Main Directorate of the General Staff of the Armed Forces of the Russian Federation
Overview
The GRU — Glavnoye Razvedyvatelnoye Upravleniye — is Russia's largest foreign intelligence agency by personnel and operational scope, functioning as the military intelligence arm of the Russian Armed Forces' General Staff. Unlike the SVR (foreign political intelligence) or FSB (domestic security), the GRU combines human intelligence (HUMINT), signals intelligence (SIGINT), cyber operations, and special forces under a single military command structure. With an estimated 36,000 personnel including roughly 25,000 Spetsnaz operators across multiple brigades, the GRU maintains the most kinetic capability of any Russian intelligence service. Since Russia's deepening strategic partnership with Iran following the 2022 Ukraine invasion, the GRU has become a critical node in the Iran axis intelligence ecosystem — facilitating technology transfers for drone and electronic warfare systems, sharing satellite reconnaissance data, and coordinating signals intelligence collection against Coalition forces in the Middle East. The GRU operates under a culture of aggressive risk-taking that distinguishes it from more cautious intelligence services, a trait that has produced both spectacular operational successes and catastrophic exposure events. Its cyber units — particularly Unit 74455 (Sandworm) and Unit 26165 (Fancy Bear) — are among the most capable state-sponsored hacking organisations globally, responsible for destructive attacks on critical infrastructure across multiple continents.
History
The GRU traces its lineage to the Registration Directorate (Registrupravl) established by Leon Trotsky in October 1918 to coordinate military intelligence during the Russian Civil War. It was formally reorganised as the GRU in 1942 under the pressure of the Great Patriotic War, when Stalin demanded a dedicated military intelligence apparatus independent of the NKVD's political intelligence machinery. Throughout the Cold War, the GRU ran extensive agent networks across NATO countries, with its most famous asset — Colonel Oleg Penkovsky — ironically becoming the West's most valuable Soviet spy before his arrest and execution in 1963. The GRU's Spetsnaz units conducted covert operations in Afghanistan (1979–1989), Chechnya (1994–2009), and Georgia (2008), and played a decisive role in the seizure of Crimea in 2014 using unmarked 'little green men.' The organisation suffered its worst modern exposure in 2018, when British and Dutch intelligence publicly identified GRU officers from Unit 29155 as responsible for the Salisbury nerve agent attack on Sergei Skripal, and Unit 26165 operatives were caught attempting to hack the OPCW in The Hague. The 2022 Ukraine invasion saw the GRU's Spetsnaz sustain heavy casualties in failed decapitation strikes against Kyiv, while its cyber units launched destructive wiper malware against Ukrainian infrastructure. Since 2023, the GRU has pivoted resources toward supporting Iran's military capabilities, providing satellite imagery, electronic warfare technology, and intelligence coordination as the Russia-Iran strategic axis deepened through mutual sanctions pressure and shared opposition to the Western-led order.
Capabilities
Primary Capabilities
The GRU's primary capabilities centre on offensive cyber operations, HUMINT networks, and Spetsnaz special operations. Its cyber units represent tier-one threats: Unit 74455 (Sandworm) specialises in destructive attacks on critical infrastructure — including the 2015 and 2016 Ukrainian power grid attacks, the 2017 NotPetya malware ($10 billion global damage), and the 2018 Olympic Destroyer attack. Unit 26165 (Fancy Bear / APT28) conducts espionage-focused cyber operations targeting military, government, and defence-industrial targets across NATO and partner nations. The GRU maintains HUMINT networks across the Middle East, leveraging Russia's diplomatic presence and military bases in Syria as staging platforms for intelligence collection against Coalition operations.
Secondary Capabilities
Secondary capabilities include satellite and signals intelligence collection through the Space Intelligence Directorate, which operates Russia's Liana ELINT satellite constellation and contributes to the broader Razvedka system. The GRU's 6th Directorate conducts signals intelligence from ground stations and deployed SIGINT platforms. Spetsnaz brigades (approximately 8 active brigades) provide unconventional warfare, sabotage, and direct action capabilities deployable globally. The GRU also maintains a robust covert action arm through Unit 29155, responsible for assassination, sabotage, and destabilisation operations across Europe, including the 2014 Vrbětice ammunition depot explosion in Czechia and the 2018 Salisbury poisoning.
