Summary
- CERT-FR says French entities have been targeted and compromised through the Turla intrusion set.
- The activity is attributed to Centre 16 of Russia’s Federal Security Service.
- French victimology includes government, diplomatic, defence, justice, and technology organisations.
CERT-FR has attributed Turla activity against French entities to Centre 16 of Russia’s Federal Security Service, placing long-running espionage activity against European government and strategic sectors into a formal French attribution record.
The report, dated 13 July 2026, says members of France’s Cyber Crisis Coordination Centre observed the targeting and compromise of French entities using the Turla intrusion set. CERT-FR says the activity is operated by the 16th Centre of the FSB and has been used since at least 2004 for intelligence collection against strategic entities and individuals around the world, including in France.
French victimology identified by CERT-FR includes ministries, diplomatic entities, defence organisations, justice-sector bodies, and technology organisations. The report says espionage campaigns associated with Turla against Ukraine, NATO countries, and EU countries continue in the context of Russia’s war against Ukraine.
The advisory does not publish a victim list, compromise count, or remediation status. Its importance rests in the formal attribution and sector picture. France is describing an espionage pattern aimed at state functions, diplomatic relationships, defence capability, legal systems, and technology assets, all of which carry consequences beyond the first compromised environment.
Turla has been tracked for years by Western governments and cyber agencies as a persistent Russian-linked espionage operation. The French report gives affected sectors a national context for activity that may otherwise appear as a local intrusion investigation. A compromised ministry system, diplomatic mailbox, supplier environment, or technology platform can expose negotiations, legal processes, procurement, research, or operational plans.
The report also fits the broader pressure now being placed on Russian state cyber activity by the UK, EU, and national governments. Recent public actions have focused not only on campaigns, but also on state units, infrastructure providers, criminal services, and enabling networks. That approach gives regulated and strategic organisations clearer grounds for threat-led testing, supplier assurance, executive reporting, and incident classification.
Espionage risk differs from disruptive cybercrime. A ransomware incident is usually visible because systems stop working, but intelligence collection can remain active for long periods if detection is weak. Identity telemetry, endpoint monitoring, privileged access control, network visibility, email security, and incident investigation discipline all determine whether a quiet compromise is found before sensitive information is collected or reused.
The supplier dimension is also material. Technology companies, managed service providers, consultancies, software vendors, and outsourced support providers working with ministries, defence organisations, or strategic sectors can become indirect routes into higher-value targets. Those organisations need to understand how privileged support access, remote administration, data sharing, and logging would stand up during a state-linked intrusion investigation.
CERT-FR’s Turla report gives French and European organisations a formal basis for reviewing exposure, strengthening detection, and reassessing sensitive supplier relationships. France has attributed ongoing espionage against French entities to Russia’s FSB, and the named sectors sit close to national decision-making and European security.




