Tracking the GRU online
Updated: Oct 17, 2020
Russia-based threat actors continue to launch large-scale cyber campaigns that target countries holding elections. Recently, Russia-based threat actors are targeting European governments ahead of the upcoming European Parliament elections. One of the most prolific campaigns launched by Russia-based threat actors is the interference in the 2016 US presidential election. According to an indictment by the US Department of Justice, Russia’s military intelligence agency called the Main Intelligence Directorate of the General Staff (GRU) engaged in cyber operations to interfere with the 2016 US presidential election. The GRU units responsible for this campaign are Units 26165 and 74455, and are comprised of at least 12 intelligence officers. Open-source intelligence (OSINT) identified three of these GRU officers having an online presence, which includes information previously not reported by the FBI and profiles on the Russian social media platform VKontakte (VK).
Using OSINT to identify GRU officers
A new image search site allows a user to upload a photograph, which it then recognizes a face in the image, and matches the face to profiles on VK. The accuracy of the results varies but a score from 0 to 1 is assigned to each match to determine its likeness score. Usually results with a score of 0.60 and above match the entity being searched. The results include images of VK profiles that are currently active but also from deleted, suspended, and private profiles. Furthermore, the results only produce images without a link to the specific VK profile – requiring a reverse image search to find the specific VK profile.
ARTEM ANDREYEVICH MALYSHEV (Малышев Артём Андреевич)
According to the FBI, Malyshev is a Second Lieutenant in the Russian military assigned to Unit 26165. Malyshev uses a variety of monikers, including “djangomagicdev” and “realblatr.”
Figure 1 - Mr. Malyshev's FBI Most Wanted Page
Uploading Malyshev’s most wanted picture results in multiple matches that range from a likeness score of 0.68 to 0.78. Many of the results closely resemble Malyshev and some even contain the same facial expression observed in his most wanted picture. Several of the images contain females kissing or physically touching Malyshev, which likely indicates a close relationship.
Figure 2 - Mr. Malyshev's results
Multiple reverse image searches did not produce any VK profiles associated with Malyshev. As previously mentioned, the results may contain images from deleted VK profiles. However, reverse image searching one of the female subjects that appears to be close with Malyshev, produces her VK profile. The female subject identified is likely Malyshev’s sister based on her last name and pictures with Malyshev. A search of her friends did not result in a profile for Malshev, which is another indicator that his profile is deleted. Individuals that have a minimal online presence often require pivoting to their known associates, such as family, friends, or colleagues. Sometimes these associates post images or comments about the person of interest, as observed with Malyshev and his likely sister.
The image with the lowest likeness score produced two different profiles for Malyshev. Malyshev joined two online market places in April 2016 and August 2017; where he sold a television, guitar, and cell phone.
Figure 3 - Items for sale
ANATOLIY SERGEYEVICH KOVALEV (Ковалев Анатолий Сергеевич)
According to the FBI, Kovalev is an officer in the Russian military assigned to Unit 74455 who worked in the GRU’s 22 Kirova Street building (the Tower).
Figure 4 - Mr. Kovalev's FBI Most Wanted Poster
In the case of Anatoliy Sergeyevich Kovalev, his most wanted picture also produced several results.
Figure 5 - Mr. Kovalev's results
One of the results depicts Kovalev participating in a military competition and wearing a race bib with the number 155. A reverse image search of this photograph produced a VK profile associated with Kovalev. The profile picture shows Kovalev in the competition and wearing the same race bib with number 155.
Figure 6 - Mr. Kovalev with race bib
The information observed in the VK profile includes but is not limited to a date of birth, hometown, university, and relationship status. The date of birth and hometown observed in the profile are not listed on the FBI’s most wanted poster. However, the FBI uses the term “Date(s) of Birth Used”, which suggests they list all identified dates of birth associated with a suspect. This notion could indicate the FBI have not identified this VK profile associated with Kovalev.
FBI Most Wanted Poster
Date(s) of Birth Used: 2 August 1991
Place of Birth: Totma, Vologda Oblast, Russia
Date(s) of Birth Used: 12 April 1994
Place of Birth: Irkutsk, Russia
Figure 7 - New DOB for Mr. Kovalev
IVAN SERGEYEVICH YERMAKOV (Ермаков Иван Сергеевич)
According to the FBI, Yermakov is a Russian military officer assigned to Unit 26165. Since in or around 2010, Yermakov used various online personas, including “Kate S. Milton,” “James McMorgans,” and “Karen W. Millen,” to conduct hacking operations on behalf of Unit 26165.
Figure 8 - Mr. Yermakov's FBI Most Wanted Poster
Analyzing Yermakov produced a similar outcome as observed with Malyshev. No VK profile associated with Yerkakov is identified. However, several other online associations are observed, including an amateur football league profile and numerous wedding pictures.
Figure 9 - Mr. Yermakov's results
The date of birth stated on Yerkakov's football profile matches the reported date(s) of birth used by the FBI.
This OSINT analysis is not comprehensive but demonstrates that at least one technique can reveal information not previously reported by the FBI. Furthermore, at least three of the twelve GRU officers wanted by the FBI have an online presence and those with limited presences are identifiable from their close associates. Identifying an individual's online presence provides valuable insights into their behavior, knowledge, usernames, location, etc. This information can be used to help track cyber threat actors and their large-scale cyber operations.