopolitical cyber activity as a concern for governments rather than plant operators. That distinction has now faded. The European Council's latest sanctions against key actors in Russia's cyber ecosystem underscore a broader reality: industrial organizations are now central targets in modern geopolitical competition.

As Russian forces face mounting battlefield setbacks in Ukraine, Moscow’s intelligence agencies may increasingly seek to retaliate through cyberspace.

For operators of Operational Technology (OT) and Industrial Control Systems (ICS) across vital critical infrastructure sectors including energy, water, oil and gas, manufacturing, transportation, healthcare, and defense, this development demands an immediate shift in threat modeling.

This Shieldworkz Intelligence briefing examines the architecture of the sanctioned entities, the strategic shift toward dismantling the threat-enabling infrastructure, and the tactical steps that industrial cybersecurity leaders must execute to protect physical processes from all forms of state-sponsored degradation.

Strategic context and evolution of the cyber sanctions mechanism

The escalation of the European Union’s diplomatic and economic response does mark a fundamental shift in how Western alliances defend cyberspace. In the past decade, Russian offensive cyber doctrine has matured from distinct, isolated espionage operations into an integrated, continuous component of asymmetric, hybrid warfare often involving unconnected third countries and actors.

The convergence paradigm

Historically, state intelligence networks like the GRU (Main Directorate of the General Staff) and FSB (Federal Security Service) operated with clear tactical boundaries and targets. Those boundaries no longer exist. The EU explicitly called out this phenomenon, noting the convergence of state-backed entities, cybercriminal networks, "patriotic" hacktivists, and private front companies.



By relying on private technology companies to build tools, buying access from initial access brokers, and leveraging volunteer or proxy hacktivist front groups, the Russian state has created artificial layers of deniability while executing high-consequence operations.

Why governments have turned to sanctions

Traditional defensive security controls (firewalls, patching, network segmentation) only address the effects of malicious activity and not the source. Pure diplomatic condemnation has completely missed the mark in terms of deterring aggressive Russian cyber operations. Consequently, the EU is deploying its "Cyber Diplomacy Toolbox" and the sanctions framework established under Council decisions to impose a tangible economic friction directly onto the threat ecosystem.

By enforcing strict asset freezes, travel bans, and criminalizing the provision of funds or resources to these actors, these sanctions aim to achieve specific objectives:

  • Degrade enablers: Severing financial ties impairs a threat actor's ability to rent international command-and-control (C2) servers, buy zero-day exploits, or legally procure specialized hardware.

  • Isolate tech talent: Forcing private developers and administrators out of the global technology market limits their operational capacity to state-shielded borders.

  • Signal collective defense: Coordinated enforcement between the EU and the United Kingdom presents a unified intelligence and tactical front, complicating the operational environments of proxy groups.

These measures will make it difficult for Russian threat actors to assemble resources and may even serve to expose some of the individuals connected with Russian cyber operations.

Deep-dive analysis of the sanctioned ecosystem

To implement effective defensive strategies, security teams must understand the exact roles played by the targets of the 13 July 2026 sanctions package. The EU has targeted four distinct layers of the offensive infrastructure:

The infrastructure enablers: Media Land LLC and ML.Cloud

The council sanctioned the bulletproof hosting provider Media Land LLC, its owner Alexander Volosovik, and its sister entity ML.Cloud.

  • Operational role: These companies served as the foundational hosting infrastructure for globally distributed malware operations, large-scale ransomware campaigns, and sophisticated phishing rings targeting critical infrastructure.

  • Significance: Bulletproof hosts deliberately ignore abuse complaints and law enforcement inquiries. By providing reliable uptime for C2 servers, credential-harvesting portals, and data exfiltration repositories, these companies acted as the logistics spine for multi-stage network intrusions.

The State front company: LLC Impuls

LLC Impuls and its owner, Evgeniy Viktorovich Bashev, were designated for their direct relationship with Russian Military Intelligence.

  • Operational Role: Bashev is an active member of GRU Unit 29155, a notorious unit linked to subversive covert actions, physical sabotage operations across Europe, and disruptive cyber operations. LLC Impuls served as a commercial front providing specialized technical and material support to enable Unit 29155's cyber-attacks against EU member states and partner nations.

  • Significance: This underscores a critical trend: state intelligence agencies rely on custom-developed tooling and commercial infrastructure fronts to mask state attribution during the early phases of an intrusion campaign.

The hacktivist proxies: Z-Pentest and CARR

The sanctions target the pro-Russian hacktivist group Z-Pentest, its leader Yuliya Vladimirovna Pankratova, and primary hacker Denis Olegovich Degtyarenko. These two are key figures within the Cyber Army of Russia Reborn (CARR), an aggressive proxy group operationally tethered to the GRU.

