Disclosure of Russian military units behind hacker attacks and IPSO

5 March 2024 13 minutes Author: Cyber Witcher

The article investigates Russian military units involved in psychological operations (PSYOP) and hacker attacks. In particular, three military units of the Russian Armed Forces are considered, known by their numerical designations: military unit 74455, military unit 26165 and military unit 29155. These units conduct information warfare using various methods, sometimes going beyond mere information tactics.

Let’s start

The study considered three special units of the Armed Forces of the Russian Federation, known under the numbers 74455, 26165 and 29155.

These military units are engaged in information warfare, but use different methods for this, sometimes not informational at all.

  1. The command center is military unit 74455. The center’s military personnel are engaged in cyber operations, including cryptanalysis, development and implementation of IPSO, hacking and theft of important government documents, interference in the election campaigns of members of the United States Congress, and the development and distribution of malware at the level of government agencies.

  2. Military Unit 26165 is engaged in the development and execution of cyberattacks, the creation of malware, including X-Agent, interference in the US election process, and infiltration of the computers of military, political, governmental and non-governmental organizations.

  3. Military unit 29155 has been involved in “physical operations” uncharacteristic of an intelligence unit, including the 2014 bombing of a military compound in the Czech Republic, the attempted poisoning of Bulgarian businessman Gebrev, the attempted assassination of the Skripals in Salisbury, and other sabotage and physical destruction of people and property.

In the course of our research, we studied the structure of these military units, the specifics of their work, the definition of their tasks and ways of achieving the set goals. We also managed to get information about some special forces employees (40 people), which is presented in the following sections.

The structure and subordination of special units of the Armed Forces of the Russian Federation

Scheme of divisions of psychological operations of the Russian Federation

The Russian General Staff/GRU is subordinated to the structural unit of the Operational Coordination Center of Military Command and Control through Main Directorate 12, which deals with information warfare.

Military unit 74445 is called “Tower”, it acts as a center of operational coordination of military administration bodies.

“Tower” is a division of the Center for Special Services, which includes at least seven military units in different regions. All these units are special purpose units that are engaged in the assessment, planning and conducting of intelligence and psychological operations. Thus, units 26165 and 26155 have different specializations, but both have the number 74445 and are subordinate to the main center “Tower”.

Military unit: 74455

Unofficial name – “Tower”. The official address of this military unit is the “Novator” business center, but at the entrance hangs a sign with the inscription “Daily Activities Management Center”. This is the name of the research institute created to coordinate the activities of the military administration. Internal reports identify the center as a hacking group called Fancy Bear. The US intelligence community believes that this hacking group, which includes units 74455 and 26165, was created in 2004.

Military unit 74455 is not included in the list of military units of Moscow and the region, all known physical addresses of the unit are also removed from the list, except for one – Khoroshivsky Shosse, where four military units with other numbers are stationed: 45807, 40273, 61535, 77065.

Known addresses of military unit 74455: Moscow region, Khimki city, Kirova street, 22. However, in the court decision, where military unit 74455 appears, another address is indicated: military town #48/1, Svobody prospect 21/2. The official address is: Khoroshivske shosse, 76.

Known activities of military unit 74455

2018: 12 GRU officers are indicted for meddling in the 2016 US presidential election and the theft of documents stemming from an attack on the internal email of the US Democratic Party. Among the military units that appear in the indictment are military units 74455 and 26165.

2020, first indictment: 6 officers of military unit 74455 were accused by the US of attacking the Olympic Committee and causing $11 billion in damages, of which at least $1 billion was direct damage to the US. The same officers were accused of cyberattacks using the NotPetya virus on energy companies of Ukraine, as well as of trying to obstruct the investigation into the poisoning of the Skripals in Great Britain.

2020, second accusation: in February 2020, the US State Department accused military unit 74455 of conducting a multi-level campaign against Georgia.