Notable Operations
Role in Conflict
In the current Coalition–Iran Axis conflict, the GRU functions as a critical intelligence enabler for Iranian and proxy forces rather than a direct combatant. Its primary contributions include sharing satellite reconnaissance and signals intelligence on Coalition force dispositions in the Gulf, Eastern Mediterranean, and Red Sea — data that feeds directly into Iranian ballistic missile targeting and Houthi anti-ship operations. The GRU's technical intelligence directorate has facilitated transfers of electronic warfare technology to Iran, including GPS jamming and spoofing systems deployed around the Strait of Hormuz. Russian military advisers with GRU affiliations are assessed to be present at Iranian command centres, providing tactical intelligence coordination. The GRU's cyber units have also conducted parallel operations against Coalition nations' critical infrastructure, creating a secondary front that diverts Western cyber defence resources. Notably, Sandworm-attributed attacks against European energy infrastructure in early 2026 coincided with major Iranian escalatory actions, suggesting operational coordination. The GRU's HUMINT networks in Iraq, Syria, and Lebanon provide early warning of Coalition military planning to Iranian-aligned forces. Russia's UN Security Council veto power provides diplomatic cover, with GRU intelligence assessments informing Russia's diplomatic posture and information warfare narratives that frame Coalition operations as illegitimate aggression.
Order of Battle
The GRU's current force structure relevant to the Iran conflict theatre includes: the Space Intelligence Directorate operating the Liana constellation (Lotos-S1 ELINT and Pion-NKS SIGINT satellites) providing coverage of the Persian Gulf and Eastern Mediterranean; the 6th Directorate running SIGINT collection from the Khmeimim Air Base in Syria and naval facilities at Tartus; Unit 74455 (Sandworm) and Unit 26165 (Fancy Bear) maintaining standing cyber operations against Coalition military networks and critical infrastructure; elements of the 22nd Guards Spetsnaz Brigade assessed to be operating in Syria for force protection and intelligence collection; and the Strategic Operational Intelligence Directorate coordinating HUMINT assets across Iraq, Lebanon, Syria, and Yemen. The GRU's Technical Intelligence Directorate manages technology transfer programmes with Iran's defence establishment. Total personnel engaged in or supporting Iran-theatre operations is estimated at 2,000–4,000, primarily in SIGINT, cyber, and analytical roles rather than combat positions.
Leadership
| Name | Title | Status | Significance |
|---|---|---|---|
| Admiral Igor Kostyukov | Director of the GRU | active | Appointed GRU Director in November 2018 following the death of Igor Korobov. A naval intelligence specialist, Kostyukov has overseen the GRU's pivot toward deeper Iran cooperation and expanded cyber operations against Western targets. |
| Lieutenant General Pavel Fedotov | First Deputy Director of the GRU | active | Manages day-to-day GRU operations and is assessed to oversee the coordination of intelligence sharing with Iran's IRGC Intelligence Organisation. Previously served in the GRU's Middle East division. |
| Colonel General Andrey Averyanov | Commander, Unit 29155 | active | Identified by Bellingcat and The Insider as head of the GRU's covert action unit responsible for assassinations and sabotage. Sanctioned by the EU and US following the Salisbury attack investigation. |
| Yevgeniy Serebriakov | Senior Cyber Operations Officer, Unit 26165 | active | Identified during the failed 2018 OPCW hacking operation in The Hague. Represents the GRU's hands-on technical cyber capability deployed for close-access hacking operations. |
Strengths & Vulnerabilities
Relationships
The GRU maintains its most operationally significant relationship with the IRGC Intelligence Organisation (IRGC-IO) and IRGC Aerospace Force, providing satellite imagery, SIGINT, and electronic warfare technology in exchange for Iranian drone technology transferred to Russia for use in Ukraine. Relations with Iran's Quds Force include intelligence coordination on proxy operations in Iraq, Syria, and Lebanon. The GRU competes domestically with the SVR for foreign intelligence primacy and with the FSB over counterintelligence jurisdiction. In Syria, the GRU operates alongside but sometimes in tension with the Russian Ministry of Defence's command structure. The GRU has facilitated North Korean–Iranian arms transfers and maintains liaison relationships with Chinese military intelligence (MID/2PLA). Its Spetsnaz units coordinate with Hezbollah and Iraqi PMF elements through forward-deployed advisers in the Levant.
