Skip to content
You can now search across every topic, entity and event.What's new
GRU Unit 26165
Armed GroupRU

GRU Unit 26165

Russian GRU unit operating APT28; attributed to 2016 election interference and 2026 SOHO router DNS-hijacking campaign.

Last refreshed: 24 June 2026 · Appears in 1 active topic

Key Question

How is GRU Unit 26165 intercepting credentials before they reach corporate security tools?

Timeline for GRU Unit 26165

#109 Jul

Mentioned in: NCSC names FSB Centre 16 over routers

Cybersecurity: Threats and Defences
#823 Jun

Triple CVSS-10 Ubiquiti chain hits root

Cybersecurity: Threats and Defences
#17 Apr

Operated DNS hijacking campaign against enterprise Microsoft 365 credentials through compromised home routers

Cybersecurity: Threats and Defences: GRU hijacks home routers for M365 logins
View full timeline →
Common Questions
What is the difference between APT28 and Sandworm?
APT28 (GRU Unit 26165) specialises in credential theft, phishing, edge-device exploitation, and DNS manipulation for intelligence collection. Sandworm (GRU Unit 74455) conducts destructive attacks, including the 2017 NotPetya malware and attacks on Ukrainian power infrastructure. They are separate GRU units with distinct operational mandates.Source: NCSC / US intelligence community attribution
How did GRU Unit 26165 compromise home routers to steal Microsoft 365 logins?
NCSC's April 2026 advisory attributed a campaign to Unit 26165 in which TP-Link WR841N and MikroTik consumer routers were compromised to redirect DNS for Microsoft 365 login endpoints, intercepting OAuth tokens from remote workers before the traffic reached any enterprise-monitored perimeter.Source: NCSC PSA260407, April 2026
What is GRU Unit 26165?
GRU Unit 26165 (85th Main Special Service Centre) is Russia's military intelligence unit attributed by Western agencies as operating APT28/Fancy Bear, responsible for 2016 US election interference and, in 2026, a SOHO router DNS-hijacking campaign targeting Microsoft 365 credentials across NATO member states.Source: NCSC PSA260407 / US DOJ indictment

Background

GRU Unit 26165, officially designated the 85th Main Special Service Centre of Russia's military intelligence directorate (GRU), is assessed by NCSC, CISA, and the US Intelligence Community as the organisational entity operating the APT28 threat actor (also known as Fancy Bear, Forest Blizzard, and STRONTIUM). In April 2026 NCSC published advisory PSA260407 attributing to Unit 26165 a campaign targeting SOHO routers, specifically TP-Link WR841N and MikroTik models, to redirect DNS resolution for Microsoft 365 login endpoints and harvest OAuth tokens from remote workers. The unit was also referenced in analysis of the June 2026 triple-CVE Ubiquiti UniFi chain as a likely beneficiary of home-network infrastructure compromises given its established SOHO-router collection methodology.

Unit 26165 was publicly named in the US DOJ indictments of 12 GRU officers in July 2018, covering the 2016 US election interference operation including the DNC and Podesta email exfiltrations. It has since been attributed to the 2017 Macron campaign breach, the 2018 WADA hack, the 2019-2020 energy-sector targeting campaigns, and sustained 2022-2023 attacks against Ukrainian government networks and defence supply chains. Its signature is credential theft via phishing, edge-device exploitation, and DNS manipulation rather than destructive malware, which it leaves to Unit 74455 (Sandworm). This same credential-harvesting signature connects its Ukraine-facing operations to its campaigns against Western governments and NATO members.

The April 2026 SOHO-router campaign represents a structural evolution: by compromising consumer routers, Unit 26165 intercepts Microsoft 365 authentication traffic before it crosses any enterprise-monitored perimeter, making detection through standard Security Operations Centre (SOC) tooling essentially impossible. The tactic is consistent with its broader doctrine of ambient, low-noise collection rather than destructive action, and it extends a methodology first documented against Ukrainian targets in 2022 into the home networks of remote workers across NATO member states.

More questions
How many GRU officers were indicted for the 2016 election interference?
The US Department of Justice indicted 12 GRU Unit 26165 officers in July 2018 for the 2016 US election interference operation, including the exfiltration of DNC and Podesta emails.Source: US DOJ indictment, July 2018
Source Material