
GRU Unit 26165
Russian GRU military intelligence unit; attributed as APT28 operator responsible for 2026 SOHO router DNS-hijacking campaign.
Last refreshed: 17 April 2026
Which GRU unit is behind APT28, and what exactly did they do to home routers in 2026?
Timeline for GRU Unit 26165
Operated DNS hijacking campaign against enterprise Microsoft 365 credentials through compromised home routers
- What is GRU Unit 26165?
- GRU Unit 26165 (85th Main Special Service Centre) is Russia's military intelligence unit attributed by Western agencies as operating APT28/Fancy Bear, responsible for election interference in 2016 and SOHO router DNS hijacking in 2026. Source: NCSC / US DOJ indictment
- How many GRU officers were indicted for the 2016 election hack?
- The US DOJ indicted 12 GRU Unit 26165 officers in July 2018 for their roles in the 2016 US election interference operation, including the DNC and Podesta email exfiltration. Source: US DOJ indictment July 2018
Background
GRU Unit 26165, designated the 85th Main Special Service Centre of Russia's military intelligence directorate, is the organisational entity assessed by NCSC, CISA, and the US Intelligence Community as operating the APT28 threat actor. In April 2026 NCSC published advisory PSA260407, attributing to Unit 26165 a campaign targeting SOHO routers, specifically TP-Link WR841N and MikroTik models, to redirect DNS resolution for Microsoft 365 login endpoints and harvest OAuth tokens.
Unit 26165 was publicly named in the US DOJ indictments of 12 GRU officers in July 2018, covering the 2016 US election interference operation. The unit has since been held responsible for the 2017 Macron campaign breach, the 2018 WADA hack, the 2019-2020 energy-sector targeting campaigns and, in 2022-2023, sustained attacks against Ukrainian government networks and defence supply chains. Its signature is credential theft via phishing, edge-device exploitation and DNS manipulation rather than destructive malware, which it leaves to Unit 74455 (Sandworm).
The April 2026 campaign represents an evolution toward ambient, low-noise collection inside remote-worker home networks. By compromising consumer routers, Unit 26165 intercepts M365 authentication traffic before it crosses any enterprise-monitored perimeter, so the interception never appears in the perimeter telemetry that standard Security Operations Centre (SOC) tooling inspects, making detection by that tooling essentially impossible.