GRU Unit 26165 (85th Main Special Service Centre)
The 85th Main Special Service Centre of the Russian Main Intelligence Directorate — the GRU's principal computer-network-exploitation and influence-operations unit. Indicted by the United States Department of Justice in July 2018 for the 2016 Democratic National Committee intrusion; tracked across the threat-intelligence industry as Fancy Bear, APT28, Forest Blizzard, and several other vendor labels.
Overview
Unit 26165 is the institutional designation for the 85th Main Special Service Centre of the Russian Main Intelligence Directorate (GRU) — the GRU's principal computer-network-exploitation and influence-operations unit, headquartered at 20 Komsomolsky Prospekt in central Moscow. The unit's mission is the use of cyber operations to support Russian military-intelligence collection requirements: penetration of foreign government, diplomatic, military, and political-party networks, exfiltration of communications and documents, and selective release of exfiltrated material in support of broader Russian influence operations.[1]
The unit's institutional identity is established in the public record principally through the July 2018 United States Department of Justice indictment of twelve named GRU officers, nine of whom were specifically identified as Unit 26165 personnel and were charged with the 2016 Democratic National Committee, Democratic Congressional Campaign Committee, and Clinton campaign intrusions. The indictment specified the unit's address, organisational placement within the GRU, and the operational chain of command up to Colonel General Igor Korobov, then-Chief of the GRU.[2]
Across the threat-intelligence industry the unit's activity is tracked under multiple vendor designations: Fancy Bear (CrowdStrike), APT28 (Mandiant), Sofacy (Kaspersky Lab), Pawn Storm (Trend Micro), Sednit (ESET), STRONTIUM and then Forest Blizzard (Microsoft), and Tsar Team (iSIGHT Partners). See APT designation for the naming-conventions context. The mappings are tight: all the labels refer to the same underlying institutional entity.[3]
History & Origins
The unit traces institutional roots to the GRU signals-intelligence and electronic-warfare formations of the late Soviet period, but its consolidation as the principal GRU cyber-operational unit dates to the mid-2000s — the period in which Russian military-intelligence cyber capability transitioned from an experimental capability of the signals-collection units into a dedicated operational mission with a separate command structure. The unit acquired its current designation as the 85th Main Special Service Centre in 2002, per the indictment record and the supporting United Kingdom National Crime Agency investigation.[4]
The publicly-attested operational footprint begins approximately 2007, with what Sednit-cluster reporting subsequently characterised as the unit's first major sustained intrusion campaign — against Caucasus-region government targets — and continues through the present. The mid-2010s saw the unit's operational tempo expand substantially, and the 2014–2017 period encompassed the operations on which the unit's public reputation now substantially rests.[5]
Operational footprint (documented)
The publicly-documented operational footprint of Unit 26165 includes:
The 2014–2017 Russian campaign of intrusions against Western political institutions. The 2015 intrusion of the German Bundestag (later confirmed by the Bundesamt für Verfassungsschutz attribution); the 2016 intrusion of the United States Democratic National Committee, Democratic Congressional Campaign Committee, and Hillary Clinton campaign personnel (United States DOJ July 2018 indictment, see Special Counsel report Volume I); the parallel 2016–2017 intrusions of the French Macron campaign (subsequently leaked as the MacronLeaks); the 2016 intrusion of the World Anti-Doping Agency in retaliation for the McLaren Report on Russian state-sponsored athletic doping. All four operations followed the same documented operational pattern: spearphishing of target personnel, credential capture, persistent access to email accounts, exfiltration of correspondence and documents, and selective release through the DCLeaks and Guccifer 2.0 personas, which the United States indictment established as Unit 74455 operational covers coordinated with Unit 26165's document-theft operations.[6]
Operations against international sport-governance institutions. The 2016 WADA intrusion was followed by 2018 operations against the International Olympic Committee, the Court of Arbitration for Sport, and the Organisation for the Prohibition of Chemical Weapons (The Hague-based body investigating the Salisbury chemical-weapons attack against Sergei Skripal). The OPCW operation was disrupted by Dutch military intelligence in April 2018 at the OPCW headquarters in The Hague; four Unit 26165 officers were physically present in the Netherlands with operational equipment, were apprehended, and were subsequently named publicly by Dutch authorities.[7]
