
GRU

Russian military intelligence service; the APT28 Microsoft 365 credential-theft campaign is attributed to GRU Unit 26165.

Last refreshed: 17 April 2026

Key Question

How has the GRU shifted from headline hacks to quiet credential harvesting of office workers?

Common Questions
What is the GRU and why is it in the news?
The GRU is Russia's military intelligence agency. In April 2026, a campaign using home routers to harvest Microsoft 365 credentials from remote workers was attributed to its Unit 26165 (APT28). Source: NCSC Advisory PSA260407
What is the difference between the GRU and the FSB?
The GRU is Russia's military intelligence service, focusing on foreign operations, including cyber attacks on elections and critical national infrastructure (CNI). The FSB is Russia's domestic intelligence service, which also runs cyber operations against civil-society targets via its Star Blizzard unit. Source: NCSC / CISA
What cyber attacks has the GRU carried out?
GRU Unit 26165 (APT28) conducted the 2016 DNC hack, the 2018 WADA breach and the 2026 M365 router campaign. Unit 74455 (Sandworm) caused the 2017 NotPetya outbreak and multiple Ukrainian power-grid attacks. Source: US DOJ indictments / NCSC

Background

The GRU (Glavnoye Razvedyvatelnoye Upravleniye, Russia's Main Intelligence Directorate) is Russia's foreign military intelligence agency, responsible for strategic intelligence collection, cyber operations and active measures abroad. In cyber operations, the GRU is most publicly associated with Unit 26165 (APT28/Fancy Bear), responsible for the 2016 US election interference and the April 2026 SOHO-router DNS-hijacking campaign targeting Microsoft 365 credentials. A second GRU unit, Unit 74455 (Sandworm), is responsible for the most destructive cyber operations on record, including the 2017 NotPetya malware outbreak.

The GRU was created in 1918. It operates across signals intelligence (SIGINT), human intelligence (HUMINT), and cyber operations. Its cyber directorate works in parallel with the FSB's cyber arm (Star Blizzard, Cozy Bear/APT29) and the SVR, Russia's foreign intelligence service. The GRU's distinguishing characteristic is operational aggressiveness: the most disruptive state cyber actions have been attributed to its units, including election interference, Olympic doping-agency hacks, and destructive attacks on Ukrainian critical infrastructure.

The April 2026 NCSC advisory placing Unit 26165 behind a SOHO-router credential-harvesting campaign against M365 users is notable for its operational detail. The GRU's targeting has evolved from high-profile national-security targets (government, elections) toward sustained, lower-noise intelligence collection against the commercial workforce, particularly remote workers whose home-network security posture is well below the enterprise baseline.