{
	"id": "c86f1ec2-1368-4205-af5d-3fab21ff6941",
	"created_at": "2026-04-06T01:30:54.74091Z",
	"updated_at": "2026-04-10T03:37:50.273389Z",
	"deleted_at": null,
	"sha1_hash": "c9f8b84cb36967a95ea9d8b84efb23b36f487c32",
	"title": "GRU 26165: The Russian cyber unit that hacks targets on-site",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 540833,
	"plain_text": "GRU 26165: The Russian cyber unit that hacks targets on-site\r\nBy eschroeder\r\nPublished: 2022-11-18 · Archived: 2026-04-06 00:40:19 UTC\r\nConflict, Risk, and Tech November 18, 2022\r\nJustin Sherman\r\nRussian hackers are not always breaching targets from afar, typing on their keyboards in Moscow bunkers or St.\r\nPetersburg apartment buildings. For some Russian government hackers, foreign travel is part of the game. They\r\npack up their equipment, get on international flights, and covertly move around abroad to hack into computer\r\nsystems.  \r\nEnter GRU Unit 26165 (of the military intelligence agency Glavnoye Razvedyvatelnoye Upravlenie), a military\r\ncyber unit with hackers operating remotely and on-site. Despite the security risks on-site cyber operations pose to\r\ngovernments and international organizations, and the questions they raise about how the West should track and\r\ncombat Russian state hacking, Russia’s activities in this realm are not receiving sufficient policy attention. \r\nGRU Unit 26165, the 85th Main Special Communications Center \r\nIn March 2018, after the GRU tried to murder former Russian intelligence officer Sergei Skripal and his daughter\r\nYulia in Salisbury, England using a Novichok nerve agent, the Kremlin came under international fire. British\r\nintelligence officials blamed the GRU, where Skripal used to work (and later became a British informant); the\r\nmultinational Organization for the Prohibition of Chemical Weapons (OPCW), which enforces the Chemical\r\nWeapons Convention, launched an investigation; and in June of the same year, OPCW countries voted to let the\r\nbody attribute chemical weapons attacks to particular actors. (A year later, the OPCW would formally ban\r\nNovichok nerve agents.) Additional journalistic investigations into the perpetrators, meanwhile, continued to point\r\nto the GRU’s involvement. 
\r\nAlthough the OPCW’s investigation was not made public for months, the Russian government decided to move\r\nquickly against the organization, turning to a tactical cyber unit to do so. \r\nhttps://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/\r\nPage 1 of 6\n\nOPCW Headquarters\r\nOn April 10, 2018, four Russian nationals landed at Amsterdam Schiphol Airport in the Netherlands. With\r\ndiplomatic passports in hand, they were met by a member of the Russian embassy in The Hague. After loading a\r\ncar with technical equipment—including a wireless network panel antenna to intercept traffic—the four\r\nindividuals scouted the OPCW’s headquarters in The Hague for days, taking photos and circling the building\r\nbefore being intercepted by the Dutch General Intelligence and Security Service (Algemene Inlichtingen- en\r\nVeiligheidsdienst or AIVD) and sent back to Moscow. Seemingly, the plan had been for the operatives to hack into\r\nthe OPCW’s systems to disrupt investigations into the attempted GRU chemical weapon attack.  \r\nThe Netherlands made all of this public on October 4, 2018, with Dutch intelligence identifying the four operators\r\nby name—Aleksei Sergeyevich Morenets and Evgenii Mikhaylovich Serebriakov were described as “cyber\r\noperators” and Oleg Mikhaylovich Sotnikov and Alexey Valerevich Minin were described as “HUMINT (human\r\nintelligence) support.” The AIVD linked all of these individuals to Russia’s GRU. A Department of Justice (DOJ)\r\nindictment issued on the same day went a step further, linking the hackers—Morenets and Serebriakov—to GRU\r\nUnit 26165. \r\nUnit 26165, otherwise known as Fancy Bear, was already known for breaking into systems from afar, including\r\nthe Democratic National Committee in 2016 and World Athletics (previously the International Amateur Athletic\r\nFederation) in 2017. 
