GRU Unit 29155: Russia’s Foreign Covert Action Machine

1.0 Introduction 

Unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Moscow’s military intelligence organ, is a clandestine unit under the Department for Special Tasks (SSD) that came to international attention after being linked to the 2018 Novichok poisoning of Sergei and Yulia Skripal in Salisbury, UK. Founded by Andrey Averyanov in its most kinetic, aggressive form around 2007-2008, the unit has since become a key instrument in the GRU’s broader hybrid warfare, particularly targeting Western and NATO states. The unit has been linked to sabotage, assassinations, and political subversion in foreign territories, and it has more recently expanded its remit to include cyber-enabled operations, including the WhisperGate malware attacks against U.S. and global critical infrastructure since at least 2020. [source]

2.0 Symbols

2.1 Symbols 

Symbol of the GRU, Russia’s military intelligence agency. 

3.0 Organisation

3.1 Place within Russian government

Command structure 

Unit 29155, located at the HQ of the 161st Specialist Training Centre in Eastern Moscow, is a clandestine sub-unit of Russia’s Main Intelligence Directorate (GRU), Russia’s military intelligence agency. Various reports indicate the unit operates under Major General Andrey Vladimirovich Averyanov, and it is commonly described as falling within the GRU’s broader Department for Special Tasks (SSD), which oversees particularly sensitive operations. The SSD is led by Averyanov and Ivan Sergeevich Kas’ianenko, the two officers who founded SSD in 2023. The SSD, according to Recorded Future and the think tank Royal United Services Institute (RUSI), also encompasses Unit 54654, commonly understood as being behind Russian military intelligence’s “illegals” programmes. [source, source]

Internal structure 

Identifying details of the unit’s internal structure is difficult due to the levels of secrecy about the unit, as well as the well-documented tendency of Russian state agencies to deliberately fragment or misrepresent their services and organisational arrangements. Nonetheless, it is clear that the unit includes field operatives who conduct overseas sabotage, assassinations, and destabilisation activities. This unit, according to Christo Grozev, head of investigations at The Insider, is called K2 or, sometimes, K200. More recently, the unit also includes a cyberespionage and cyber sabotage wing. This wing is often tracked under aliases such as Cadet Blizzard, Bleeding Bear, and DEV-0586, and it carries out reconnaissance, collection, disruption, and other related activities. [source, source, source]

As noted in the 2024 analysis by Treadstone 71, consistent with broader Russian operational practice, the unit’s cyber and physical elements operate in a closely coordinated, synchronised manner. The analysis exemplified this aspect of their coordination through the use of cyber operations to degrade surveillance and security systems, creating windows of access for physical operatives. Operations in Ukraine illustrate this approach, where malware targeting energy networks has coincided with physical actions that further disrupted military and government responses. [source]

3.2 Key Figures 

Maj. Gen. Andrey Vladimirovich Averyanov

Several reports, including from Bellingcat and the EU, claim Averyanov is the founding commander of Unit 29155. In addition, in 2025, the Wall Street Journal identified him as leading GRU’s Special Service for Special Tasks (SSD). Born in 1967, Averyanov has been linked to the 2014 Czech ammunition-depot explosions in Vrbetice, the failed 2016 Montenegro coup attempt, and activities tied to the 2018 Skripal poisoning. Additionally, according to a Council Decision report by the European Union, after the death of Wagner Group leader Yevgeny Prigozhin and the restructuring of the group, Averyanov was placed in charge of Russia’s military operations in Africa under the newly formed Africa Corps. [source, source, source]

Telecom and travel data uncovered by Bellingcat show Averyanov coordinating directly with the operatives who carried out the Skripal poisoning – including Denis Sergeev, Alexander Mishkin and Anatoliy Chepiga – during the preparation phase. He also communicated with Sergey Chepur, an expert in toxicology and director of the State Institute for Experimental Military Medicine. [source, source]

Since 19 December 2025, reports by Pravda, Charter 97, and other sources claim a Ukrainian strike on a shadow fleet tanker in the Mediterranean may have killed Averyanov. However, these reports are unverified and there is no independent verification from governments or forensic reporting. [source, source]

Sergey Chepur

Chepur is a military doctor and the director of the St Petersburg State Institute for Experimental Military Medicine, a defence research centre that specialises in organophosphate toxicology. An investigation by Bellingcat found that he visited the headquarters of the GRU during what appeared to be preparation meetings on the eve of the Salisbury attack, and that he repeatedly contacted members of the unit. [source]

Colonel Alexander Mishkin

Mishkin, also known under the cover identity “Alexander Petrov,” is a trained military doctor and a senior officer of the GRU. Bellingcat identified Mishkin as one of the two operatives who carried out the 2018 Novichok attack in Salisbury. Following Bellingcat’s investigation of the poisoning, Mishkin was identified as a member of Unit 29155. Born in 1979 in the village of Loyga, Arkhangelsk Oblast, he trained at the elite Kirov Military Medical Academy. [source, source, source]

Ivan Anatolyevich Burklakov

According to Treadstone 71, Burklakov serves as a logistics coordinator for the unit. In this role, he facilitates the covert movement of personnel and equipment across Europe and supports operational security measures to reduce detection. [source]

Lieutenant General Ivan Kasianenko

Kasianenko is, according to the Insider, deputy commander of Unit 29155, as well as the deputy head of the SSD. He worked as a military attache in Tehran in 2008, and in 2015 was transferred to Kabul, where he reportedly headed a Russian covert action programme offering USD $200,000 bounties to Taliban fighters for killing U.S. soldiers in Afghanistan. [source, source, source]

Maj. Gen. Denis Sergeev

Sergeev is a senior GRU officer from Unit 29155, operating under the alias “Sergey Fedotov” and identified by Bellingcat and The Insider as one of the three members of the team directly behind the Salisbury attack. It is believed that Sergeev acted as the command-and-control link between the operatives on the ground and GRU leadership in Moscow, overseeing the Salisbury attack from a London hotel room, according to Bellingcat. [source, source]

Other key figures:

The FBI identifies the individuals below as members of the unit who are specifically responsible for cyber operations and has posted a USD $10 million award for information leading to their arrest. According to U.S. authorities, these individuals are linked to operations targeting critical infrastructure and are associated with the deployment of WhisperGate malware used in attacks against Ukrainian government systems, as well as US targets. [source]

  • Vladislav Borovkov
  • Denis Denisenko
  • Yuriy Denisov
  • Dmitry Goldshubov
  • Nikolay Korchagin
  • Amin Timovich Stigal

3.3 Connections to Silk Way Rally

The Silk Way Rally is an annual off-road motorsport event that runs across Russia, Asia, and sometimes Europe. While it is publicly a sporting competition, investigative reporting from a joint project by The Insider, Bellingcat, Le Monde, and Der Spiegel revealed another purpose. More specifically, internal documents present the company as a “universal platform for people’s diplomacy” that pushes Russia’s geopolitical agenda. In addition to this, the infrastructure and leadership of Silk Way Rally has been used by the GRU for cover, logistics, and travel permissions to move covert operatives across Europe and Asia. Call logs obtained in this investigation indicate connections with Unit 29155. Bulat Yanborisov, the rally’s director, had repeated phone contact with Rustam Dzhafarov, a member of the unit, as well as two others. [source] 

3.4 Recruitment

The personnel recruited by Unit 29155 varies widely. A report by RUSI states that many of the long-standing members of Unit 29155 have transitioned alongside Averyanov into the SSD HQ roles, while new personnel are increasingly recruited to conduct field activity. Additionally, whilst the unit previously drew a substantial proportion of its personnel from the Spetsnaz formations, newer recruits “disproportionately” have no military instruction. As RUSI stated, this borrows from the “cleanskin” tradecraft – in which personnel lack associations with state security, reflecting a recruiting priority on assuring a low signature. [source]

In parallel, several reports, including that by The Guardian, indicate low-level collection and sabotage operations are increasingly carried out by disposable, one-time operatives. These agents are typically local, recruited online through informal networks like Telegram, and compensated via cryptocurrency, cash, or gems. A report by the Austrian Center for Intelligence, Propaganda and Security Studies (ACIPSS) refers to how the recruited individuals rarely know who employs them, and generally have no ethnic, ideological, or political affinity to Russia. [source, source] 

It is likely that Unit 29155 recruits European nationals with violent tendencies or criminal backgrounds, a pattern consistent with the broader Russian practice of mobilising socially marginal, radicalised or grievance-driven individuals to sow discord around the continent. [source] 

4.0 Tactical-Operational Information

4.1 Operations 

4.1.1. Assassination attempts

  • Maxim Kuzminov

Maxim Kuzminov, aged 28, was a Russian military pilot who opposed the war and defected to Ukraine with his Russian Mi-8 helicopter in an agreement with Ukrainian intelligence. According to the Lansing Institute, the unit located Kuzminov in Spain, likely after Russian counterespionage tracked his contact with his ex-girlfriend, and deployed members of the unit to assassinate him. Kuzminov was found on 13 February 2023 inside a parking garage of an apartment building in Alicante, after he was shot and run over with his own car. Spanish intelligence agencies “have no doubt” that Russian intelligence was behind Kuzminov’s killing, albeit acknowledging the difficulty with attributing complete responsibility. [source, source, source]

  • Sergei and Yulia Skripal

The March 2018 attack on Sergei and Yulia Skripal in Salisbury, carried out with Novichok, a highly specialised skin-absorbed chemical nerve agent, is attributed to Unit 29155. Sergei was a former GRU officer who moved to the UK under a spy swap deal, working as a double agent for British intelligence. Investigations by Bellingcat and its independent Russian media partners revealed that members of Unit 29155 entered the UK under false identities and exposed the victims to the nerve agent on a public door handle. The agent caused both Yulia and Sergei to fall critically ill for several weeks. Investigators later found a perfume bottle containing the nerve agent in a trash bin, reportedly containing enough of the compound to kill thousands of people. [source, source, source]

Location in Salisbury where Sergei and Yulia Skripal fell unconscious. [source]

  • Reported payments of bounties to Taliban militants who attacked US forces in Afghanistan

U.S. intelligence assessments from 2020 claimed that a GRU unit likely offered financial incentives to Taliban-linked militants for attacks on coalition forces in Afghanistan. A former Afghan National Directorate of Security (NDS) official estimated the GRU paid the Taliban a minimum of $30 million overall. Payments for killing U.S. or coalition soldiers were said to average $200,000 each. According to The Insider, by 2015, the unit recruited Afghan smuggler Rahmatullah Azizi and several of his family members to organise the scheme to funnel the payments. Azizi’s travel records show he shared bookings with members from the unit and used a Russian passport from the same series as those used by Unit 29155 operatives. There are no confirmed incidents in which bounties led to casualties and, while the CIA and National Counterterrorism Center stated they were moderately confident that Russian operatives paid bounties for killing Americans, other U.S. agencies were less confident in the strength of the evidence. [source, source]

4.1.2. Sabotage 

  • 2014 Czech Republic ammunition depot explosions

Czech authorities and Bellingcat attribute the October and December 2014 Czech arms depot explosions at Vrbětice to Unit 29155. Two blasts destroyed ammunition warehouses used by a Czech company supplying weapons to Ukraine and other states, killing two people and causing extensive damage. Czech investigators later identified suspects in the blasts as officers from the unit who were operating under false identities. [source, source]

4.1.3. Cyber operations

  • WhisperGate

In January 2022, cyber operators affiliated with Unit 29155 first deployed the highly destructive WhisperGate malware against several Ukrainian government networks shortly before the invasion. The attacks were not limited to Ukraine, however, and went on to target computer systems in other nations that support Ukraine, among them 26 NATO partners, including the United States. WhisperGate was designed to resemble ransomware but instead corrupted master boot records and destroyed data. In 2024, U.S. and allied indictments charged five Unit 29155 officers, including a commanding officer and a civilian. [source, source, source]

4.1.4. Political subversion/election interference

  • Montenegro 2016 

Investigations by Bellingcat and its partner agencies link the Russian operatives involved in the 2016 Montenegro coup attempt – Eduard Shishmakov and Vladimir Popov – to Unit 29155. Western security officials also believe the unit is responsible for this operation. In an attempt to overthrow the Montenegro government and assassinate former Prime Minister Milo Đukanović, the men allegedly provided weapons, funding and guidance to local actors. The plot was foiled after authorities, reportedly tipped off by Western intelligence, intercepted the operatives’ plans and subsequently arrested the key collaborators. [source, source, source, source, source]

  • Inflaming social and political tensions in France

In 2025, French authorities investigated a series of provocative acts, including pig heads placed outside at least nine mosques in and around Paris, as well as green paint thrown on Holocaust memorials and synagogues. CCTV and vehicle tracking showed the perpetrators were foreign nationals who left France immediately after the acts, and Serbian police subsequently arrested 11 Serbian suspects, four of whom were believed to be acting on orders of a foreign intelligence service. French investigators linked the operation to Unit 29155, albeit without concrete evidence of involvement. [source]

4.2 Core Purpose

Unit 29155 is a specialised GRU unit dedicated to conducting covert action operations that advance Russia’s hybrid warfare objectives abroad. The unit conducts sabotage, assassinations and infiltration aimed at undermining the political, social and security stability of target states. Such operations are part of the broader Russian strategic approach designed to impose costs on adversaries and shape their political environment without escalating to conventional, open conflict. 

Unit 29155’s operations are best understood as cumulative. A single act may not produce an immediate tactical outcome; the strategic value of these acts lies in aggregation. Over time, the repeated infiltration sows discord, intimidates target societies, and erodes confidence in state authority. As Europol notes, “hybrid threat actors engage in ongoing, seemingly minor actions that collectively erode stability, security, and trust in institutions.” Europol likened the approach to a “woodpecker” modus operandi, where repeated small actions gradually produce strategic impact. [source]

4.3 Tactics 

Unit 29155’s tactics are flexible and context-dependent. The unit has employed a wide range of methods across different theatres, adjusting its activities to strategic intent and locations. Their tactics include:

  • Physical sabotage of critical infrastructure: Covert destruction of ammunition depots, weapon stockpiles, and storage facilities connected to arms transfers. [source] 
  • Assassinations: Tactical analysis by Treadstone 71 notes the unit’s reliance on precision assassinations, sometimes using weapons that leave minimal traces, such as Novichok nerve agents and custom explosives. [source, source]
  • Weaponising financial systems to fund disinformation and influence campaigns: Treadstone 71’s analysis also identifies a “discernible trend” toward integrating financial warfare into its repertoire. [source]
  • ‘Cleanskin’ personnel: The unit leverages proxies and one-time operatives to reduce attribution and extend operational reach. [source] 
  • Synchronised cyber and kinetic operations: Integration of both elements with the aim to increase the effectiveness of operations. [source]
  • Leveraging diplomatic cover to facilitate movement and provide a degree of immunity. [source]

4.3.1 Cyber tactics

Since approximately 2020, Unit 29155 has developed operational cyber capabilities, employing a range of techniques that include: [source]

  • Use of virtual private servers (VPS) to “host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data.” The use of VPS obscures their true country of origin. [source]
  • Use of Domain Name System (DNS) tunnelling tools to attack IPv4 network traffic. [source]
  • Open sources: The unit’s cyber actors have used publicly available tools to perform reconnaissance. This includes the use of tools such as Amass and VirusTotal to obtain information about victims’ DNS for possible use during targeting, such as subdomains for target websites. Additionally, the unit was reported using Acunetix, Droopescan, and eScan to enable its discovery of IoT devices and exploitable vulnerabilities, as well as Shodan to identify internet-connected hosts. [source]
  • Use of ProxyChains to route internal traffic through a series of intermediary proxies, obscuring the operators’ true location and helping to bypass network restrictions. [source]
  • Password spraying: targeting victims’ Outlook Web Access (OWA) infrastructure with brute force tactics to obtain usernames and passwords. [source]
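
A defender-side illustration of the password-spraying item above, added here and not taken from the original article or its sources: it flags source addresses that fail logins against many distinct accounts with only a few tries each inside a sliding time window, then lists accounts that logged in successfully from a flagged source. The log layout, thresholds, function names and sample addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "timestamp source user result" layout.
# Real OWA/IIS or identity-provider logs need their own parser.
SAMPLE_LOG = """\
2024-03-01T08:00:05 203.0.113.7 alice FAIL
2024-03-01T08:00:40 203.0.113.7 bob FAIL
2024-03-01T08:01:10 203.0.113.7 carol FAIL
2024-03-01T08:01:45 203.0.113.7 dave FAIL
2024-03-01T08:02:20 203.0.113.7 erin FAIL
2024-03-01T08:02:55 203.0.113.7 frank OK
2024-03-01T08:03:30 203.0.113.7 grace FAIL
2024-03-01T08:05:00 198.51.100.20 svc_backup FAIL
2024-03-01T08:05:02 198.51.100.20 svc_backup FAIL
2024-03-01T08:05:04 198.51.100.20 svc_backup FAIL
2024-03-01T08:05:06 198.51.100.20 svc_backup FAIL
2024-03-01T09:10:00 192.0.2.15 heidi FAIL
2024-03-01T09:10:20 192.0.2.15 heidi OK
not-a-time 192.0.2.15 heidi FAIL
truncated line
"""

def parse(text):
    """Yield (time, source, user, ok) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower(), parts[3] == "OK"

def detect_spray(text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: sorted targeted users} for sources that look like spraying.

    Signature: failures against >= min_users accounts inside one window, with no
    account tried more than max_per_user times. The per-account cap separates
    spraying from brute force against a single account.
    """
    fails = defaultdict(list)
    for ts, src, user, ok in parse(text):
        if not ok:
            fails[src].append((ts, user))
    hits = defaultdict(set)
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[src].update(counts)
    return {src: sorted(users) for src, users in hits.items()}

def successes_from(text, sources):
    """Accounts that logged in successfully from flagged sources (reset these first)."""
    return sorted({(s, u) for _, s, u, ok in parse(text) if ok and s in sources})
```

Low-and-slow spraying spread over many source addresses stays under these per-source thresholds, so the same counting is worth repeating keyed on user agent or target account set.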

4.4 Staffing 

Approximating Unit 29155’s personnel size remains difficult and is subject to significant error, especially given the unit’s reliance on proxies, one-time operatives and other externally recruited assets. Open source estimates of the unit also vary. Bellingcat’s 2019 investigation assessed that there are likely 20 officers within their kinetic wing. A Wired report citing Western intelligence officials assessed the cyber unit as consisting of 10 individuals. Joseph Fitsanakis, an intelligence and security studies academic from NGO Support4Partnership, suggested the unit could encompass up to 200 personnel when accounting for planners, trainers, handlers and others beyond the deployable core. Christo Grozev, the head of investigations at The Insider, in January 2024 claimed during an interview that the unit is “a very large unit” of roughly 400 personnel, with smaller subunits of about 70 operatives responsible for overseas sabotage and assassinations. [source, source, source, source]

5.0 The Future 

The current trends in Russia’s operational and strategic culture indicate Unit 29155 will likely continue, if not intensify, as a central instrument of Russian hybrid warfare directed against NATO and partner states. Regions of elevated risk include the Balkans, the Baltic States, Europe and other states which support Ukraine in the ongoing invasion. Unit 29155 is also likely to further integrate the growing advancements of AI-enabled tools in cyber warfare to support operations. Furthermore, its expanding use of cyber operations is likely to become central to the unit’s operational character, parallel to increased integration of cyber capabilities in Russia’s destabilisation techniques. [source, source]

6.0 Conclusion

Unit 29155 remains one of Russia’s most dangerous instruments against foreign states, as exemplified by the Skripal poisoning in the UK, the WhisperGate cyberattack and the 2016 Montenegro coup attempt. As the unit ramps up its technical and hybrid abilities, and tensions between major powers continue to increase, governments must enhance resilience and continue their preparation for Russia’s persistent covert grey-zone threats. [source]

Ivy Shields
