Cyber Threat Actor: Evgeniy Serebriakov

Aliases: 3 aliases
Actor Type: Nation State
Location: Russia
Known Incidents: 1 incident
Profile

The threat actor known by the aliases Evgenii Merezhko, Evgenii Mikhaylovich Serebriakov, Evgeniy Serebriakov, and Evgenii Merezhko (aka Evgeniy Serebriakov) is associated with the Russian GRU. Publicly available information places the individual’s location in Russia. The actor operates under the direction of Russia’s military intelligence service, which conducts cyber operations abroad. These attributes establish a clear state nexus for the actor’s activities.

Targeting has been observed against international anti‑doping organizations and sports governing bodies such as FIFA, with a focus on entities that hold confidential medical records and anti‑doping strategies. The geographic scope of the targeting is global, reflecting the international nature of the victim organizations. The primary strategic objective observed in the attributed campaign is espionage, specifically the theft of therapeutic use exemptions and related medical data. A secondary objective involves the use of stolen information in disinformation efforts aimed at undermining investigations into alleged state‑sponsored doping.

The actor’s typical initial access vectors include spearphishing messages designed to steal credentials and close‑access Wi‑Fi compromises during major sporting events. Operational security is supported by the creation of false hacktivist personas, most notably the "Fancy Bears' Hack Team," which is used to claim responsibility for leaks. Tooling style emphasizes the modification of stolen data before release to support fabricated narratives. The actor also engages directly with journalists to amplify the disinformation derived from the compromised information.

The most publicly reported operation linked to this actor occurred in November 2014, when GRU officers executed a coordinated cyber espionage campaign against anti‑doping agencies and FIFA to obtain and later weaponize sensitive data. This campaign is representative of broader GRU activities that target organizations deemed strategically important to the Russian government. No other specific campaigns are detailed in the provided source material, but the described incident illustrates the actor’s pattern of combining technical intrusion with influence operations. The profile is based exclusively on the facts presented in the incident report and associated attribution.
