DEEP DIVE — Few Americans have ever heard of Unit 29155 or 161 Center. For those who have, the names evoke fear and loathing.
Created in 1963 as a headquarters element of the GRU – Russian military intelligence – Unit 29155, also known as 161 Center, is notorious for its old-school brutality. Murders, poisonings, blackmail – the unit’s brand is thug.
Yet today, Unit 29155 is in the FBI’s crosshairs for a new, uncharacteristically cerebral tradecraft: cybercrime.
“Historically they have been responsible for attempted coups, sabotage and influence operations and assassination attempts throughout Europe,” Brett Leatherman, deputy assistant director of the FBI Cyber Division, told The Cipher Brief. “We have seen them shift their posture to conducting offensive cyber operations.”
Unit 29155 is still believed to traffic in violent crime aimed at the Kremlin’s enemies – Russian defectors in particular – but increasingly, its weapon of choice is technology. And it is taking aim at Ukraine, its supporters, NATO, and even U.S. security agencies.
A grisly history
Unit 29155 was established in 1963, according to a report published in February 2024 by the Royal United Services Institute, the U.K.’s leading defense and security think tank. Back then, its ranks included officers adept at collecting human intelligence and others trained in special forces operations. The unit’s first leader, Major General Nikolay Patrakhaltsev, was well-versed in both. Patrakhaltsev started out in special reconnaissance units and, according to the RUSI report, moved on to work in GRU stations in Hungary, Slovenia and Brazil and in the Soviet military mission in Yugoslavia. Patrakhaltsev then headed the 161st Center for the Training of Intelligence Specialists from 1962 to 1968, the period when Unit 29155 emerged.
The unit kept a low profile until the second decade of this century, when it gained a reputation for violent, even lurid acts. Agents from the unit allegedly poisoned Bulgarian arms dealer Emilian Gebrev in 2015 and Russian GRU operative-turned-defector Sergei Skripal and his daughter in Salisbury, England in 2018. All three were dosed with novichok, a military-grade nerve agent developed by the former Soviet Union. They became severely ill but survived.
In 2021, Czech authorities concluded that a pair of explosions at arms warehouses that had killed two Czechs were the work of Unit 29155 saboteurs. That determination led to the expulsion of more than 70 Russian envoys from the Czech Republic, and in May 2024, Czech police posted a wanted notice for Russian general Andrei Averyanov, the former commander of Unit 29155. The Czech investigation led Bulgarian prosecutors to launch their own inquiry into Unit 29155 over unexplained explosions at several Bulgarian ammunition depots.
The GRU unit has also been blamed for an attempted coup in Montenegro in 2016, a destabilization campaign in Moldova in 2023, and – most recently – the attacks against U.S. diplomats, intelligence officers and soldiers with acoustic or electromagnetic weapons that led to debilitating symptoms now known as “Havana Syndrome.”
Last May The Cipher Brief spoke with respected investigative journalists and a former senior CIA officer who alleged that members of Unit 29155 were behind the Havana Syndrome attacks. Congress is investigating a possible Russian connection.
From assassins to “geeks”
For some years, Unit 29155 likely used computers much as other intelligence groups did – for the relatively passive activities involved in collecting, storing and analyzing data. Around 2020, U.S. and U.K. officials say, Unit 29155 pivoted. It began recruiting more tech-savvy operatives and developing a powerful new tradecraft: creating and deploying cyber weapons that can obliterate crucial data, disrupt chip-driven critical systems, and wreak havoc on government and civilian infrastructure.
This offensive capability showed up in Ukraine in January 2022, when the Microsoft Threat Intelligence Center, which works closely with federal intelligence and cybersecurity agencies, determined that malware known as WhisperGate, designed to destroy vital systems, was being used to target organizations in Ukraine.
By June 2023, investigators from Microsoft, the FBI, the Cybersecurity and Infrastructure Security Agency and partners in the cybersecurity community had determined that WhisperGate malware had been unleashed by a new “threat actor” associated with the GRU.
But who? The investigators believed it wasn’t a GRU or FSB unit known for previous hacks; this outfit behaved differently. For one thing, the new player was obviously skilled at malicious hacking and at remaining unknown and undetected, which made it especially dangerous.
“The emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” Microsoft said in an advisory to industry. It gave the threat actor a code name – “Cadet Blizzard” – but the names of GRU officers involved in the attacks remained elusive.
FBI agents kept working the case, grinding through fragmentary clues until a picture began to emerge. The agents got the name of a young hacker, Amin Timovich Stigal, born in Grozny, Chechnya, in 2002, and followed his digital trail to a surprising place – the United States. Armed with search warrants, the agents discovered that Stigal had set up five accounts with an American company that offered a messaging and voice-over-Internet Protocol (VoIP) communications platform. Stigal was using those accounts to send WhisperGate malware to computers used by businesses and government offices in Ukraine. Stigal and other unnamed co-conspirators had allegedly hacked Ukrainian systems to steal medical, driver’s license and criminal records, then posted notices on Ukrainian websites that said, “Ukrainians! All information about you has become public, be afraid and expect the worst.” Such threats were aimed at shaking Ukrainians’ faith in their government, at the moment when Russian forces were poised to invade.
Other Russian hacks appeared aimed at convincing Europeans that Kyiv was unreliable and unworthy of the aid it would need to defend itself in a war with Russia.
All this went into a June 2024 U.S. indictment of Stigal. Next, FBI agents went after Stigal’s confederates, and there they made a shocking discovery: Stigal was working for the GRU’s notorious Unit 29155. Clearly, the unit had set up a squad of cyber warriors that brazenly used American companies, witting or unwitting, as fronts. But the fronts weren’t good enough; bit by bit, the FBI agents figured out the true names of the GRU cyber warriors.
An edge over their predecessors
Unit 29155’s new geek warriors do most of their work without ever leaving their desks, hunting and reaching their targets via the Internet. They enjoy a clear advantage over old-school practitioners of what the Russians used to call “active measures” – provocateurs, saboteurs, spies and assassins who had to get on boats, trains and airplanes, show fake passports and other skillfully forged credentials, and risk getting followed, photographed, intercepted and possibly detained.
“It's very difficult in today's environment to place intelligence officers abroad and to hide their activity,” Leatherman said. “But it is not difficult to sit in Moscow and to conduct espionage operations, without ever having to leave your seat within your government agency. Gaining persistent access to foreign devices and networks allows them to collect intelligence valuable to the regime.” For that reason, Leatherman said, “all units within GRU are shifting their mindset to cyber operations…The [GRU] mentality is, offensive cyber weapons have tremendous benefit at very low cost.” The GRU’s civilian counterparts – the Foreign Intelligence Service, SVR, and the FSB, Russia’s Federal Security Service – are also transitioning rapidly from physical to cyber operations.
This shift in Russia, and similar moves in China and Iran, have caused the FBI to expand its Cyber Division, created in 2002, and to network intensely with other U.S. and allied law enforcement and intelligence agencies.
“Cyber transcends everything now,” Leatherman said, “whether it's criminal investigations, counter-intelligence investigations or counterterrorism investigations.”
Advantage, U.S. law enforcement?
As the FBI agents found, the Russians’ cyber operations have at least one weakness U.S. agencies are learning to exploit: The Russians like to do their dirty work on the American cloud. When they’re trying to hack potential victim companies and government agencies, they find they’re more successful if they route their approaches through U.S.-based internet service providers and cloud servers.
“They are using U.S.-based infrastructure to conduct their cyber operations,” Leatherman said. “They're using U.S. cloud-based infrastructure because it’s trusted across the globe, much more trusted than Russian infrastructure. So they're leveraging the trust that U.S. technical infrastructure has, in order to increase the scope and impact of their cyber targeting.”
The FBI and its partners discovered that GRU hackers were able to prey on American companies or government agencies that use older hardware, so-called “end-of-life edge devices,” to connect their internal networks to the Internet. An edge device sits at the perimeter of an organization’s network, routes incoming and outgoing traffic, and filters out data that shouldn’t pass its gateway. As The Cipher Brief has reported, edge devices kept in place beyond their useful lives are no longer updated with new security patches. That leaves them vulnerable to intruders, like a house with broken windows and busted door locks. The FBI and its partners found that Unit 29155 hackers were seeking out the old edge devices, so they could penetrate them and then pivot to connect with another U.S. or NATO network.
A compromised edge device “provides a pathway for actors to obfuscate their malicious activity and target others from those devices,” Leatherman said, in this case by creating a spoof that made it appear that a communication was coming from a U.S. network instead of a foreign one. A network contacted by a compromised edge device could give up secrets before its administrators realized their system was talking to a Russian foe masquerading as an American friend. GRU cyber spies could also collect sensitive transmissions traveling through a leaky old edge device.
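The two risks just described, an unpatched device past its support date and a perimeter box that quietly starts opening connections inward, are both things a defender can check for in inventory and flow data. The script below is an added example, not code from the article or from any agency or vendor it mentions; the inventory records, the end-of-support dates and the flow lines are constructed for illustration, and the internal address ranges and 'internet_facing' field are assumptions about how an organization might label its own assets. It first lists internet-facing edge devices whose vendor support has ended, then learns which internal hosts each edge device normally talks to and flags connections to internal hosts it has never contacted before, the pattern a pivot through a compromised edge device would produce.

```python
"""Defender-side checks for end-of-life edge devices and edge-to-internal pivots.

All data below is constructed for the example; nothing here is real inventory
or real traffic.
"""
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Constructed asset inventory. 'eos' is the vendor end-of-support date, after
# which the device no longer receives security patches (assumed field names).
INVENTORY = [
    {"name": "fw-edge-1",  "ip": "10.0.0.1", "role": "edge", "internet_facing": True,  "eos": "2022-06-30"},
    {"name": "vpn-edge-2", "ip": "10.0.0.2", "role": "edge", "internet_facing": True,  "eos": "2027-01-01"},
    {"name": "sw-core-1",  "ip": "10.0.1.1", "role": "core", "internet_facing": False, "eos": "2021-12-31"},
]

# Assumed internal address space (RFC 1918 ranges).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed NetFlow-style records: "timestamp src dst dport".
FLOWS = """\
2024-09-01T10:00:00 10.0.0.1 10.0.5.10 443
2024-09-01T10:05:00 10.0.0.1 10.0.5.10 443
2024-09-02T09:00:00 10.0.0.2 10.0.5.11 443
2024-09-10T03:12:00 10.0.0.1 10.0.7.20 445
2024-09-10T03:13:00 10.0.0.1 10.0.7.21 3389
2024-09-10T03:14:00 10.0.0.1 203.0.113.5 443
"""


def end_of_life_edge_devices(inventory, today):
    """Names of internet-facing edge devices whose support ended before `today`.

    These are the perimeter boxes that no longer get patches and therefore
    deserve replacement or isolation first.
    """
    return [
        d["name"]
        for d in inventory
        if d["role"] == "edge"
        and d["internet_facing"]
        and date.fromisoformat(d["eos"]) < today
    ]


def parse_flows(text):
    """Parse the whitespace-separated flow lines into typed tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)))
    return rows


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def new_internal_destinations(flows, edge_ips, baseline_end):
    """Flag edge devices contacting internal hosts outside their learned baseline.

    Flows before `baseline_end` teach which internal destinations each edge
    device normally reaches; later flows to any other internal host are
    returned as alerts. Outbound flows to external addresses are ignored here,
    since the concern is lateral movement from the perimeter inward.
    """
    edge = {ip_address(i) for i in edge_ips}
    baseline = {}  # edge src -> set of internal dsts seen during learning
    for ts, src, dst, _ in flows:
        if src in edge and is_internal(dst) and ts < baseline_end:
            baseline.setdefault(src, set()).add(dst)

    alerts = []
    for ts, src, dst, dport in flows:
        if src in edge and is_internal(dst) and ts >= baseline_end:
            if dst not in baseline.get(src, set()):
                alerts.append({"time": ts.isoformat(), "edge": str(src), "dst": str(dst), "dport": dport})
    return alerts


if __name__ == "__main__":
    today = date(2024, 9, 1)
    print("Unsupported internet-facing edge devices:", end_of_life_edge_devices(INVENTORY, today))
    edge_ips = [d["ip"] for d in INVENTORY if d["role"] == "edge"]
    for a in new_internal_destinations(parse_flows(FLOWS), edge_ips, datetime(2024, 9, 5)):
        print("ALERT edge device reaching new internal host:", a)
```

In the constructed data, the core switch is also past support but is not flagged by the first check, because the point of that check is the internet-facing perimeter; a fuller inventory review would list it separately. The baseline approach is deliberately simple: in practice the learning window should be long enough to cover routine management traffic, and alerts on SMB or RDP ports from a perimeter device merit faster triage than alerts on ordinary web ports.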
The GRU’s preference for American companies and cloud servers has afforded the FBI a major advantage: agents can swear out search warrants, gain access to company records and follow digital trails to other U.S. companies and to companies and government agencies in allied nations.
It was just such an opportunity that allowed the FBI to penetrate Unit 29155’s cyber team. Investigating the WhisperGate case, FBI agents figured out the true names of the GRU officers who had worked with Stigal, the hacker, and charged five of them with crimes in a federal indictment unsealed earlier this month. The indictment also charged that in 2021 and 2022, the Unit 29155 team probed protected computer systems associated with 26 NATO members and a U.S. agency in Maryland, presumably the U.S. Cyber Command or the National Security Agency, which are both based at Fort Meade, Maryland. Armed with this information, the State Department has posted $10 million rewards for each member of the GRU team, $60 million in all.
Fears of more to come
Unit 29155’s malicious cyber activities are currently the target of Operation Toy Soldier, an international initiative marshaled by the FBI, NSA and Cybersecurity and Infrastructure Security Agency, together with the governments of nine countries – the U.K., Germany, the Netherlands, the Czech Republic, Estonia, Latvia, Canada, Australia and Ukraine.
It's an impressive alliance, but no one claims Toy Soldier or any other measure will stop Russia from wreaking havoc wherever it can.
“We are doing this over and over again,” says the FBI’s Leatherman. “They continue to pressure us with various cyber operations. And we continue to pressure them through these enforcement operations. We also want to help the private sector understand that they have a key role in this fight…to help to deter the actors.”
General Averyanov, who commanded Unit 29155 during the Czech explosions and Gebrev and Skripal poisonings, is now deputy head of the GRU and responsible for all unconventional Russian military operations except those in Ukraine. The U.K.’s Royal United Services Institute reported last February that many members of Unit 29155 have followed Averyanov to the service headquarters to plan and manage operational activities.
Averyanov's ascension suggests that more episodes of GRU-generated violence may be in the works. In 2019, Radio Free Europe/Radio Liberty and the research group Bellingcat unearthed what may be the most chilling wedding photos ever made. Averyanov was depicted escorting his lace-and-tulle-bedecked daughter at her 2017 nuptials, past a bearded guest with an expensive watch, raising a celebratory glass of wine. That guest was identified as Col. Anatoly Chepiga, one of two GRU officers who would be indicted in Britain for the attack on the Skripals in Salisbury. The wedding photo was later seen as evidence that Averyanov and Unit 29155 had embraced the fame they achieved with the attack on the Skripals, even though they had failed to kill their targets.
“They’re not doing this completely behind the scenes,” former U.S. Ambassador to Russia John Sullivan told The Cipher Brief. “Putin honored the GRU officers involved [in the Salisbury poisonings]. It’s a badge of honor for them.” With Averyanov in ascendance, the operators of Unit 29155 are likely to be bolder, more free-wheeling and more dangerous than ever – thugs and geeks alike.