Fancy Bear's New Faces
Updated: Oct 17, 2020
A Look at GRU’s Intelligence Officers and Possible Recruitment Processes
Uncovered VKontakte (VK) accounts that are ostensibly linked to officers of the Russian military’s Main Intelligence Directorate of the General Staff (GRU) shed light on unreported personal details, including the individuals’ aliases and military training. The accounts relate to Artem Andreyevich Malyshev, Anatoliy Sergeyevich Kovalev, and Pavel Vyacheslavovich Yershov, who are listed on the Federal Bureau of Investigation’s (FBI) Most Wanted list. According to the FBI, the individuals served in GRU units 26165 and 74455, popularly known as Fancy Bear or APT28, and are wanted in connection with cyber operations that targeted the US Presidential Elections in 2016. The details contained in these accounts have not been publicly reported by the FBI.
Artem Andreyevich Malyshev (Артём Андреевич Малышев)
We previously identified several VK accounts that are ostensibly associated with Artem Andreyevich Malyshev, hereinafter Mr. Malyshev. At the time, it was not possible to locate the accounts or view their contents. However, using a new open-source intelligence (OSINT) tool, we were able to locate these accounts and review their contents. The accounts contained aliases and military units that have not been previously reported by the FBI. As shown in Figure 1, the aliases are “Artem Ivanov” and “Artyom Mao”.
Figure 1 - VK accounts of Mr. Malyshev
The other images posted to these accounts almost certainly match Mr. Malyshev. According to timestamps, the images were posted at least six months before the US Department of Justice exposed Mr. Malyshev’s identity, meaning that the possibility that someone “faked” the profiles is remote. As seen in Figure 2, the account also lists the 2 February 1988 date of birth reported by the FBI. Therefore, these accounts were likely created by Mr. Malyshev himself and not someone else.
Figure 2 - Date of birth matches FBI reporting
The VK accounts observed in Figure 2 list Mr. Malyshev’s military education and service, which provide insight into his background prior to becoming a Senior Lieutenant in Unit 26165. Mr. Malyshev purportedly served in the Russian military’s Unit 190 ВШП from 2006 to 2007. Unit 190 ВШП is a military school for cooks and is located in Naro-Fominsk, Moscow Oblast. After serving a year with Unit 190 ВШП, Malyshev reportedly transferred to Unit 54817 until 2008. Open source information on Unit 54817 is quite limited; however, based on associations with test aviation squadrons and Mr. Malyshev’s education and training at the Yaroslavl Higher Military School of Air Defense (hereinafter “Yaroslavl Military School”), it is likely a unit within the Russian Aerospace Forces.
Artem Malyshev likely attended Yaroslavl Military School between 2008 and 2013. The duration of schooling and training is five years, which aligns with the dates reported on his VK profile. Mr. Malyshev notably left Unit 54817 in 2008 and graduated from Yaroslavl Military School in 2013. According to that school’s website, Yaroslavl is responsible for training air defense specialists in the operation of anti-aircraft missile systems, radar stations, radio engineering facilities, and automatic control systems of operational and tactical level air defense units and subunits. Malyshev purportedly studied Automated Information Processing and Management Systems while at Yaroslavl Military School. According to State Authorities of Yaroslavl Region, the military school is responsible for training personnel in “six military specialties within the framework of three civil specialties [and] with higher professional education.” The statement by the Regional Authorities on inclusion of higher education at Yaroslavl Military School aligns with the other reported educational experience on the VK account.
Figure 3 – Yaroslavl Military School located at 150001, Yaroslavl, Moscow Avenue, 28
Malyshev purportedly attended Saint Petersburg State University of Aerospace Instrumentation and graduated in 2010. He also claims to have attended the private Yaroslavl State University; Mr. Malyshev reports that he studied Information Security and Methods and Systems of Information Security before graduating in 2013. Sometime between his graduation and involvement in cyber operations targeting US elections, Malyshev almost certainly became a GRU intelligence officer. The mentioned schools and programs attended by Malyshev may give some insight into the GRU’s process for recruiting cyber-focused intelligence officers.
Anatoliy Sergeyevich Kovalev (Ковалев Анатолий Сергеевич)
We previously identified Anatoliy Kovalev’s then-unknown date of birth. Using the same tool referenced above, we identified a new VK account that is likely associated with Mr. Kovalev. The account, which is under a previously unreported alias, “Nikita Abramov,” contains at least one of the images that we had previously identified, one of him wearing a race bib, as shown in Figure 4. The account also contains an unreported date of birth of 17 April. The images are almost certainly of Mr. Kovalev, and they were posted at least 36 months before the DOJ exposed his identity, meaning the possibility of this being “fake” is remote. Therefore, this account was likely created by Mr. Kovalev himself and not someone else.
Figure 4 – Previously identified account (left) and newly uncovered account (right)
Pavel Vyacheslavovich Yershov (Павел Вячеславович Ершов)
We also identified a deleted VK profile for Pavel Yershov. The account, which is under a previously unreported alias, “Maksim”, is a visual match of Mr. Yershov. However, no additional information was obtained.
Figure 5 – A match for Mr. Yershov but the account was deleted
OSINT revealed two aliases for Mr. Malyshev and one alias each for Mr. Kovalev and Mr. Yershov that had not been previously reported. Analysis of Mr. Malyshev’s military schooling and training provides new insights into the background and competencies of cyber-focused GRU officers. Further analysis of the particular schools and programs that Mr. Malyshev attended could shed light on GRU recruit pipelines. Overall, this information may be useful for tracking Russia-based cyber threat actors and their large-scale cyber operations.