  • Operational Role: Z-Pentest and CARR specialize in targeting physical critical infrastructure, specifically the energy, utility, and water sectors. The Council highlighted a milestone incident: Z-Pentest's successful cyber-attack against a Danish water utility in December 2024.

  • Significance: Moving away from simple Distributed Denial of Service (DDoS) operations, these proxy actors have increasingly demonstrated the intent and capability to manipulate operational control software, risking public safety and service continuity.

The malware architects: Infostealers and ransomware developers

The EU has also penalized key developers involved in the creation of highly destructive software pipelines:

  • LummaC2 Developers: Two sanctioned individuals were designated for developing, distributing, and selling the LummaC2 infostealer. Infostealers are a primary tool for harvesting corporate credentials, VPN profiles, and session tokens that initial access brokers subsequently monetize.

  • Trickbot and Conti Architects: Another sanctioned individual was tied to the foundational development of the Trickbot banking trojan/botnet and the Conti ransomware strain. These malware families pioneered modern corporate network extortion and have frequently been repurposed by state actors for politically motivated disruption campaigns disguised as financial cybercrime.

Sectors at risk: Critical infrastructure impact

The composition of this sanctions package offers a clear map of the vectors threat actors use to compromise industrial environments. Industrial sectors operating OT systems must analyze these exposures across the following operational profiles:


The Operational Technology (OT) perspective: Why the threat is distinct and imminent

For an asset owner, an attack on an industrial facility is fundamentally different from a standard corporate IT data breach. Understanding these core differences helps explain why state-sponsored entities are shifting their focus to physical operations.

IT vs. OT attack objectives

In corporate IT, malicious actors generally target data: intellectual property, financial records, or personally identifiable information (PII). The primary objectives are theft, monetization, or administrative disruption.

In OT, the target is the physical process itself. Attackers aim to manipulate physical laws such as temperature, pressure, electrical flow, chemical mixtures, and mechanical movement. The goal is to induce a state of physical non-equilibrium, leading to:

  • Operational derailment: Forcing an immediate, unsafe emergency shutdown that incurs millions of dollars in recovery costs.

  • Asset destruction: Over-spinning turbines, burning out pumps, or over-pressurizing vessels to cause permanent, long-lead-time equipment damage.

  • Public harm: Altering chemical dosing in water treatment facilities or dropping power grids to disrupt civil stability.

Tactical delivery vectors in the modern landscape

The threat profiles highlighted by the EU sanctions show that adversaries rarely target OT devices out of the blue. Instead, they leverage a highly coordinated, multi-stage delivery pipeline.

Infostealers and Initial Access Brokers

Advanced persistent threats (APTs) and proxy actors use infostealers like LummaC2 to harvest valid corporate credentials from home computers, third-party contractors, and non-segmented IT systems. These credentials are sold to Initial Access Brokers (IABs) or utilized directly to log into external-facing perimeter defenses, bypassing traditional brute-force detection methods.

Supply chain exploitation

As critical infrastructure relies on third-party integrators, original equipment manufacturers (OEMs), and remote maintenance organizations, attackers compromise the vendor first. Front companies like LLC Impuls provide the technical buffer needed to study vendor software, looking for trusted update mechanisms or hardcoded engineering credentials to abuse.

Living-off-the-Land (LotL) techniques

Modern ICS attackers rarely drop loud, easily detectable malware payloads into the execution environment. Instead, they execute Living-off-the-Land techniques—using the legitimate, built-in administrative tools already present in the operating system (e.g., PowerShell, WMI, native remote desktop protocols). Once inside the OT network, they use standard engineering software to send valid, authorized commands to PLCs and safety instruments. To the network, the attacker looks exactly like a legitimate plant engineer, rendering signature-based antivirus solutions ineffective.

Defensive Blueprint: Lessons for CISOs and OT security leaders

Defending critical infrastructure against a state-backed ecosystem requires moving beyond compliance checkboxes to implement an operational, resilience-driven defense-in-depth model.


· Establish continuous asset visibility and inventory

You cannot defend what you do not know exists. Organizations must deploy passive, OT-safe network monitoring tools to build a dynamic, real-time asset inventory of every device on the plant floor. This includes tracking vendor makes, models, firmware versions, and rack configurations for PLCs, HMIs, and Intelligent Electronic Devices (IEDs).