Analysis
Threat Assessment
The GRU represents a high-tier indirect threat to Coalition operations in the Iran conflict theatre. While it is not a direct combatant, its intelligence-sharing with Iran materially enhances Iranian targeting accuracy for ballistic missiles and anti-ship weapons. The GRU's cyber capabilities pose a parallel strategic threat: Sandworm's demonstrated ability to attack energy infrastructure could be leveraged for retaliatory strikes against Coalition nations' home-front critical systems. The combination of satellite intelligence provision, EW technology transfer, and cyber operations makes the GRU a force multiplier for the Iran axis that is difficult to counter without escalation against Russian assets directly. Its Spetsnaz presence in Syria creates latent escalation risk.
Future Trajectory
The GRU's role in the Iran axis is likely to deepen as Russia seeks to impose costs on the Coalition without direct military engagement. Expect expanded satellite intelligence sharing as Russia launches replacement Liana constellation elements, potentially providing near-real-time targeting data for Iranian missile forces. Cyber operations against Coalition energy and financial infrastructure will likely intensify if the conflict escalates further. The GRU may increase technical advisory support to Houthi forces for anti-ship operations in the Red Sea. However, sustained Ukraine front demands will constrain the GRU's ability to deploy significant Spetsnaz or HUMINT resources to the Middle East theatre.
Key Uncertainties
- Whether Russia has provided Iran with access to classified satellite imagery of Israeli nuclear and military facilities, and if so, at what resolution and refresh rate
- The extent of GRU cyber pre-positioning within Coalition military networks and Gulf state critical infrastructure for potential retaliatory operations
- Whether GRU Spetsnaz units in Syria have conducted or planned direct kinetic operations against Coalition assets under false-flag cover
- The degree of real-time intelligence coordination between GRU and IRGC during active Iranian missile and drone strikes against Coalition targets
- Whether GRU technology transfers include advanced radar or sensor technology that could significantly improve Iranian air defence capabilities against Coalition stealth aircraft
Frequently Asked Questions
What is the GRU and how is it different from the FSB?
The GRU (Main Directorate of the General Staff) is Russia's military intelligence agency, focused on foreign military threats, cyber warfare, and special operations. The FSB (Federal Security Service) is primarily a domestic security and counterintelligence agency, successor to the KGB's internal directorates. The GRU reports to the military General Staff while the FSB reports directly to the President, and the GRU uniquely controls its own Spetsnaz special forces brigades.
How is Russia helping Iran in the 2026 conflict?
Russia's GRU provides Iran with satellite intelligence on Coalition force positions, electronic warfare technology for GPS jamming operations around the Strait of Hormuz, and SIGINT data from its Syria-based collection platforms. The GRU also conducts parallel cyber operations against Coalition nations' critical infrastructure, creating a secondary front. Russian military advisers with GRU links are assessed to be present at Iranian command facilities providing tactical intelligence coordination.
What are the GRU's most dangerous cyber units?
The GRU's two most dangerous cyber units are Unit 74455 (Sandworm), which specialises in destructive attacks on critical infrastructure — responsible for NotPetya ($10 billion in damages), Ukrainian power grid attacks, and Olympic Destroyer — and Unit 26165 (Fancy Bear / APT28), which focuses on espionage and data theft targeting military, government, and election systems. Both units are assessed to be conducting operations relevant to the current Iran conflict.
How many Spetsnaz does the GRU have?
The GRU controls approximately 25,000 Spetsnaz special operations personnel across roughly 8 active brigades, making it the largest special forces command within any intelligence agency globally. However, significant numbers have been deployed to and suffered casualties in Ukraine since 2022, reducing available capacity for other theatres. Elements of the 22nd Guards Spetsnaz Brigade are assessed to be operating from Syria in intelligence and force protection roles.
Has the GRU been caught spying on Western countries?
The GRU has been publicly exposed in multiple major operations: the 2018 Salisbury Novichok poisoning (Unit 29155 officers identified by name), the attempted OPCW hacking in The Hague (Unit 26165 operatives expelled), the 2016 DNC hack (12 GRU officers indicted), and the 2014 Vrbětice ammunition depot explosion in Czechia. These exposures have led to the identification of hundreds of GRU officers through open-source investigation by groups including Bellingcat and The Insider.