Updated February 2, 2022
Russian Cyber Units
Russia has deployed sophisticated cyber capabilities to conduct disinformation, propaganda, espionage, and destructive cyberattacks globally. To conduct these operations, Russia maintains numerous units that are overseen by various security and intelligence agencies. Russia’s security agencies compete with each other and often conduct similar operations on the same targets, making specific attribution and motivation assessments difficult. The U.S. government has indicted and imposed sanctions on Russian security personnel and agents for various cyberattacks. Congress may be interested in Russian agencies, units, and their attributes to better understand why and how Russia conducts cyber operations.

Early Russian Cyber Operations

According to media and government reports, Russia’s initial cyber operations primarily consisted of Distributed Denial of Service (DDoS) attacks and often relied on the co-optation or recruitment of criminal and civilian hackers. In 2007, Estonia was the target of a large-scale cyberattack, which most observers blamed on Russia. Estonian targets ranged from online banking and media outlets to government websites and email services.

Russia again employed DDoS attacks during its 2008 war with Georgia. Although Russia denied responsibility, Georgia was the victim of a large-scale cyberattack that corresponded with Russian military actions. Analysts identified 54 potential targets (e.g., government, financial, and media outlets), including the National Bank of Georgia, which suspended all electronic operations for 12 days.

Russian Security and Intelligence Agencies

Over the past 20 years, Russia has increased its personnel, capabilities, and capacity to undertake a wide range of cyber operations. No single Russian security or intelligence agency has sole responsibility for cyber operations. Observers note that this framework contributes to competition among the agencies for resources, personnel, and influence, and some analysts cite it as a possible reason for Russian cyber units conducting similar operations, without any apparent awareness of each other.

Military Intelligence

The Main Directorate of the General Staff, commonly referred to as the GRU, is Russia’s military intelligence agency. The GRU has been implicated in some of Russia’s most notorious and damaging cyber operations. Media reporting and U.S. government indictments identify two primary GRU cyber units. The U.S. Department of Justice (DOJ) has charged personnel from both units for actions ranging from election interference in the 2016 U.S. presidential election to multiple damaging cyberattacks. The units’ public profile underlines a high operational tempo. The GRU reportedly also controls several research institutes that help develop hacking tools and malware. Observers have noted an apparent willingness by GRU cyber units to conduct brazen and aggressive operations, sometimes with questionable levels of operational security and secrecy. Cyber analysts have referred to these units collectively as APT (Advanced Persistent Threat) 28, Fancy Bear, Voodoo Bear, Sandworm, and Tsar Team.

Unit 26165: Unit 26165 is one of two Russian cyber groups identified by the U.S. government as responsible for hacking the Democratic Congressional Campaign Committee, Democratic National Committee, and presidential campaign of Hillary Clinton. Media and Western governments also have linked Unit 26165 to cyber operations against numerous political, government, and private sector targets in the United States and Europe.

Unit 74455: Unit 74455 has been linked to some of Russia’s most brazen and damaging cyberattacks. The U.S. government identified Unit 74455 as responsible for the coordinated release of stolen emails and documents during the 2016 U.S. presidential election. As opposed to primarily focusing on penetrating systems and collecting information, Unit 74455 appears to have significant offensive cyber capabilities. In October 2020, DOJ indicted members of GRU Unit 74455 for numerous cyberattacks, including the 2017 NotPetya malware attack. In June 2017, malware was deployed against numerous targets in Ukraine. The malware soon spread globally, causing significant damage to countries and businesses beyond Ukraine.

Unit 54777: This unit, also known as the 72nd Special Service Center, reportedly is responsible for the GRU’s psychological operations. This includes online disinformation and information operations.

Foreign Intelligence Service

The Foreign Intelligence Service (SVR) is Russia’s primary civilian foreign intelligence service. It is responsible for the collection of foreign intelligence using human, signals, electronic, and cyber methods. Most observers acknowledge the SVR operates with a strong emphasis on maintaining secrecy and avoiding detection. Most cyber operations reportedly linked to the SVR have focused on collecting intelligence. The SVR also is known to have high levels of technical expertise, often seeking to gain and retain access inside compromised networks. Cyber analysts have referred to SVR hackers as APT 29, Cozy Bear, and the Dukes.

