A comprehensive investigation has shed light on one of Russia’s most clandestine intelligence operations, revealing intricate details about the Federal Security Service’s (FSB) 16th Center and its expansive signals intelligence (SIGINT) network. This research, conducted by CheckFirst analysts over more than a year, employed a novel methodology that combined traditional open-source intelligence techniques with phaleristics—the academic study of military insignia and decorations.
Historical Context and Evolution
The FSB’s 16th Center, operating under the military designation Unit 71330, represents the modern incarnation of Soviet-era SIGINT capabilities. These capabilities trace back to KGB Order No. 0056, issued on June 21, 1973. Following the dissolution of the Federal Agency for Government Communications and Information (FAPSI) in 2003, the 16th Center inherited primary signals intelligence operations, evolving into what intelligence experts describe as Russia’s premier electronic eavesdropping organization.
Mission and Operational Scope
The Center’s current mission encompasses three critical domains:
1. Communications Interception: Monitoring and capturing communications across various channels.
2. Cryptanalysis: Deciphering encrypted information to extract valuable intelligence.
3. Computer Network Operations: Conducting cyber operations targeting government institutions, non-governmental organizations (NGOs), and private companies worldwide.
These operations reflect the FSB’s expanded mission, which includes foreign intelligence collection and offensive cyber operations. Cyber analysts have identified FSB hackers under various codenames, including Berserk Bear, Energetic Bear, Gamaredon, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala. ([en.wikipedia.org](https://en.wikipedia.org/wiki/Federal_Security_Service?utm_source=openai))
Organizational Structure and Personnel
Through systematic analysis of over 200 military insignia photographs collected from Russian manufacturers’ websites, collector forums, and specialized phaleristics communities, CheckFirst researchers identified the unit’s sophisticated operational structure. The investigation revealed that the 16th Center comprises at least ten distinct departments designated by letters, including A, B, V, D, K, P, S, SP (Special Programs), ST, and T. Based on FSB organizational standards—where departments require 55 employees and sections need at least eight—the Center employs a minimum of 560 personnel.
Technical Infrastructure and Surveillance Capabilities
The research uncovered a comprehensive network of ten ground-based SIGINT facilities strategically positioned across Russia’s vast territory, from the Estonian border to remote locations near China. These installations employ sophisticated interception equipment, including Circularly Disposed Dipole Arrays (CDAA), also known as Wullenweber systems, capable of 360-degree beamforming and signal tracking at ranges up to 15,000 kilometers.
The facilities feature Multibeam Tracking Antennas (MBTA) designed for simultaneous satellite communications (SATCOM) interception and parabolic antennas ranging from six to 25 meters in diameter. Investigators used digiKam, open-source photo management software, to systematically catalog and analyze insignia containing geographic indicators, unit designations, and symbolic representations of the Center’s technical capabilities. Cross-referencing this data with satellite imagery and declassified intelligence documents enabled precise geolocation of previously undocumented interception sites, revealing facilities equipped with vertical antenna arrays optimized for omnidirectional signal capture and high-frequency communications monitoring across multiple spectral bands.
Cyber Operations and Global Impact
The FSB’s cyber operations have had a significant global impact. In May 2023, the U.S. Justice Department announced that it had disabled a sophisticated malware network used by the FSB for two decades to spy in 50 countries, including NATO allies. The FSB had successfully inserted the Snake or Uroburos malware on computer systems worldwide, focusing on government networks, research facilities, journalists, and other targets. Computers in the system also served as relay nodes to disguise traffic to and from Snake malware inserted on target computer systems. In a years-long operation, the FBI was able to defeat Snake by inserting its own bit of computer code into it, which issued commands causing the malware to overwrite itself. ([rfi.fr](https://www.rfi.fr/en/international-news/20230509-us-says-disabled-russian-spyware-used-for-two-decades?utm_source=openai))
Surveillance Expansion and Domestic Implications
Domestically, the FSB has been expanding its surveillance capabilities. In September 2023, reports indicated that the FSB intended to expand its capabilities to spy on users of the Russian Internet, as well as to disguise its operations. The FSB likely supported amendments to a bill in the State Duma of Russia that would expand its digital authoritarianism tools to spy on users of the Russian Internet, banking, and telecommunications companies. Experts concluded that the FSB’s efforts to gain control over the databases of large companies were probably part of an attempt to strengthen surveillance measures over the population of the Russian Federation and occupied Ukraine. The FSB also intended to use potential new access to databases to disguise its operations more easily. ([pravda.com.ua](https://www.pravda.com.ua/eng/news/2023/09/30/7422042/?utm_source=openai))
Conclusion
The unveiling of the FSB’s 16th Center and its extensive SIGINT network provides a rare glimpse into the sophisticated and far-reaching capabilities of Russia’s intelligence apparatus. The combination of traditional intelligence methods with modern cyber operations underscores the evolving nature of global espionage and the continuous efforts by nation-states to monitor and influence both domestic and international affairs.