2020, third indictment: personnel of military unit 74455 were charged with cyberattacks using the NotPetya virus and Blackout-3 against Ukrainian energy companies, including a power outage in the Ivano-Frankivsk region. Ukraine was the most affected by the NotPetya virus: 10% of government computers, 22 banks, six energy companies, six hospitals and two airports were affected.

2022: In April 2022, Deutsche Welle published information that official London accused 16 FSB offices, unit 74455 and unit 26165 of cyber attacks around the world. The publication contains a link to the official UK government gazette.

Additionally:

  • In April 2022, the information portal Defence.net published information that the US government is ready to pay a reward of up to $10m for the location of 6 Russian hackers serving in military unit 74455 and carrying out attacks with the NotPetya virus.

  • In 2015, the Investigative Committee of the Russian Federation launched an investigation into reserve lieutenant colonel Andriy Nikolenko. In 2015, Nikolenko and his wife Tatyana created a so-called “financial pyramid” from the resale of iPhones and Macbooks, collecting money from servicemen of military unit 74455, which at that time had 17 servicemen and acquaintances of the spouses invested from hundreds of thousands to millions of rubles through the Antey company, which belonged to Nikolenko’s wife, and resold them at a further markup, promising 10% profit within two months. The company did not conduct any economic activity. Nikolenko was arrested in 2017 but released in 2018.

Command of Military Unit 74445 “Tower”

Oleksandr Volodymyrovych Osadchuk (November 17, 1962), commander of military unit 74445 under the name “Tower”

Oleksandr Volodymyrovych Osadchuk (11/17/1962, +79032410466, +79037970357, [email protected], [email protected], passport: 4513023827) – colonel and commander in 2016, specialist in the field of information systems. Originally from the city of Obninsk, Kaluga region. In 1985, he graduated from the Kyiv Higher Engineering Radio-Technical College of Air Defense.

Performs the duties of the General Director of the Main Directorate of Advanced Technological Research and Technical Support of the Ministry of Defense of Russia from September 10, 2021; Head of the Main Department of Innovative Development of the Ministry of Defense of Russia from November 1, 2021; Deputy General Director of the Main Directorate of Innovative Development of the Ministry of Defense of Russia from November 1, 2021. He is engaged in developments related to the implementation of artificial intelligence technologies in the development of weapons and the construction of the security component of state platforms based on artificial intelligence.

Known address: Moscow, Metalurgiv street, building 62, apartment 155, also: Moscow region, Khimki city, Gorshina street building 1, apartment 724.

Probable training centers:

  • the Military Academy of the Ministry of Defense of the Russian Federation, unofficially “Conservatory”, which has a faculty for training officers to work in the 12th department – information technologies;

  • military unit 29155 – 161 training center for the training of intelligence specialists of the GRU.

Known staff and subordination of military unit 74445 “Tower”

The scheme of subordination of employees of military unit 74445, depicted schematically based on the found employees and their ranks

Military unit: 26165

Military unit 26165 is practically the main military unit where Russian hackers work. The unit has the 85th Main Special Purpose Center, which employs cryptographers. In 2020, the head of the GRU, Ihor Kostyukov, came under EU sanctions for a hacker attack on the German parliament. In the past, Kostyukov was also the commander of the 85th Special Purpose Center, which is part of the 26165th military unit, and is associated with the creation of hacker groups APT-28 or Fancy Bear, Sofacy Group, Pawn Storm and Strontium.

Some of Fancy Bear’s activities were previously identified by the cybersecurity company Crowdstrike

In Soviet times, the GRU decoding service, which was engaged in decoding intercepted encrypted messages, was located at the address of the military unit 26155. Georgy Roshka, a GRU officer who is allegedly involved in the hacking of French President Emmanuel Macron’s e-mail, served in unit 26165. It is also mentioned in the investigation of the Russian publication Insider.

The NSA identified unit 26165 as the APT28 or Fancy Bear group, which carried out hacking attacks through a Kubernetes cluster using commercial VPN services (CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN).

