GRU

The GRU (Glavnoye Razvedyvatelnoye Upravleniye, Russia's Main Intelligence Directorate) is Russia's foreign military intelligence agency, responsible for strategic intelligence collection, cyber operations, and active measures abroad. Created in 1918, it operates across signals intelligence (SIGINT), human intelligence (HUMINT), and cyber operations. The GRU's distinguishing characteristic is operational aggressiveness: its units have been attributed with the most disruptive state cyber actions on record, including election interference, Olympic doping-agency hacks, and destructive attacks on Ukrainian critical infrastructure.

In cyber operations, the GRU is most publicly associated with Unit 26165 (APT28/Fancy Bear), responsible for the 2016 US election interference and the April 2026 SOHO-router DNS-hijacking campaign targeting Microsoft 365 credentials. A second unit, Unit 74455 (Sandworm), is responsible for the most destructive cyber operations on record including the 2017 NotPetya malware outbreak. In Ukraine, Sandworm has repeatedly targeted Ukrainian grid infrastructure, causing blackouts in 2015 and 2016. GRU HUMINT networks have been assessed as running proxy infrastructure for Ukrainian military targeting and logistical disruption.

In the Iran conflict, the GRU occupies a parallel but distinct role from Russia's overt diplomatic support. When Araghchi met Putin at the Kremlin on 27 April, Igor Kostyukov — Deputy Chief of the Russian General Staff and the GRU's operational chief — sat in the Kremlin photograph alongside Foreign Minister Lavrov. Kostyukov's presence at a diplomatic reception is unusual; it confirmed the GRU's active role in coordinating the electronic-warfare components and radar systems that RFE/RL reported Ilyushin Il-76 transports were flying into Mehrabad and Bandar Abbas at high tempo. The GRU's Iran footprint extends what has been a sustained Russia-Iran intelligence-sharing relationship since 2022 into active materiel coordination under war conditions.