· Implement industrial Network Detection and Response (NDR)

Because adversaries utilize legitimate engineering protocols to execute attacks, standard IT firewalls are insufficient. Organizations require specialized industrial NDR solutions capable of deep packet inspection (DPI) of proprietary OT protocols (e.g., ModbusTCP, DNP3, EtherNet/IP, PROFINET). The NDR must baseline normal operational thresholds and trigger alerts on anomalous administrative actions, such as unexpected firmware writes, program modifications, or out-of-bounds parameter changes.

·  Enforce strict Zero-Trust Remote Access Architecture

Eliminate all persistent, direct-inbound VPN connections into the OT environment. All remote sessions—whether for internal engineers or external OEMs—must clear a centralized, secure access jump host located inside a highly restricted Demilitarized Zone (DMZ

·  Enforce phishing-resistant MFA: Multi-Factor Authentication must be mandatory for every remote access pivot point.

· Session termination: Remote sessions must be time-bound, continuously logged, and automatically terminated upon completion of work.

· Proactive threat hunting for Living-off-the-Land Indicators

Security Operations Centers (SOCs) must explicitly hunt for indicators that suggest an adversary is manipulating native infrastructure. Focus areas include:

Tracking unusual administrative actions, such as the unexpected execution of vssadmin.exe (frequently used by ransomware variants to delete shadow copies) or unauthorized PowerShell activity on engineering workstations.

Auditing host event logs for accounts logging in at anomalous hours or pivoting across dual-homed machines that span both IT and OT network boundaries.

·  Rigorous Third-Party and Supply Chain Risk Management

Incorporate rigorous cybersecurity requirements into all vendor and procurement contracts. Mandate that software suppliers provide a Software Bill of Materials (SBOM) for all deployed applications. Run periodic, isolated validation testing on vendor-supplied firmware updates before deploying them to production networks.

The regulatory imperative: Aligning frameworks with global sanctions

The threat indicators exposed by the European Council’s sanctions align directly with the control objectives mandated by modern international regulatory frameworks. Compliance is no longer just a legal obligation; it is a baseline structural defense against state-sponsored disruption.

NIS2 Directive (European Union)

The Network and Information Security (NIS2) Directive expands strict cybersecurity obligations to a broader set of entities across critical sectors. It introduces direct personal liability for corporate executives who fail to manage cyber risks appropriately. The directive emphasizes supply chain security, rigorous incident reporting, and the active adoption of cryptography and multi-factor authentication—controls directly intended to neutralize the threat from initial access brokers and infostealer vectors.

IEC 62443 Series (Global Industrial Standard)

The IEC 62443 standard provides a comprehensive framework for securing Industrial Automation and Control Systems (IACS).

  • Zones and Conduits (IEC 62443-3-2): Requires segmenting the plant floor into logical, risk-profiled zones connected by tightly controlled conduits. This segmentation prevents a compromise in a low-security zone (such as corporate Wi-Fi or a bulletproof host-facing edge) from cascading into safety-critical control loops.

  • Security Level Requirements (IEC 62443-3-3): Mandates specific technical capabilities, including robust user authentication, data integrity validation, and continuous security logging to defend against intentional manipulation by insider threats or compromised proxy credentials.

NIST CSF 2.0 and NIST SP 800-82

The National Institute of Standards and Technology (NIST) updated its Cybersecurity Framework (NIST CSF 2.0) to emphasize governance, ensuring that cyber risk assessment is handled as an enterprise-wide, board-level liability. For industrial environments, NIST SP 800-82 Guide to Operational Technology (OT) Security translates these core functions into the specific realities of the plant floor. It offers technical blueprints for deploying network segmentation, applying patches to legacy systems without disrupting availability, and constructing resilient OT incident response capabilities.

Cyber Resilience Act (CRA)

The EU's Cyber Resilience Act imposes mandatory hardware and software security requirements on all products with digital elements placed on the European market. By forcing manufacturers to guarantee lifetime vulnerability patching and secure-by-default initial configurations, the CRA aims to eliminate the hardware vulnerabilities that threat groups exploit to establish initial footholds in industrial environments.

The next 3–5 years of cyber conflict

The coordinated sanctions package issued on 13 July 2026 indicates that cyberspace has permanently integrated with geopolitical conflict. Over the next 3 to 5 years, critical infrastructure operators must prepare for several key structural shifts in the threat landscape:

·  Increased reliance on deniable proxy forces

As major state actors face harsher diplomatic and economic consequences for direct cyber actions, they will increasingly outsource operations to semi-independent hacktivist umbrellas, cyber-mercenaries, and criminal syndicates. This strategy allows state actors to leverage highly destructive capabilities while maintaining a degree of plausible deniability.

