Russian Vehicle Registration Leak Reveals Additional GRU Hackers
For more details on the six indicted hackers, see The Insider’s recent publication (Russian) on the topic.
On October 15th, the United States filed an indictment against six Russian nationals accused of being hackers with Russian military intelligence (GRU). These six men, per the indictment, were involved in a number of high-profile cyberattacks, with targets including French President Emmanuel Macron’s election campaign, the Winter Olympics, Ukrainian energy infrastructure, the UN’s chemical watchdog (OPCW), and others.
In 2018, the Netherlands and United Kingdom issued a similar cache of information about a number of GRU hackers involved some of the same cyberattacks. In both this week’s and the 2018 disclosure of the identities of GRU hackers, the incompetence of the Russian state and its information security becomes quite clear: many of these secretive hackers have registered their vehicles to their workplace in Moscow, that is to say to the publicly accessible address of GRU military units. By running simple queries in widely available leaked databases showing Moscow Oblast vehicle registration data, we can easily discover the identities of dozens of additional hackers who registered their vehicles to the same non-existent Moscow address.
Indicted Hackers at Svobody
When searching the names of three of the six indicted hackers, we found that they have all registered their vehicles to the same address: Svobody 21В [referring the the Russian “в”, the third letter of the alphabet, not the English “b”]. It is important to note that none of these hackers actually live at this address — which would make it a very crowded communal apartment. Rather they simply used their workplace as a vehicle registration address, as is done by many Russians serving in the military. In this case, the GRU’s military unit 74455 operates out of the address Svobody 21.
The biographical information in this leaked vehicle registration database matches the information in the FBI warrants for Pavel Frolov, Pyotr Pliskin and Anatoly Kovalev, except for the FBI noting Pliskin’s date of birth as August 6, instead of August 26. This indicates either an error on the FBI’s part, or a typo in the leaked database.
Kovalev was previously indicted in 2018 along with 11 other GRU hackers linked to the same military unit 74455.
As detailed by The Insider, the vehicle of another of the six indicted hackers, Yuri Andrienko, is registered to a different known GRU address — Khoroshevskoe 76B.
A Hacker Registry
Conducting a wider search by an address on the same leaked Moscow vehicle registration database returns dozens of other people — all born between 1978 and 1998 — who registered their vehicles to the same Svobody 21 address. While there are slight variations in the data, it is safe to assume that all of these people are somehow connected to the GRU.
In sum, there are :
- 38 people registered to Svobody 21 В
- Six people registered to Svobody 21 В Ч (V Ch)
- Five people registered to Svobody 21 ВЧ (VCh)
The eleven people who registered their address to the non-existent apartments at Svobody 21 ВЧ and В Ч, instead of just В (also non-existent), likely refers to the Russian abbreviation for “military unit” — в/ч (войсковая часть or voyskovaya chast’).
Of these 49 people registered to this GRU-associated address:
- 38 are men, 11 are women [some of the people registered at this address could be the spouse of a GRU officer and just have the vehicle registered in their name, but it is highly likely that the majority of these 49 people are directly associated with the GRU themselves]
- The average birth year is 1988, making the approximate average age 32 years old
- The youngest person listed to the GRU military unit’s address was born in 1998 (22 years old), while the oldest was born in 1978 (42 years old).
Except for the three hackers indicted this week, none of the other 46 individuals with a Svobody 21 vehicle registration have been publicly named or indicted by any Western country.
For more information on the GRU’s cyberwarfare activities and the Svobody 21 address, see:
- The Insider: “«Песчаный червь». Как хакеры ГРУ отключали электростанции в Украине, взламывали избирком США и создали самый разрушительный вирус в мире“
- RFE/RL: “Investigative Report: On The Trail Of The 12 Indicted Russian Intelligence Officers”
- Meduza: “Козачек, он же Kazak, он же blablabla1234565”
- RFE/RL: “Высланный из Голландии Олег Сотников жил напротив “хакерской” части ГРУ”