(Cyber) GRU (VII): Structure. Unit 26165

Unit 26165 (85th Special Service Center) is located at number 20 of Komsomolskiy Prospekt. Also, at this same address is the Military Unit 06410 (152nd Training Center) with Koval NIKOLAY NESTEROVICH in command, which was created on 08/27/1943. Apparently, this second Unit is not related to the cyber field from a technical point of view, according to available information in public sources such as articles or theses related to military education, psychology, etc.

In the Soviet era, the GRU Service of Decryption was located at number 20 of the Komsomolskiy Avenue in Moscow, to which we have already referred, intimately related to the Sixth Directorate (SIGINT) but not dependent on it. In fact, that historical Service of Decryption is apparently the very Unit 26165, created on May 23, 1953 according to open sources. Apparently, there is public information that confirms its existence at least in 1958, such as the medal commemorating the 60th anniversary of the Unit shown below:

The attached “rationalization proposal” also shows activity of this Unit in the 70s of the last century:

The concept of “Rationalization Proposal” in the former Soviet Union referred to technical concepts that were innovative and useful for an organization because they involved a change in designs, technologies, machinery, materials, etc. If the proposal was accepted after an evaluation, the author was provided with a certificate such as the previous annex for intellectual property purposes.

Until early 2018, the Chief Colonel of the Unit was Viktor BORISOVICH NETYKSHO. Part of the information on military units is public in Russia, for instance, in RusProfile, a website where information on Russian legal entities and businessmen is collected, we can get access to the open information about Unit 26165, such as its founding date to which we have already made reference. According to this website, since January 2018, the current Commander is Colonel Dmitry ALEXANDROVICH MIKHAILOV.

Unit 26165 is in charge of the CNE and CNA activities related to the actions identified during 2018. This unit is a technical one, of attack and exploitation, which develops offensive tools and capabilities and also executes operations using these same capabilities, through two distinct groups:
On the one hand, the accusation of Robert Mueller identifies an operative group in relation to Unit 26165, commanded by ANTONOV, which is in charge of executing the attacks -intrusion, persistence, etc-.
On the other hand, a support and development group, commanded by MORGACHEV, which is responsible for providing infrastructure and tools to the former.

The structure defined in the indictment is the following:

The Dutch accusations add Aleksei SERGEYEVICH MORENETS and Evgenii MIKHAYLOVICH SEREBRIAKOV as members of the Unit. Both, together with agents of the Unit 22177 were intercepted in The Hague. It wasn’t established to which of the previous groups they belonged, although apparently, by the type of activity they were developing, they would be under the command of ANTONOV.

With the information gathered during 2018, we can put face – and name, and employment … – to alleged members of APT28. When different reports were related to the hours of compilation of the malware during working hours in Moscow and St. Petersburg, we could imagine MORGACHEV and his group, whereas when campaigns were identified against different objectives, ANTONOV and his people came into play.

Of course, the structure and previous identities are partial: Unit 26165 is much more complex and extensive than what we saw in 2018.

See also in: