Author: Col. (Ret.) Łukasz Paczesny
Veni, vidi, convinci [2]
In recent weeks, a publication by a team associated with the Finnish technology company CheckFirst entitled “Unveiling GRU’s [1] Information Operations Troops with OSINT and Medals” [3] has appeared online. CheckFirst’s activities are part of a trend of activism against Russian propaganda and disinformation that has been observed and popular in the West for several years. The company declares partnerships with numerous well-known organizations such as the European Commission and France TV, and its staff—including former French media journalist Guillaume Kuster—has been involved for years in popular initiatives aimed at countering information aggression.
The purpose of this commentary is not, of course, to provide a thorough analysis of the material, but only to draw attention to its cognitive value for readers interested in the security of the Republic of Poland by pointing out a few important elements.
The mysteries of military emblems and OSINT [5]
The material in question is worth noting for at least several reasons.
Firstly, it is an interesting proposal to broaden knowledge about the secretive information warfare structures of the Russian military intelligence service, the GRU.
Secondly, the publication is based on the analysis of information obtained using OSINT techniques.
This form of data collection and analysis requires special skills due to the uncertainty of sources, pitfalls in the form of websites containing dangerous or aggressive scripts, and widespread disinformation on the internet, which can mislead researchers. In the absence of the possibility of verifying data based on other types of sources, analytical work becomes very demanding and rewards experience and subject specialization. In the case in question, an interesting concept, used previously [6], was implemented: presenting the structures of the GRU’s Information Operations Departments based on the symbolism of 118 insignia (emblems) of military units, supplementing their description with existing data from other open sources. This somewhat inductive model of work is characteristic of leading whistleblowing organizations using OSINT, such as Bellingcat and the Russian outlet The Insider.
CheckFirst analysts have noted that there are many distinctive markings and symbols used by GRU information formations that reveal the nature of the activities of individual military intelligence formations. For example, the Greek letter Ψ (Polish: “psi”), a symbol associated with psychology, refers to structures related to psychological operations (PSYOPS); a scroll with a seal symbolizes the protection of secrets, i.e., a task characteristic of structures involved in decryption and cryptanalysis; and a sword, as a sign of offensive activities, often appears in units dedicated to hacking operations.
Thirdly, and most importantly from the point of view of Poland’s security, the publication allows conclusions to be drawn that are useful in the discussion on the Polish model of countering Russian information aggression, including the role of our special services. It should be remembered that all materials prepared and published based on the described method should be treated with some caution by professionals. This is particularly important given that the authors have pointed out that some of the data may be out of date due to changes in the GRU’s structures that have taken place since the end of the first decade of the 2000s.
Main GRU information units
The authors show that the Russian information forces, formed within the Information Operations Command, i.e., military unit 55111, whose creation was announced by the Russians in 2014, remain under the control of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) – the body responsible for reconnaissance and military intelligence in the army.
The tasks of these forces, comprising at least 15 units with different profiles, include:
- operations in computer networks,
- psychological operations,
- cryptology.
A number of individual military units grouped into departments are responsible for carrying out these activities, among which the most important ones, the so-called main centers, have been identified. These are the following military units:
- unit 74455 (associated with Sandworm or, since 2024, APT44) [7][8];
- unit 54777 (PSYOPS formation);
- unit 26165 (associated with Fancy Bear/APT28).
For years, these structures have been identified as formations conducting aggressive information and cyber operations against the West, both by companies specializing in cybersecurity and by official government publications in Western countries [9][10].
An interesting element of the publication is its references to other military units that have not been previously reported on or associated with information warfare formations. These include units 20766, 48707, and 20978.
The authors of the material efficiently present the methodology used to identify the structure of information forces and describe individual divisions and units in an accessible manner, including their historical affiliations and links to other reference publications. The whole is presented in a neat and clear format.
Conclusions
- The possibility of reconstructing the structure of foreign intelligence based on the analysis of military emblem symbolism may provide an impetus for in-depth reflection on the use of similar markings identifying membership in specific structures of the Polish Armed Forces. It seems reasonable to consider whether the scope and form of the symbolism displayed generate unintended sensitive information.
- The existence of such extensive information structures of hostile special services, revealed as a result of an in-depth analysis of materials posted on internet forums and auction sites, should prompt experts and decision-makers to reflect in depth on the potential and organizational model of Polish state structures responsible for security. If the current solutions are found to be insufficiently effective, it would be reasonable to consider the necessary reforms, with particular emphasis on strengthening the coordination of activities carried out by the dispersed entities of the security system.
- By revealing an important element of the Russian military intelligence structure, the CheckFirst report brings to a wider audience the scale of the threats posed by the GRU in the area of influence operations. An analysis of the disclosed structure and specialization of individual units indicates that the Russian Federation’s catalog of activities is not limited to classic forms of propaganda. It also includes complex information operations, the impact of which can be directed at states, institutions, economic entities, and potentially also individuals. Hostile information activities can be further reinforced by interference in communication systems and cyberattacks targeting infrastructure and electronic devices.
- Due to the clear lack of scientific research on the contemporary structures and mechanisms of the Eastern secret services in the context of information operations targeting Poland’s national security, it is reasonable to undertake in-depth analyses in this area. Their results could provide significant support to state institutions responsible for the security system.