Yet, the revelations around the attempted OPCW hack made clear that Unit 26165 does much\r\nmore. The full DOJ indictment, subsequently published by the National Security Archive at The George\r\nWashington University, alleged that Morenets “was a member of a Unit 26165 team that traveled with technical\r\nequipment to locations around the world to conduct on-site hacking operations to target and maintain persistent\r\naccess to WiFi networks used by victim organizations and personnel.” Serebriakov also belonged to such a team.\r\nWhile Unit 26165 often conducts remote hacks from Russia, the indictment stated that “if the remote hack was\r\nunsuccessful or if it did not provide the conspirators with sufficient access to victims’ networks,” Unit 26165\r\nwould carry out “‘on-site’ or ‘close access’ hacking operations.” \r\nThe OPCW incident was not the first time these particular hackers went abroad to conduct operations. According\r\nto the DOJ, Morenets traveled to Rio de Janeiro, Brazil, and Lausanne, Switzerland, in 2016 to breach into\r\nWiFi networks used by people with access to the US Anti-Doping Agency, the World Anti-Doping Agency, and\r\nthe Canadian Center for Ethics in Sport. Serebriakov, the indictment stated, also participated in these on-site\r\nhacking operations. Both individuals allegedly planned to target the Spiez Laboratory in Switzerland after the\r\nOPCW hack. The indictment alleged that Ivan Sergeyevich Yermakov, also part of GRU Unit 26165, provided\r\nremote reconnaissance support for his colleagues’ on-site hacking operation against the OPCW. \r\nAdditionally, it is speculated that these on-site hackers were supported by another GRU unit, which is where the\r\nother two Russians caught in the Netherlands by the AIVD enter the picture. 
Sotnikov and Minin were described\r\ngenerically by the Dutch as HUMINT support for the two hackers, and as “Russian military intelligence officers”\r\nby the DOJ’s full indictment. Neither of these government documents mentions a specific GRU unit associated\r\nwith Sotnikov or Minin. \r\nPublished in tandem with the October 4, 2018 state disclosures was a new Bellingcat investigation linking\r\nMorenets’ Russian car to the Unit 26165 building in Russia. It also linked Minin’s car registration to the GRU\r\n“Conservatory.” The Conservatory—formally numbered GRU Unit 22177—is the Russian Defense Ministry’s\r\nMilitary Academy and a training site for the GRU, located in Moscow near GRU headquarters and other GRU\r\ntraining facilities. Due to Minin’s connection to 22177 and the Dutch and US governments’ vague references to\r\nSotnikov and Minin as “HUMINT support” and “Russian military intelligence officers” separate from Unit 26165,\r\nnumerous articles have speculated that operatives from another GRU unit were tasked to support the mission in\r\nThe Hague. \r\nStepping back, assessing the picture \r\nPolicymakers should use this information as a case study for how Russian government hackers—and,\r\ntheoretically, state hackers from other adversary countries—move around the world to break into systems. The use\r\nof on-site cyber operations abroad seems unique to this GRU team, with many possible motivations at play. It is\r\nunclear how high up the oversight chain these on-site operations go. What is clear, though, is that Western\r\ngovernments cannot restrict their hunt for Russian hackers to the digital sphere; they must also remember how\r\nRussian hacking fits into broader Russian intelligence activities, including overseas. \r\nThere are several takeaways and implications that result from this information. The on-site, overseas cyber\r\noperations of GRU Unit 26165 appear to stand out from other Russian government cyber units. 
Of course, cyber\r\ncapabilities are a part of intelligence operations more broadly, and many human operations around the world\r\nleverage cyber reconnaissance on an ongoing basis. Nonetheless, when the United Kingdom (UK) released its\r\nown statement on Russian government cyber activity in October 2018, it clearly differentiated between the\r\nactivities of Unit 26165 in the Netherlands, Brazil, and Switzerland and those of Unit 74455 (Sandworm), which it\r\nstressed “were carried out remotely—by GRU teams based within Russia.” The DOJ indictment appears to\r\nsuggest, although this is not totally clear, that hackers going abroad are part of at least one specific sub-team\r\nwithin the broader cyber unit. Further, the DOJ indictment lists numerous examples of on-site hacks or hack\r\nattempts, but publicly available information has not exposed the same kind of on-site operations by Russia’s\r\nForeign Intelligence Service, the SVR. \r\nThe motivations behind the on-site operations of Unit 26165 are also a key question. Based on publicly available\r\ninformation, its proclivity for “close access” operations leans toward disrupting high-profile investigations into\r\npotentially embarrassing Russian government activity. The first set of reported hacks targeted international\r\ninvestigations into allegations of Russian doping at the Olympics; the second set of hacks targeted the\r\ninternational investigation into the attempted murder of the Skripals with chemical weapons. It is possible,\r\ntherefore, that protecting the Kremlin’s image is a high priority. Simultaneously, the DOJ indictment stated that\r\nUnit 26165 carries out on-site operations when remote operations are unsuccessful, suggesting a more functional,\r\neffects-oriented motive for sending hackers overseas. 
