On 18 July 2025, the UK Foreign, Commonwealth & Development Office, alongside the Home Office, Cabinet Office, and NCSC, released a landmark profile documenting three Russian GRU units—26165, 29155, 74455—and announced sanctions on 18 operatives plus the Kremlin-backed African Initiative media outlet.
📄 Read the full UK government report (PDF)
🕵️‍♂️ Who’s Been Sanctioned
Unit 26165 (“Fancy Bear” / APT28)
- Ran X-Agent malware, including the 2013 targeting of Yulia Skripal’s phone.
- Facilitated the 2022 missile strike on Mariupol’s theatre.
- Linked to the 2016 US election hack, the IOC doping leaks and the German Bundestag intrusion.
Source: The Times
Unit 29155
- Connected to the Skripal poisoning, the WhisperGate malware and the Czech ammunition depot blast.
- Operates via covert sabotage and hybrid cyberwarfare.
Source: Financial Times
Unit 74455
- Caused blackouts in Ukraine and sabotaged telecom infrastructure.
- Attempted to mislead the Salisbury investigation.
Source: AP News
🌍 African Initiative: Russia’s Propaganda Arm
Launched in September 2023, the Kremlin-funded platform has published over 18,000 multilingual articles discrediting Ukraine and Western narratives. Sanctioned figures:
- Artyom Kureyev – Editor-in-Chief
- Anna Zamareyeva – Deputy Editor
- Victor Lukovenko – Kremlin Liaison
Source: The Guardian
🚫 What the Sanctions Enforce
- UK-wide travel bans and asset freezes for all 18 individuals.
- Prohibitions on doing business with sanctioned media.
- Coordinated action with NATO, EU, and the FBI.
Source: Gov.uk
🔬 Why This Matters for Digital Forensics
- Attribution: Governments naming individual state actors heightens the requirement for forensic accuracy.
- Hybrid Impact: Malware is linked to kinetic attacks—cyber forensics now requires cross-domain analysis.
- Disinformation Integration: Narrative campaigns function as a tool in the cyber kill chain.
- Global Collaboration: Cross-border intelligence coordination supports forensic investigations.
📌 Summary Table
| GRU Unit | Operations | Tools | Forensic Implications |
|---|---|---|---|
| 26165 | US election, Mariupol strike | X-Agent, credential theft | Clear malware attribution |
| 29155 | Skripal poisoning, Czech blast | WhisperGate | Hybrid sabotage signatures |
| 74455 | Ukraine grid, telecoms sabotage | Industroyer | SCADA forensic demand |
| African Initiative | Pro-Russian narratives | Bot networks, media ops | Metadata narrative tracking |


