The UK Government sanctioned three units of Russia’s military intelligence agency (GRU), along with 18 of its military intelligence officers. The GRU units named have been involved in a years-long operations, including cyberattacks, disinformation campaigns, and even acts of physical violence.
Among sanctioned entities is Unit 26165, now directly linked to reconnaissance operations aiding the 2022 bombing of the Mariupol Theatre in Ukraine, a brutal attack that killed hundreds of civilians, including children, sheltering from Russian shelling.
Another sanctioned group of GRU operatives is accused of conducting a cyberattack on Yulia Skripal, deploying malware known as X-Agent to target her device in the UK. In 2018, GRU agents used Novichok nerve agent in a failed assassination attempt on Yulia and her ex-spy father Sergei Skripal in an attack referred to as Salisbury poisonings. Sergei Skripal worked as double agent for Britain's MI6 intelligence agency before he was arrested by Russian security officials in 2004 on suspicion of treason. He was then exchanged as part of spy swap between Russia and the West.
British intelligence reports say that Russia has targeted UK media, telecoms, energy infrastructure, and democratic institutions through cyber and information warfare. The operations are described as part of a broader Kremlin strategy to weaken the West while supporting Putin’s illegal war in Ukraine.
Cyber operations, including attacks on Viasat satellite communications, were used to cripple Ukrainian defense capabilities on the eve of Russia’s full-scale invasion in 2022.
In a related move, the UK’s National Cyber Security Centre (NCSC) has publicly attributed the deployment of a sophisticated new malware dubbed ‘AUTHENTIC ANTICS’ to APT28, a threat actor long thought to be a unit of the GRU (Military Unit 26165).
According to NCSC analysts, the malware is designed to infiltrate Microsoft cloud accounts by mimicking legitimate login activity, stealing credentials and OAuth tokens, and exfiltrating user data. The malware sends stolen data from compromised email accounts to GRU-controlled addresses, bypassing detection by avoiding traditional "sent" folders.
APT28, also known as Fancy Bear, has been linked to numerous cyberattacks worldwide, including interference in democratic elections, espionage against NATO allies, and operations supporting Russia’s geopolitical ambitions.
Beyond Europe, the UK has also sanctioned three Russian intelligence-linked leaders of the "African Initiative", a Kremlin-backed propaganda operation in West Africa.