\r\nHowever, there is another possibility: The GRU may simply be using on-site operations when it needs to draw\r\nattention away from its own failures. The botched attempt to murder Sergei and Yulia Skripal was carried out by\r\nGRU Unit 29155, a Russian military intelligence and assassination team with close relationships to the Signal\r\nScientific Center federal research facility and the Ministry of Defense’s State Institute for Experimental Military\r\nMedicine in St. Petersburg, entities suspected of managing Russia’s Novichok program. GRU operatives are well-known for their high-risk appetites and sometimes overt violence, even relative to other Russian intelligence\r\norgans like the Federal Security Service (FSB), Russia’s domestic security agency. (That said, the FSB is a violent\r\norganization, too, carrying out repressive tactics in Russia and, in 2019, assassinating a Georgian asylum seeker in\r\nBerlin.) \r\nThis tendency is playing out in cyberspace already, given that GRU teams are behind the NotPetya malware\r\nattack, shutdowns of Ukrainian power grids, and other more destructive, publicly visible operations. Such cyber\r\nactivities, in line with broader intelligence cultures, stand in contrast to agencies like the SVR, which appears to\r\nplace a premium on covertness, both online and offline. Wanting to frantically undermine an investigation into its\r\nown failed operation, it is not out of the question that the GRU sent Unit 26165 operatives overseas. That Unit\r\n26165 hackers Morenets and Serebriakov may have had support from other parts of the GRU (HUMINT operators\r\nSotnikov and Minin) in the OPCW plot suggests possible broader intra-agency coordination. But again, it is easy\r\n—and sometimes misguided—to assume there is more coordination within the Russian security services than\r\nactually occurs. 
\r\nAll of this raises a final and more interesting question always at play in the Russian cyber ecosystem: How far up\r\nthe chain does oversight of on-site hacks go? \r\nCyber and information operations with high political sensitivity, which Moscow conceptualizes more cohesively\r\nthan in the West, are more likely to be supervised by the Kremlin. The US intelligence community assessed, for\r\nexample, that the influence actions targeting the 2016 US election were “approved at the highest levels of the\r\nRussian government,” and a similar conclusion was reached vis-à-vis President Vladimir Putin and Russia’s\r\nelection interference in 2020. This may also be true for more traditional intelligence operations. When the UK\r\nfinished its investigation into the murder of former Russian spy Alexander Litvinenko, who was killed on British\r\nsoil with the radioactive material Polonium-210, it concluded that Putin and Russian Security Council head\r\nNikolai Patrushev “probably” approved the killing. \r\nThe GRU’s botched murder attempt on the Skripals garnered significant international attention. At the time,\r\nRussian officials were already criticizing the OPCW’s investigations into the Assad regime’s use of chemical\r\nweapons in Syria—called an attempt “to make the OPCW draw hasty but at the same time far-reaching\r\nconclusions” by Russia’s deputy foreign minister. When the investigation into the Skripal poisonings began, senior\r\nofficials like Russian Foreign Minister Sergei Lavrov falsely claimed that a lab used by the OPCW picked up\r\ntraces of a nerve agent possessed by NATO countries but not Russia. 
Putin, meanwhile, has always held particular\r\ncontempt for people he perceives as betraying the Russian nation, once saying that “traitors always meet a bad\r\nend,” suggesting a kind of personal anger directed at individuals like Sergei Skripal who became agents for the\r\nWest. The Olympic doping investigations, too, proved an embarrassment for Moscow. \r\nIn this vein, it is quite possible that higher-level Kremlin officials may direct the GRU to act against investigations\r\nlike OPCW’s, prompting the GRU to deploy Unit 26165 hackers to the Netherlands. It is also plausible that the\r\nactivities of Unit 26165 merely reflect broader intelligence collection priorities, spying on those trying to “hurt”\r\nRussia, such as investigators looking into Russian athlete doping. Since there are few publicly known cases of\r\nUnit 26165 conducting “close access” operations, perhaps these are not representative samples, with the GRU\r\ncarrying out these activities on its own after all. \r\nRegardless, the GRU is clearly sending hackers overseas to carry out operations. Going forward, Western\r\nintelligence and law enforcement personnel, as well as multinational organizations, would be wise to pay\r\nattention. \r\nThe Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at\r\nthe nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better\r\ninform and secure users of technology.\r\nImage: OPCW Headquarters\r\nSource: https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/"
	],
	"report_names": [
		"the-russian-cyber-unit-that-hacks-targets-on-site"
	],
	"threat_actors": [
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439054,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9f8b84cb36967a95ea9d8b84efb23b36f487c32.pdf",
		"text": "https://archive.orkl.eu/c9f8b84cb36967a95ea9d8b84efb23b36f487c32.txt",
		"img": "https://archive.orkl.eu/c9f8b84cb36967a95ea9d8b84efb23b36f487c32.jpg"
	}
}