Britain has announced sanctions against 18 Russian spies and three GRU units for attacks on Britain and Europe. Photo / Getty Images
Dozens of Russian spies who targeted Sergei Skripal’s daughter and mounted a series of attacks on Britain have been exposed by the UK’s security services.
Two of the agents were accused of hacking Yulia Skripal’s mobile phone five years before Russia’s GRU military intelligence agency poisoned the pair with deadly Novichok nerve agent on the streets of Salisbury in 2018.
Others were said to be behind a string of covert bombings, arson attacks and damage to infrastructure on British and European soil in an attempt to derail support for Ukraine.
On Friday, the Foreign Office announced that it was sanctioning 18 spies and three GRU units as part of a crackdown on Russian President Vladimir Putin’s campaign to sow chaos on the continent.
The Telegraph understands Britain moved to sanction the Russians because officials were confident they would never travel to the UK for possible apprehension.
This is Britain’s largest-ever set of sanctions against Russian intelligence services.
Ed Bogan, a former CIA agent, told the Telegraph: “Sanctioning these GRU units in particular is crucial, given the depth and breadth of their grey zone operations across numerous countries, which often go unseen or at best, only partially understood. More light on them is needed, but more importantly, more pressure and more action against them.”
British efforts to expose the shadowy operations were supported by the US’s FBI as well as intelligence services from across the Nato military alliance.
Among the operatives named are Ivan Yermakov and Aleksey Lukashev, two senior members of GRU’s Unit 26165 of elite hackers accused of targeting Yulia Skripal’s devices before Moscow’s botched attempt to murder her father.
Authorities are keen to stress that cyber attacks not only disrupt key infrastructure but can also be used to facilitate physical attacks, such as the failed assassination attempt on Sergei Skripal.
The former Russian spy and his daughter were poisoned in one of the most brazen uses of chemical weapons on British soil in March 2018.
There remain concerns about the safety of the Skripals, although it is not thought Friday’s disclosures are linked to any renewed imminent threat to their lives.
British authorities later attributed the assassination attempts, using one of the deadliest man-made chemicals, to Russia’s military intelligence.
Yermakov and Lukashev also feature on an FBI wanted list for their alleged roles in interfering with the 2016 US presidential election, won by Donald Trump.
Unit 26165 has also been named in investigations into alleged hacks around the French presidential elections and political interference in Germany. It was responsible for the creation of “X-Agent”, a malware used to hack Yulia Skripal’s mobile phone.
The GRU intelligence officers targeted her phone with “malicious” malware known as X-Agent in 2013, five years before the assassination attempts in which an innocent British woman, Dawn Sturgess, was killed after she was poisoned with Novichok discarded by the GRU officers sent to kill Skripal.
X-Agent was developed by a Russian hacking gang known as Fancy Bear, which is linked to the GRU. It was first discovered by the West in 2015 and is used by Russia to infect Apple’s iPhones and Android devices and can activate a device’s microphone and record audio as well as harvest text messages, contact lists, photos and geolocation data.
X-Agent has been used by Russia to pinpoint the movements of Ukrainian troops on the battlefield. Yulia Skripal, who lived in Moscow, was tracked to Britain on a visit to her father in Salisbury. Two GRU agents followed her to Britain and smeared Sergei Skripal’s door handle with Novichok, a military-grade nerve agent.
British officials are confident the country’s voters would not be swayed by similar Russian disinformation attempts.
In 2022, their same unit was said to be responsible for conducting online reconnaissance to help position Russian strikes against the Mariupol theatre in Ukraine, killing hundreds of women and children who were sheltering from Putin’s invasion forces.
Outside the building in the port city, those sheltering had written the word “children” in giant Russian lettering. The theatre was later hit by Russian missiles, despite it obviously not being a military target.
The same unit was credited with hacking internet surveillance cameras between 2022 and 2024 across Bulgaria, France, Germany, Greece, Italy, Moldova, Poland, Romania, Slovakia, Ukraine, the Czech Republic and the Netherlands to monitor military assistance being sent to Kyiv.
GRU units 74455, 26165, 29155 were also hit with UK sanctions, which means businesses registered in Britain will not legally be allowed to provide them with services that could assist their sabotage campaigns.
It is alleged the Russian spies are responsible for a series of hacks and attacks on European military support for Ukraine.
British and European intelligence officers have found repeated examples of targeted attacks against port infrastructure, transport hubs, border control points and government infrastructure involved in aid shipments.
British officials fear that the GRU has used the battlefields of Ukraine as a testing ground for further development of a range of cyber capabilities, which would one day be turned on Western countries.
In Britain, three men were recently found guilty of an arson attack on an east London warehouse involved in shipping humanitarian aid and Elon Musk’s Starlink satellite internet systems to Ukraine.
Prosecutors said the attack could be linked to Russia’s Wagner Group of mercenaries.
British investigators were also probing whether Russian agents had sent an incendiary device through the post after it ignited at a DHL hub in Birmingham last year.
A string of similar incidents has been reported across Europe, including warehouse fires and sabotage of train lines.
GRU Unit 29155 has been enlisted by Russia’s top decision-makers to mount a campaign of attempted assassinations, including that of the Skripals, in recent years.
In the past decade, it has been blamed for explosions at weapons depots, where products destined for Ukraine were stored, in the Czech Republic and Bulgaria.
It was also behind a Russian proxy campaign to hire young Afghans to advise and fund Taliban attacks against US-led coalition forces before the American withdrawal in 2022.
David Lammy, Britain’s Foreign Secretary, said: “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this Government’s Plan for Change.
“Putin’s hybrid threats and aggression will never break our resolve. The UK and our allies’ support for Ukraine and Europe’s security is ironclad.”
Another group targeted is the “Africa Initiative”, which runs social media troll farms ultimately controlled by Putin’s spies, accused of pushing fake news and trying to scupper life-saving global health initiatives.
The Russian spies on the sanctions list will be hit with travel bans and asset freezes, as well as British-registered businesses being barred from assisting them in any form.
Sir Gavin Williamson, the former Tory defence secretary, said the news shows how Britain needed to ramp up defence spending as soon as possible.
“This is incredibly serious, and it shows the ever-mounting threat that we have to face. It also underlines the fact that it’s right to continue to increase the investment, not just in terms of our Armed Forces, but how essential it is for our security services as well,” Williamson said.
“It shows that the threats abroad are also threats at home. It shows that the urgency for the extra money is absolutely acute, because what you can guarantee is while these [spies] have been revealed, there’ll be many more that continue to operate.
“We need to make sure our security services and our military have those resources to properly tackle them, and that needs to happen today and not tomorrow.”
Williamson added: “It shows how pervasive the tentacles of Russia really are. We saw that very starkly with the Skripal poisonings and the Salisbury attack. This was a foreign nation conducting a kill operation here in the United Kingdom. We shouldn’t forget that, because it demonstrates how far that they will go to deliver on their aims.”
US President Donald Trump joined Nato allies in condemning Russia, including for its war against Ukraine, in a statement issued by the alliance after Britain’s sanctions were announced.
“These attributions and the continuous targeting of our critical infrastructure, with the harmful impacts caused across several sectors, illustrate the extent to which cyber and wider hybrid threats have become important tools in Russia’s ongoing campaign to destabilise Nato allies and in Russia’s brutal and unprovoked war of aggression against Ukraine,” the Nato statement said.
Insiders hailed the statement as another sign of Trump’s newfound support for Ukraine’s efforts to defend itself against Russian aggression.
The US President has previously vetoed statements blaming Moscow for Europe’s largest conflict since World War II, including in a communique for the recent Nato summit in the Hague.
The British Government made the announcement after mounting scandal over a leaked list of 24,000 Afghans, British spies and special forces soldiers, which has been covered up for years by super-injunctions.
Aleksandr Vladimirovich Osadchuk has risen through the ranks of the Russian Ministry of Defence to become the head of the main directorate for innovative development – a key “cyber-thinker” within the military hierarchy.
A career military officer and longstanding GRU operative (Unit 26165), Osadchuk was accused by the FBI of orchestrating large-scale cyber operations targeting international entities, particularly during the 2016 US presidential election, focusing on hacking and document leaks.
