Main Intelligence Agency of the Armed Forces (GRU)

The GRU, or Main Intelligence Agency, is the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation. The acronym GRU stands for “Glavnoye Razvedyvatel’noye Upravleniye,” which translates to “Main Intelligence Agency.” The GRU works alongside the Foreign Intelligence Service (SVR) and the Federal Security Service (FSB) to achieve strategic objectives for the Russian Federation.

The GRU’s roots trace back to the Soviet Union’s early years, where it initially served as the intelligence arm of the Red Army. Over the decades, it underwent transformations to adapt to the changing geopolitical landscape. Despite the dissolution of the Soviet Union, the GRU persisted, and its role expanded beyond traditional military intelligence to address contemporary security challenges. It became a crucial player in Russia’s efforts to assert its influence on the global stage.

The GRU is responsible for gathering and analyzing military-related intelligence, conducting espionage, and carrying out covert operations abroad. It operates under the umbrella of the Russian military and reports directly to the General Staff. The agency has a history dating back to the early 20th century and has played a significant role in various geopolitical events.


GRU 85th Field Post 26165 (FANCY BEAR)

Unit 26165 is a military cyber unit operating under the Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation, commonly known as GRU (Glavnoye Razvedyvatelnoye Upravlenie). The unit gained international attention for its involvement in various cyber operations, including remote and on-site hacking activities. GRU Unit 26165 is identified by cybersecurity organizations by a variety of codenames including APT28, Fancy Bear, Sofacy Group, and Strontium.

APT28 has targeted a diverse range of entities, including governments, military organizations, defense contractors, political organizations, and international institutions. Fancy Bear specializes in cyber-espionage, aiming to gather intelligence and sensitive information from its targets. The group employs various tactics, including spear-phishing emails, malware, and advanced persistent techniques to gain access and maintain a long-term presence on compromised networks. APT28 utilizes a variety of sophisticated tools and malware for its operations. These include the Sofacy, X-Agent, and Sednit malware families, among others. The group is known for constantly evolving its toolsets to avoid detection and attribution.

APT28’s activities align with Russia’s geopolitical interests. The group has been linked to operations that coincide with significant political events, elections, or conflicts, reflecting an intent to influence or gather intelligence related to these events. APT28 gained widespread attention for its alleged involvement in the hacking and release of sensitive information during the 2016 U.S. presidential election. GRU Unit 26165 is known for its cyber activities both within Russia and abroad, with reported incidents ranging from the hacking of the Democratic National Committee in the United States in 2016 to targeting various international organizations and entities.

Fancy Bear is also suspected to be behind the attempted hacking of the Organization for the Prohibition of Chemical Weapons (OPCW) headquarters in The Hague in 2018. The unit’s operatives, equipped with diplomatic passports and technical gear, traveled to the Netherlands with the intention of disrupting investigations into the Salisbury poisoning of former Russian intelligence officer Sergei Skripal and his daughter Yulia. This particular operation involved on-site hacking attempts to gain persistent access to WiFi networks used by the targeted organizations. The unit’s methods include both remote cyber intrusions and physically traveling to locations for on-site hacking operations, making it a distinctive player in the realm of state-sponsored cyber activities.


GRU GTsST Field Post 74455

Sandworm is a hacking group that is widely believed to be associated with the Russian military intelligence agency GRU (Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation). The group has gained notoriety for its involvement in various cyber-espionage and cyber-attack campaigns, often targeting foreign governments, critical infrastructure, and organizations.

Sandworm was implicated in the use of the BlackEnergy malware during cyber-attacks against Ukraine’s energy sector in 2015. The attacks resulted in power outages, affecting thousands of people. The malware was used as part of a broader cyber-espionage campaign targeting Ukrainian government institutions.

One of the most notable incidents attributed to Sandworm is the NotPetya malware attack in 2017. The malware initially targeted Ukraine but quickly spread globally, affecting various organizations and causing widespread disruption. The attack was considered one of the most destructive and costly in history, impacting businesses, government systems, and critical infrastructure.

Sandworm was suspected of orchestrating the Olympic Destroyer malware attack during the 2018 Winter Olympics in Pyeongchang, South Korea. The attack disrupted the opening ceremony and targeted Olympic-related systems. The malware was designed to destroy data and disrupt operations.

Sandworm was also associated with the 2017 ExPetr (or Petya, or NotPetya 2.0) malware, which shared similarities with the earlier NotPetya attack. The malware affected organizations primarily in Ukraine but had global repercussions, affecting multinational companies.


Key Terrain Cyber is dedicated to the professional development of our cyber workforce and information warfare community. We offer all our programs at no cost to readers, including our professional journal, mentorship and fellowship programs, and information warfare memorial. Our team of unpaid volunteers work hard to keep this site running and appreciate any support you are willing to give us.