·   Targeting of operational Safety Instrumented Systems (SIS)

Future offensive campaigns will likely target more than just visibility systems like HMIs. Adversaries are actively studying how to modify the logic of Safety Instrumented Systems (SIS)—the independent, automated protection layers designed to prevent physical catastrophes when processes exceed safe operating limits. Compromising the SIS allows attackers to clear the path for high-consequence physical damage.

·  Shift from prevention to resilience

The complex nature of modern software supply chains means that a determined, well-resourced nation-state adversary can eventually breach almost any perimeter. Consequently, the primary metric of successful security leadership must shift from prevention to resilience.

Resilience means designing your industrial architecture to operate safely during an ongoing active intrusion. It requires preserving the ability to drop into manual, analog operating modes, decoupling core physical processes from compromised networks, and demonstrating the capability to rapidly rebuild engineering workstations from trusted, offline gold images.

Actionable recommendations for critical infrastructure operators

To strengthen defense systems against the capabilities of the state-sponsored cyber ecosystem exposed by the EU, executive leadership and plant operations teams should prioritize the following practical steps:

Immediate technical priorities (Next 30 Days)

  • Audit active perimeter access: Conduct an immediate review of all active remote access pathways, external connections, and vendor jump hosts. Terminate all persistent, single-factor authentication VPN links into production environments.

  • Deploy infostealer mitigations: Implement endpoint detection and response (EDR) policies on all corporate IT devices to block and alert on unauthorized credential-dumping utilities and infostealer behavior. Mandate enterprise-wide credential rotations for all administrative accounts.

  • Review edge infrastructure logging: Confirm that all internet-facing firewalls, routers, and edge systems are generating detailed logs, and aggregate those logs into a central, secure repository to identify potential scanning from known bulletproof hosting ranges.

Process and architecture upgrades (Next 90 Days)

  • Execute OT Network segmentation: Verify that your network segmentation aligns with the Purdue Model and IEC 62443. Ensure that all traffic crossing from the corporate IT network to the OT network passes through an inspectable, secure DMZ conduit.

  • Deploy passive network baselining: Integrate specialized industrial network anomaly detection tools to monitor deep packet information across core industrial protocols, creating a baseline of normal operating behavior.

  • Conceptualize and run scenario-based incident tabletop exercises: Run cross-functional incident response simulation exercises involving plant managers, control room operators, IT security specialists, and executive leadership. Test your team's readiness to respond to an active, disruptive ransomware or proxy threat scenario.

Strategic and governance planning (Next 180 Days)

  • Enforce board-level cyber governance: Align your reporting structures with the requirements of NIS2 and NIST CSF 2.0. Ensure that industrial cyber risk is presented regularly to the board of directors as a core operational liability, backed by clear engineering metrics.

  • Establish an analog isolation playbook: Develop and test explicit engineering procedures to safely isolate the physical plant from the network during a severe cyber crisis. Ensure that operational staff are fully trained to drop into manual control modes, maintaining continuous safety and public service availability independently of the digital network infrastructure.


The sanctions announced by the European Council should not be viewed solely as a diplomatic development. They offer valuable insight into how modern cyber operations are organised, financed, and sustained. For operators of critical infrastructure, the lesson is clear: defending against isolated indicators of compromise is no longer sufficient. Organisations must understand and defend against the broader ecosystem that enables persistent, state-aligned cyber activity. Building resilient OT environments through visibility, segmentation, secure remote access, and continuous monitoring will remain essential as geopolitical cyber risks continue to evolve.


To learn how you can conceptualise and deploy a set of proven measures to defend your OT infrastructure, reach out to our operational engineering experts.

Recommended reading

ICS Ransomware Defense Playbook

OT / ICS Cybersecurity Operational Security Checklist

AI Governance for Operational Technology (OT)

Ultimate Guide to OT Security Best Practices

Shieldworkz Regulatory Playbooks Library

 

احصل على تحديثات أسبوعية

الموارد والأخبار

تعرف على كيفية معالجة حلولنا الرائدة في مجال أمن تكنولوجيا التشغيل (OT) للتحديات الأمنية الحيوية

قد تود أيضًا

BG image

ابدأ الآن

عزز موقفك الأمني لنظام CPS

تواصل مع خبرائنا في أمن CPS للحصول على استشارة مجانية.

BG image

ابدأ الآن

عزز موقفك الأمني لنظام CPS

تواصل مع خبرائنا في أمن CPS للحصول على استشارة مجانية.

BG image

ابدأ الآن

عزز موقفك الأمني لنظام CPS

تواصل مع خبرائنا في أمن CPS للحصول على استشارة مجانية.