Known address of military unit 26165: city of Moscow, Komsomolskyi Lane, 20 (“Khamovnitsky Barracks”).

Known status and subordination of military unit 26165

The scheme of subordination of employees of military unit 26165, depicted conventionally and schematically on the basis of the found employees and their ranks

Activities of military unit 26165

According to the American agency, this military unit is responsible for the attack on the servers of the Democratic Party structures and the mail of members of the campaign staff of the US presidential candidate Hillary Clinton in 2016. The case involves 9 officers of military unit 26165 and 3 officers of military unit 74455.

For these hacking attacks, the GRU paid the hackers in bitcoins. Employees of the special services made payments using tokens purchased on an unnamed crypto-site. Payments were made for the lease of the dcleaks.com domain and the lease of the server registered to the e-mail address [email protected]. A fadel47 account was created to receive payments in bitcoins.

Command of military unit 26165

Yury Leonidovych Shikolenko (April 26, 1979, +79296672304, +79032158814) is the commander of military unit 26165 as of September 2022. In 2012, he graduated from the Moscow State Technical University “MIREA” (Moscow Institute of Radio Engineering, Electronics and Automation). As of 2013, he was not married. In 2016, he obtained the degree of Doctor of Technical Sciences. In 2022, took part in the Cup of Russia in rifle shooting. I did not receive a discharge.

Has or had a BMW X5, released in 2017, VIN Х4ХКТ294600W53078, state number У525ХТ199. Also has or had a Ford Kuga, produced in 2016, VIN Z6FАХХЕСМАС45557, state number А472КН799.

Known address of registration: Moscow Region, Krasnoznamensk, Zhovtneva Street, building 8, apartment 62.

Probable training centers:

  • Morenets graduated from the Mozhaisky Military and Space Academy in 1999;

  • the Military Academy of the Ministry of Defense of the Russian Federation, unofficially “Conservatory”, which has a faculty for training officers for work in the 12th department;

  • military unit 29155 – 161 training center for the training of intelligence specialists of the GRU.

Military unit: 29155

The unit is part of the Special Operations Forces Command, and its headquarters is located in Senezh, north of Moscow. Historically, in the 1960s, military unit 29155 served as a training center for the GRU. Le Monde wrote in 2019 that Unit 29155 had training bases in remote mountainous areas such as Chamonix, France. According to French and British military analysts, military unit 29155 consisted of approximately 20 people.

Known addresses of military unit 29155: legal address – city of Moscow, 11-ta Parkova Street, 38-A, physical address according to the registers – city of Orenburg, 4 Myru Street. The address indicated in the investigation of the Bellingcat group is the headquarters of the GRU on Khorosheevsky highway, building 76.

Activities of military unit 29155

Military unit No. 29155 works with “rough” methods that are not characteristic of intelligence officers. Among their methods are sabotage and murder of persons abroad, and the destruction of large objects by detonation.

Among the unsuccessful operations carried out, experts list:

  • the bombings of military warehouses in Vrbetice, Czech Republic in 2014; the leadership of the sabotage in the Czech Republic is directly attributed to Averyanov;

  • 8 GRU officers are suspected of the attempted poisoning of Bulgarian businessman Omelyan Gebrev in 2015;

  • destabilization of the political situation in Moldova in 2016;

  • attempted pro-Serbian coup in Montenegro in 2016;

  • the Spanish Intelligence Service claimed to have identified agents of military unit 29155 during rallies for Catalan secession in 2017;

  • the attempted poisoning of Sergei Skripal in Salisbury in 2018.

