Uncategorized

What is Unit 26165, Russia’s elite military hacking centre?

The four intelligence officers detained by Dutch security services are part of an elite military unit that runs high-risk cyber espionage operations out of a 19th-century barracks in central Moscow.  

Unit 26165 – named by US prosecutors as “GRU 85 Main Special Service Center” – is home to the Russian military’s best mathematical minds and is believed to have run the hacking campaign to influence the 2016 US elections. 

Dutch and British authorities believe the unit was also involved in attempts to hack the investigations into doping of Russian athletes and the shooting down of Malaysian airlines flight MH17. 

"Unit 26165 seems to be quite old, as far as we can tell from the open sources available," said Andrei Soldatov, the author of The Red Web and an expert on Russian cyber operations.  "It has probably existed since the ’70s, and was known as a unit dealing with cryptography."  

The unit is believed to come under the command of the GRU’s sixth directorate – the part of the Russian military intelligence agency that deals with signals intelligence. 

Four GRU officers entered the Netherlands at Amsterdam's Schiphol Airport on April 10Credit:
Dutch Ministry of Defence

Sixth directorate has a broad remit that includes running listening posts, encrypting messages, and attempting to de-crypt enemy communications. 

The unit was first named in the West by a US Grand Jury indictment issued in July, which identified 26165’s commander in 2016 as an officer called Viktor Borisovich Netyshko. 

The current commanding officer is one Dmitry Mikhailov, according to a publicly available online register of federal entities.

The indictment named 11 other officers assigned to 26165 and its sister unit, 74455, which it said were involved in hacking the computers of the Democratic National Committee in order to steal and leak documents damaging to the Hillary Clinton campaign. 

While much of its work was done by hackers working inside Russia, the unit also appears to specialise in overseas operations like the one broken up by Dutch security in April. 

 "We saw that the FSB went to hackers and said ‘work for us or something bad will happen’ – and then found, surprise surprise, that they only had a nominal loyalty to the service," said Mark Galeotti, an expert on Russian intelligence. 

"The GRU does it more mechanically – it talent spots smart young maths and computer science graduates and scours officer training academies and recruits them. They are not expected to be hackers when they are hired."  

The number 26165 refers to the index of Russian military units. The term “GRU 85 Main Special Service Center” has been in use since Soviet times.

A simple Google search puts a unit with the number 26165 at No. 20 Komsomolsky Prospekt, about a mile and a half southwest of the Kremlin. 

Russian hacking centre – locator map

That is the site of the the Khamovnichesky barracks, a sumptuous early 19th-century building that has housed Russian and Soviet military units for over 200 years.  

The complex of buildings also includes a branch of the Russian military university. 

The same address is named by Dutch authorities as the base of operations of the four hackers. The Mueller investigation gave the same address in its July indictment. 

A rear entrance opens on to Nesvizhsky lane, from where  one of the suspects, Aleksei Morenets, took a cab to the airport on the morning he flew to Amsterdam. 

It is also close to the mobile phone masts where two of the recovered phones were first activated.

Leave a Reply

Your email address will not be published. Required fields are marked *