Persistent collection against United States and European government targets. The publicly-disclosed operational record establishes sustained collection against United States executive-branch agencies (State Department, Pentagon, intelligence-community elements) across the 2014–2020 period, against North Atlantic Treaty Organization headquarters and several European foreign-affairs ministries, and against the European Parliament. The collection mission is broader than the influence operations; most of it does not surface publicly because the exfiltrated material is not released externally.[8]
Attribution and indictment
The United States Department of Justice indictment of 13 July 2018 named nine Unit 26165 officers as defendants on charges including conspiracy to commit computer fraud, conspiracy to commit wire fraud, aggravated identity theft, and money laundering. The named Unit 26165 defendants — Viktor Netyksho, Boris Antonov, Dmitry Badin, Ivan Yermakov, Aleksey Lukashev, Sergey Morgachev, Nikolay Kozachek, Pavel Yershov, and Artem Malyshev — were charged in connection with the 2016 DNC, DCCC, and Clinton-campaign intrusions; an additional three GRU officers from Unit 74455 (the unit responsible for NotPetya and other destructive operations) were charged in the same indictment for the DCLeaks and Guccifer 2.0 release-and-amplification operations.[9]
The joint United Kingdom, United States, Australia, Canada, and New Zealand attribution statements of October 2018 separately attributed the Bundestag, WADA, IOC, and OPCW operations to Unit 26165 and named the unit publicly. The European Council imposed targeted sanctions on Unit 26165 personnel in October 2020, naming Igor Kostyukov (then-acting GRU Chief) and four operational officers. The unit's institutional standing as a publicly-named threat actor in the United States, European Union, and Five Eyes attribution architecture is settled.[10]
See also
- GRU — parent service
- GRU Unit 74455 — sibling unit, the destructive-operations cyber arm
- SVR cyber operations — sibling Russian-state cyber actor (different parent service)
- APT designation — the naming-conventions context
- Snowden disclosures — context on the parallel NSA / GCHQ side of the same cyber-operations doctrine
Sources & Further Reading
1. United States v. Viktor Borisovich Netyksho et al., Indictment, U.S. District Court for the District of Columbia (13 July 2018) — the foundational charging document, available at justice.gov. The indictment specifies Unit 26165's institutional designation, address, and operational chain of command. Subsequent United Kingdom National Cyber Security Centre attribution statements (October 2018, October 2020) corroborate the identification.
2. Mueller, Robert S. III, Report on the Investigation Into Russian Interference in the 2016 Presidential Election, Volume I (March 2019), pp. 36–50 — the Special Counsel narrative on the Unit 26165 operational role in the 2016 cycle.
3. CrowdStrike Global Threat Report series (annual, 2014 onward); Mandiant, APT28: A Window Into Russia's Cyber Espionage Operations (October 2014); Recorded Future Insikt Group threat-actor profiles; ESET Research, Sednit technical analyses (2014–2018); Microsoft Threat Intelligence, Forest Blizzard (formerly STRONTIUM) threat-actor profile.
4. DOJ Indictment, op. cit. (specifying Unit 26165's 2002 designation as the 85th Main Special Service Centre); subsequent investigative materials in the Mueller Report, op. cit.; United Kingdom National Crime Agency and National Cyber Security Centre investigation file (partially released through subsequent disclosure).
5. ESET Research, En Route with Sednit (technical report series, 2014–2018) — the most extensive technical reconstruction of Unit 26165's operational history through 2018; Mandiant, APT28, op. cit.
6. DOJ Indictment, op. cit.; Mueller Report, Volume I, op. cit.; Bundesamt für Verfassungsschutz public attribution of the 2015 Bundestag intrusion; Le Monde coverage of the 2017 MacronLeaks (5 May 2017); World Anti-Doping Agency public statement on the 2016 intrusion.
7. Dutch Military Intelligence and Security Service (MIVD) press conference, 4 October 2018 — the public identification of four Unit 26165 officers detained at the OPCW headquarters in The Hague. The Dutch announcement was coordinated with the United Kingdom and United States October 2018 joint attribution statements.
8. Mandiant, APT28, op. cit.; CrowdStrike, Bears in the Midst: Intrusion into the Democratic National Committee (June 2016); Federal Bureau of Investigation, joint statements with the Department of Homeland Security on Russian cyber operations (2016–2020).
9. DOJ Indictment, op. cit. The indictment names twelve GRU officers in total — nine from Unit 26165 and three from Unit 74455. The Unit 26165 defendants are identified by name, GRU-officer rank, and operational role within the unit.
10. United Kingdom National Cyber Security Centre, Reckless campaign of cyber attacks by Russian military intelligence service exposed (4 October 2018); European Council Decision (CFSP) 2020/1537 — targeted sanctions against Unit 26165 personnel (22 October 2020); Andy Greenberg, Sandworm: A New Era of Cyberwar (Doubleday, 2019), Chapter 14 on the 2018 Western-attribution coordination.