Understanding Russia's Intelligence Agencies Part 3: The GRU Explained
Introduction
This is the last section of my three-part series explaining Russian intelligence agencies. In part one, we discussed the Federal Security Service (FSB), while in part two, we explained the Foreign Intelligence Service (SVR).
In this article, we cover the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU): its role in supporting Russian military intelligence requirements, its cyber operations, and its geopolitical impact.
Historical Evolution
The GRU traces its origins to 1918, when the Red Army's military intelligence directorate was established during the Russian Civil War that followed the Bolshevik Revolution. Throughout the Soviet period it operated alongside the KGB and its predecessor agencies and focused on collecting military and strategic intelligence, a role it retained after the collapse of the Soviet Union in 1991.
The 2008 Russo-Georgian War exposed the GRU's shortcomings and led to a period of decline. Blamed for poor intelligence during the war, the GRU underwent leadership changes, downsizing, and a reduction in its responsibilities. In response, it reoriented toward aggressive operations such as assassinations, proxy warfare, and cyber operations. These capabilities were on display during the 2014 annexation of Crimea, where GRU intelligence and special forces were central to the operation's success.
Role of the GRU
The GRU is part of the Russian armed forces and is responsible for military intelligence at all levels, including Human Intelligence (HUMINT), Signals Intelligence (SIGINT), and Electronic Intelligence (ELINT). The GRU also commands its own Spetsnaz units, special forces focused on field reconnaissance, raiding, sabotage, and the training of proxy and mercenary units.
Unlike the FSB and the SVR, the GRU is both an intelligence agency and a military organization. Although the GRU and the SVR both collect foreign intelligence, the GRU focuses on military-relevant information and the SVR on political intelligence.
Organizational Structure of the GRU
According to the U.S. Congressional Research Service (CRS), the GRU is divided into 15 directorates: 4 regional and 11 mission-specific. Each directorate contains multiple sub-directorates or individual units. For example, the GRU's cyber capabilities sit within the Sixth Directorate and include Unit 26165 and Unit 74455.
Regional Directorates (4) and Mission-Specific Directorates (11)
- First Directorate: European Union
- Second Directorate: North and South America, United Kingdom, Australia, New Zealand
- Third Directorate: Asia
- Fourth Directorate: Africa
- Fifth Directorate: Operational Intelligence
- Sixth Directorate: Electronic/Signals Intelligence
- Seventh Directorate: NATO
- Eighth Directorate: Spetsnaz
- Ninth Directorate: Military Technology
- Tenth Directorate: Military Economy
- Eleventh Directorate: Strategic Doctrine
- Twelfth Directorate: Information Operations
- Space Intelligence Directorate
- Operational and Technical Directorate
- External Relations Department
Spetsnaz GRU
Spetsnaz GRU are special-purpose units focused on field reconnaissance, sabotage, and direct-action combat missions. They also play a role in creating and managing proxy forces, often made up of organized criminals, warlords, or former rebels. Spetsnaz operators typically act as overseers and trainers, placing these proxy units directly under GRU control. Notable examples include the proxy forces used in the Second Chechen War and the Syrian civil war.
Cyber Operations
The GRU has two specialized cyber units that conduct espionage and sabotage operations based on the Kremlin’s requirements:
Unit 26165 (APT28 / Fancy Bear)
The group is known for targeting Western nations, particularly NATO members, and focuses on infiltrating government institutions and political organizations to gather intelligence, usually beginning with spear-phishing.
- 2015 German Bundestag: a spear-phishing campaign led to the theft of roughly 16 GB of data and a four-day shutdown of the parliament's computer network.
- 2016 Democratic National Committee (DNC): the unit infiltrated the DNC's network and stole over 19,000 emails and 8,000 attachments; their publication caused controversy and resignations within the DNC.
- 2016 World Anti-Doping Agency (WADA): unauthorized access to WADA's systems and the leak of confidential medical records of multiple athletes, in retaliation for the ban on Russian athletes over doping.
Unit 74455 (APT44 / Sandworm)
Infamous for destructive cyberattacks against critical infrastructure, Sandworm has established itself as Moscow's primary cyber sabotage unit. Mandiant has linked the unit to the hacktivist persona "Cyber Army of Russia Reborn", whose Telegram channel is used to publicize the success of Sandworm's attacks and to share leaked data while providing a layer of deniability.
- 2015/2016 Ukraine power grid attacks: the December 2015 attack on distribution companies in western Ukraine was the first known cyberattack to cause a power outage, cutting electricity to roughly 230,000 customers; a follow-up attack in December 2016 used the Industroyer malware against a transmission substation near Kyiv.
- 2017 NotPetya: a wiper disguised as ransomware, seeded through a trojanized update to the Ukrainian M.E.Doc accounting software, which spread worldwide and caused an estimated $10 billion in damages.
- 2018 Pyeongchang Winter Olympics: the "Olympic Destroyer" malware disrupted the Games' IT infrastructure, internet access, and broadcast systems during the opening ceremony, and carried false-flag artifacts designed to point attribution at other states' hacking groups.
Geopolitical Impact
The GRU's attacks on Ukraine's power grid showed that cyberattacks can produce physical effects and psychological pressure on a civilian population, not just data loss. Sandworm's use of hacktivist personas as proxies is a force multiplier and complicates attribution. Hybrid warfare, which combines cyberattacks on infrastructure with conventional military action, is a growing threat.
Conclusion
The GRU's transformation from a traditional military intelligence agency into one with advanced cyber capabilities shows how it has added cyberspace to its existing methods rather than replacing them. This has allowed Russia to project influence and disrupt its adversaries on a global scale.
Although most news coverage of the GRU concerns cyberattacks, it is important to remember that it is primarily a military organization. Its broader mandate allows the GRU to operate more aggressively than its intelligence counterparts.