Yevgeniy Mikhaylovich Serebriakov, 44, is a seasoned cyber-operator assigned to the GRU’s Main Directorate (Unit 26165).
Serebriakov is officially linked to the 2018 cyber attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, which was disrupted by Dutch officials before hackers could breach it.
According to the FBI, he specialises in covert operations abroad targeting anti-doping agencies and sporting federations, including during the 2016 Summer Olympics and Paralympics, which were held in Brazil.
Serebriakov has been linked to high-profile incidents involving reconnaissance and targeted attacks, often operating under diplomatic cover, holding seven known aliases.
Anatoliy Sergeyvich Kovalev embodies a range of GRU tactics: cyber, biological and covert operations.
A high-profile GRU operative (Unit 26165), he is known for allegedly spearheading cyber attacks on US state and federal election systems, most notably in 2016, plus interference into critical infrastructure in Ukraine and French political organisations.
He has been criminally indicted in Pennsylvania, US, alongside six GRU officers, facing charges for conspiracy to commit computer fraud, wire fraud and interference in critical infrastructure and democratic processes.
Kovalev is also under investigation by the FBI for possible ties to Kremlin-directed nerve agent investigations.
Ochichenko is a GRU operative associated with Unit 29155, involved in covert operations, including cyber espionage and sabotage.
His role is thought to involve technical support or operational deployment of cyber tools used to infiltrate networks, disrupt communications, and gather intelligence.
Artem Valeryvich Ochichenko is a GRU operative associated with Unit 29155, involved in covert operations, including cyber espionage and sabotage.
His role is thought to involve technical support or operational deployment of cyber tools used to infiltrate networks, disrupt communications, and gather intelligence.
Ochichenko joined Kovalev in being charged by a federal grand jury for targeting critical infrastructure in Ukraine and political organisations in France, as well as operations against Georgia.
Vladislav Yevgenyevich Borovkov is a mid-ranking GRU officer implicated in cyber espionage and hacking campaigns targeting Western governments.
The FBI has accused him of targeting and compromising critical infrastructure in dozens of Western countries. He is wanted by the FBI for alleged cyber attacks between December 2020 and August 2024.
Unlike his colleagues, the spy agency does not know where Borovkov is located. The FBI has a US$10 million ($16.7m) reward for anyone who can provide information leading to his whereabouts.
Nikolay Aleksandrovich Korchagin is another GRU operative within Unit 29155, involved in cyber operations targeting critical infrastructure and political entities.
Like Borovkov, the FBI has accused him of criminal cyber activities between December 2020 and August 2024, and has a $10m reward for information on his whereabouts.
He is known for his role in hacking campaigns aimed at stealing sensitive data and disrupting systems, with a focus on international targets.
Yuriy Federovich Denisov, another GRU operative within Unit 29155, hacked campaigns targeting global infrastructure, focusing on espionage and data theft.
Like Borovkov and Korchagin, he is accused of criminal cyber activities by the FBI between December 2020 and August 2024, and stands accused of targeting critical infrastructure across dozens of Western countries.
Denisov is wanted by the FBI with a US$10m reward for information leading to his arrest.
A senior GRU officer in Unit 26165, Ivan Sergeyevich Yermakov is known for orchestrating spear-phishing campaigns during the 2016 US presidential election.
With Osadchuk, he was accused of stealing documents from US officials during the election before releasing them to interfere with its outcome. He was also accused of targeting anti-doping agencies during the 2016 Summer Olympics, with Serebriakov.
Aliases include “Kate S Milton”, “James McMorgans” and “Karen W Millen”, according to the FBI.
Aleksey Viktorovich Lukashev has served as a senior lieutenant in Russia’s GRU.
Like many others on this list, he has been charged in the US for his part in the conspiracy to interfere with democracy during the 2016 US election, including by focusing on stealing and leaking sensitive documents.
Aleksey Sergeyevich Morenets, an officer assigned to Unit 26165, is known for his involvement in the GRU’s cyber activities targeting international organisations, particularly the 2018 cyber attack attempt against the OPCW in The Hague, with Serebriakov.
The FBI has also accused him of targeting anti-doping agencies across the US and globally during the Summer Olympics and Paralympics in 2016, joining charges that were filed against Yermakov and Serebriakov.