Journalists investigating these incidents believe that military unit 29155 is a base for agents who specialize in operations in Europe. Chepiga, Sergeev and Myshkin were identified in the Czech Republic in 2014 and charged with sabotaging a warehouse, killing two people and causing $47 million worth of damage. They were also spotted near the WADA building in Switzerland in 2016 when they attempted to steal health data from Western athletes for further publicity. In 2016, they were also identified in Great Britain and charged with the attempted murder of Sergei Skripal and Yulia Skripal. Sergei Skripal is a former GRU officer, a colonel who was arrested in Russia on suspicion of spying for Great Britain, and later exchanged for a captured illegal Russian spy. He was pardoned by Russian President Dmitry Medvedev and expelled from Russia. Yulia Skripal is the daughter of Sergei Skripal.

Known status and subordination of military unit 29155

The scheme of subordination of employees of military unit 29155, depicted conventionally and schematically on the basis of the found employees and their ranks

Command of military unit 29155

Oleg Hryhorovych Kushnir (January 21, 1985, [email protected], +79258911366, passport: 6304628497) is the commander of military unit 29155 as of September 2022 (1, 2). Born in Dresden, Germany. He probably studied at the Moscow Higher Combined Military Command School (MVKU) and the Combined Military Academy of the USSR (OAVS).

Known addresses: St. Petersburg city, Neskorenikh avenue, building 2, building A, apartment 452, 440; the city of St. Petersburg, Khlopina Street, building 9, apartment 3 (wife’s address at 2021); city of Moscow, Glovacheva Street, 190 (MVVKU).

The connection of the former commander with the agents

Former commanders Averyanov and Anatoly Chepiga, known as “Ruslan Boshirov”, also appear in the photos and video of Averyanov’s daughter’s wedding. The wedding itself took place in one of the restaurants in the village of Senezh, where the headquarters of the SBU is located. Oleksandr Mishkin should have been one of the invited guests, but he is not in the wedding photos.

Andriy Averyanov walks his daughter down the aisle at the wedding, which was attended by Anatoly Chepiga and his family
Anatoly Chepiga at the wedding of Andriy Averyanov’s daughter

Probable training centers:

  • probably the military unit 29155 itself is the 161 training center for the training of intelligence specialists of the GRU;

  • the military medical academy named after Kirov (Mishkin graduated from it);

  • also, it is likely that the servicemen of military unit 29155 are officers of the SSO, where they are selectively enrolled from the Ryazan Guards Higher Airborne Command School, the Novosibirsk Higher Military Command School, and the Air Defense Military Academy of the Russian Federation named after Marshal of the Soviet Union A.M. Vasylevsky.

Additional locations 74455, 26165, 29155

To determine additional locations, an analysis of the movement of persons likely to be associated with military units was conducted for the period from 2020 to 2022.

Identified locations of military units based on analysis of movement of persons likely to be associated with military units

For further analysis, it was assumed that individuals found at one address were likely to visit other searched addresses, and the number of search results obtained was narrowed down to the number of individuals who were near multiple known addresses. Based on this list, the coordinates of places that were repeated by different persons were found, which could include additional locations of deployment of military units.

  1. 55.758648, 37.627133| 55.75702, 37.62937. Lubyanska Square, nearby are the buildings of the Federal Security Service of the Russian Federation, the Administration of the President of the Russian Federation, the Chamber of Commerce and Industry, and the State and Legal Department of the President of the Russian Federation.

  2. 55.81154, 37.50398| 55.80982, 37.50535| 55.81224, 37.50357. Leningradske Shosse, Sokol district, nearby is military unit 6796 (33rd special purpose unit “Peresvit”).

  3. 55.89472, 37.42886. Leningrad highway, Khimki district, nearby are buildings behind a fence with barbed wire, probably belonging to the rocket and space industry organization NGO named after Lavochkin.

  4. 55.79109, 37.55005| 55.79013, 37.52577| 55.791092, 37.550055| 55.78825, 37.5605. Running area, nearby are buildings behind a fence with barbed wire, probably repair and maintenance shops for electric motors and power equipment that belonged to the “Znamya” machine-building plant.

  5. 55.64203, 37.46665. Teplostansky passage, next to it is the Institute of Criminalistics of the FSB.

The information was taken from Molfar open sources