Analysts and observers have recognized the SVR as highly capable and professional. In contrast to GRU cyber units, the SVR appears focused on collecting intelligence and remaining undetected once it gains access to targeted networks. The U.S. government identified the SVR as one of two Russian cyber units responsible for hacking into political campaigns during the 2016 U.S. presidential election. Despite the focus on operating clandestinely, in 2018, a Dutch newspaper reported that Dutch intelligence compromised the SVR’s infrastructure and provided crucial information to the U.S. government. Private cybersecurity firms noted that the SVR subsequently decreased its activity. More recently, however, SVR activity reportedly has increased, and the unit has been linked to numerous cyberespionage operations. For example, in April 2021, the U.S. government identified APT 29 as responsible for the SolarWinds attack that exploited supply chain vulnerabilities to infiltrate U.S. government and private sector networks. In a cybersecurity advisory alert, the U.S. government noted APT 29 will “continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks.”

Federal Security Service

The Federal Security Service (FSB) is Russia’s primary domestic security agency responsible for internal security and counterintelligence. Its missions include protecting Russia from foreign cyber operations and monitoring domestic criminal hackers, a mission jointly undertaken with Department K of the Ministry of Internal Affairs. In recent years, the FSB has expanded its mission to include foreign intelligence collection and offensive cyber operations. Cyber analysts have referred to FSB hackers as Berserk Bear, Energetic Bear, Gamaredon, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

The FSB reportedly has two primary centers overseeing its information security and cyber operations. The first is the 16th Center, which houses most of the FSB’s signals intelligence capabilities. The FSB also includes the 18th Center for Information Security, which oversees domestic operations and security but conducts foreign operations as well. The U.S. government indicted 18th Center FSB officers in 2017 for breaching Yahoo and millions of email accounts. In 2021, Ukrainian intelligence released information and recordings of 18th Center FSB officers based in Crimea as part of the “Gamaredon” hacking group.

Media reporting indicates FSB units are capable of manufacturing their own advanced malware tools and have been documented manipulating exposed malware to mimic other hacking teams and conceal their activities. Reporting indicates the FSB oversees training and research institutes, which directly support the FSB’s cyber mission.

One FSB team reportedly focuses on penetrating infrastructure and energy sector targets. Most operations linked to this team appear to be reconnaissance or clandestine surveillance. The targeting of the energy sector has raised concern within the U.S. government. The Department of Homeland Security and the Federal Bureau of Investigation have documented the unit’s reconnaissance and noted the possibility of inserting malware to cause future damage in an attack. The U.S. government also has linked the unit to attempts to penetrate state and local government networks in 2020.

Media reporting has documented close connections between the FSB and criminal and civilian hackers, which the FSB reportedly uses to augment and staff its cyber units. DOJ has indicted multiple Russian hackers for a variety of criminal and state-sponsored cyber activities. Many of these indictments describe the close relationship between criminal hackers and the FSB.

Federal Protective Service

The Federal Protective Service (FSO) is responsible for the physical and electronic security of the government and government personnel. As such, it has extensive signals and electronic capabilities to ensure the security of Russian government communications. The FSO appears primarily concerned with the defense of Russian government networks, and there is no indication it has launched offensive operations.

Internet Research Agency

The Internet Research Agency is a private organization, funded by Kremlin-connected oligarch Yevgeniy Prigozhin, which has supported Russian government disinformation and propaganda operations. Often referred to as a troll farm or troll factory, this group has focused on disinformation by impersonating domestic activists and people, primarily through various social media channels. In 2018, the U.S. government indicted the Internet Research Agency and its personnel for efforts to sow discord and influence the U.S. political system, including during the 2016 presidential election.

Russian Cyber Weaknesses

Russia faces significant challenges in cyber operations, despite its capabilities and high operational tempo. Many of these challenges are not unique to Russia but still present hurdles to further growth of Russia’s cyber operations.

Like other government agencies, Russian security services face challenges recruiting qualified personnel. Private-sector opportunities and rival agencies compete for talent. As noted, this often causes Russian security services to outsource operations to civilian and criminal hackers.

Russia’s security services also are known for high levels of corruption. Russian security and intelligence agents have been unmasked and identified through information often reportedly sold by corrupt security officers. In 2020, media outlets identified the FSB agents reportedly responsible for the assassination attempt of Russian opposition figure Alexei Navalny from purchased data.

For more information see CRS Report R45415, U.S. Sanctions on Russia, coordinated by Cory Welt; CRS Report R46616, Russian Military Intelligence: Background and Issues for Congress, by Andrew S. Bowen.

Andrew S. Bowen, Analyst in Russian and European Affairs
IF11718
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11718 · VERSION 3 · UPDATED