Sergey Aleksandrovich Morgachev is another GRU officer and a senior member of Unit 26165, holding the rank of lieutenant colonel.
He is accused of hacking campaigns targeting political and governmental entities during the 2016 US presidential election.
Artem Adreyevich Malyshev is another GRU officer and a senior lieutenant of Unit 26165.
The FBI has accused him of hacking campaigns targeting political and government entities during the 2016 US presidential election. He was also charged with aggravated identity theft, false registration of a domain name, and conspiracy to commit money laundering during this period.
Malyshev is also one of seven Russians to be accused of targeting anti-doping agencies during the 2016 Summer Olympics.
Sergey Sergeyevich Vasyuk and Andrey Eduardovich Baranov are linked with Unit 29155, involved in cyber and covert operations.
Suspected activities include hacking and espionage efforts targeting foreign infrastructure and political entities to support Russian intelligence.
Vitaly Aleksandrovich Shevchenko, another member of Unit 29155, was one of three Russian nationals previously sanctioned by the Council of the European Union for carrying out “malicious cyber activities” against Estonia.
Yuriy Leonidovich Shikolenko is a GRU operative associated with Unit 29155.
His activities include hacking and espionage efforts targeting foreign infrastructure and political organisations.
Victor Borisovich Netyksho is one of the 12 GRU officers wanted by the FBI for interference in the 2016 presidential election. The FBI had photos of 11 officers but Netyksho remained faceless until a Ukrainian “hacktivist” group intervened.
The personal data and a photograph of Netyksho was published by “Kiber Sprotyv”, which translates to “Cyber Resistance” in 2023. They managed to get hold of the information by hacking the email account of his wife, Oksana Serhiyivna Netyksho.
He is thought to be a senior GRU officer and commander of Unit 26165.
Dmitriy Aleksandrovich Mikhaylov is a GRU operative within Unit 29155, involved in cyber operations targeting global infrastructure.
His activities focus on hacking and espionage, targeting political and governmental entities.
Artyom Sergeevich Kureyev is a Russian individual associated with disinformation campaigns.
As chief editor of the African Initiative, Kureyev is allegedly involved in creating and spreading false narratives to manipulate public perception.
According to Bloomberg, he has had frequent contacts with around half a dozen European journalists, often arranging and covering their travel costs for some of them to visit occupied territories in Ukraine.
Documents seen by the news outlet show he appears to have paid to plant news articles.
African Initiative is a Russian media and influence organisation, masquerading as a news agency and information platform.
It has sought to present itself as a Moscow-based news agency that covers events across the continent.
But in reality, it is considered to be the “main vehicle” for Russia’s disinformation activities across the continent, according to a report by Viginum, a French agency which monitors foreign digital interference.
This unit, known as Unit 29155 – which includes Ochichenko – is a covert Russian military intelligence facility under the GRU. It is tasked with training operatives in sabotage, assassination, and unconventional warfare.
Unlike traditional cyber units, this secretive centre prepares agents for covert operations abroad, including targeted assassinations and subversion tactics.
It has been linked to several high-profile incidents such as the poisoning of Sergei Skripal in Britain and the attempted assassination of defectors across Europe.
Unit 26165, also known as the 85th Main Special Service Centre, is a key cyber warfare unit of the Russian GRU, based in Moscow.
Led by Netyksho, it specialises in offensive cyber operations, including hacking, data theft and spear-phishing campaigns targeting government, political and private sector entities around the world.
Unit 26165 is notorious for its role in high-profile cyber attacks, including the Democratic National Committee (DNC) email hack during the 2016 US presidential election.
Unit 74455, known publicly as Sandworm, is another specialised division focusing on cyber operations, including the deployment of malware, hacking campaigns, and disinformation.
The military unit is suspected of being behind a cyber attack against the Ukrainian power grid in 2015, interference into the French presidential election in 2017, and a cyber attack on the 2018 Winter Olympics opening ceremony.
In August 2023, a joint report by the intelligence agencies in the US, Britain, Canada, Australia and New Zealand accused Sandworm of a new malware campaign. The malware, dubbed “Infamous Chisel”, targeted Android devices used by the Ukrainian military.