
GRU Unit 26165
Russian GRU unit operating APT28; attributed to 2016 election interference and 2026 SOHO router DNS-hijacking campaign.
Last refreshed: 24 June 2026 · Appears in 1 active topic
How is GRU Unit 26165 intercepting credentials before they reach corporate security tools?
Timeline for GRU Unit 26165
Mentioned in: NCSC names FSB Centre 16 over routers
Cybersecurity: Threats and DefencesTriple CVSS-10 Ubiquiti chain hits root
Cybersecurity: Threats and DefencesOperated DNS hijacking campaign against enterprise Microsoft 365 credentials through compromised home routers
Cybersecurity: Threats and Defences: GRU hijacks home routers for M365 loginsWhat is the difference between APT28 and Sandworm?
How did GRU Unit 26165 compromise home routers to steal Microsoft 365 logins?
What is GRU Unit 26165?
Background
GRU Unit 26165, officially designated the 85th Main Special Service Centre of Russia's military intelligence directorate (GRU), is assessed by NCSC, CISA, and the US Intelligence Community as the organisational entity operating the APT28 threat actor (also known as Fancy Bear, Forest Blizzard, and STRONTIUM). In April 2026 NCSC published advisory PSA260407 attributing to Unit 26165 a campaign targeting SOHO routers, specifically TP-Link WR841N and MikroTik models, to redirect DNS resolution for Microsoft 365 login endpoints and harvest OAuth tokens from remote workers. The unit was also referenced in analysis of the June 2026 triple-CVE Ubiquiti UniFi chain as a likely beneficiary of home-network infrastructure compromises given its established SOHO-router collection methodology.
Unit 26165 was publicly named in the US DOJ indictments of 12 GRU officers in July 2018, covering the 2016 US election interference operation including the DNC and Podesta email exfiltrations. It has since been attributed to the 2017 Macron campaign breach, the 2018 WADA hack, the 2019-2020 energy-sector targeting campaigns, and sustained 2022-2023 attacks against Ukrainian government networks and defence supply chains. Its signature is credential theft via phishing, edge-device exploitation, and DNS manipulation rather than destructive malware, which it leaves to Unit 74455 (Sandworm). This same credential-harvesting signature connects its Ukraine-facing operations to its campaigns against Western governments and NATO members.
The April 2026 SOHO-router campaign represents a structural evolution: by compromising consumer routers, Unit 26165 intercepts Microsoft 365 authentication traffic before it crosses any enterprise-monitored perimeter, making detection through standard Security Operations Centre (SOC) tooling essentially impossible. The tactic is consistent with its broader doctrine of ambient, low-noise collection rather than destructive action, and it extends a methodology first documented against Ukrainian targets in 2022 into the home networks of remote workers across NATO member states.