Politics In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking

Discussion in 'Blazers OT Forum' started by SlyPokerDog, Aug 16, 2017.

  1. SlyPokerDog

    SlyPokerDog Woof! Staff Member Administrator

    Joined:
    Oct 5, 2008
    Messages:
    116,532
    Likes Received:
    114,554
    Trophy Points:
    115
    KIEV, Ukraine — The hacker, known only by his online alias “Profexer,” kept a low profile. He wrote computer code alone in an apartment and quietly sold his handiwork on the anonymous portion of the internet known as the Dark Web. Last winter, he suddenly went dark entirely.

    Profexer’s posts, already accessible only to a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in the hacking of the Democratic National Committee.

    But while Profexer’s online persona vanished, a flesh-and-blood person has emerged: a fearful man who the Ukrainian police said turned himself in early this year, and has now become a witness for the F.B.I.

    “I don’t know what will happen,” he wrote in one of his last messages posted on a restricted-access website before going to the police. “It won’t be pleasant. But I’m still alive.”

    It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the D.N.C. hack and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested.


    That a hacking operation that Washington is convinced was orchestrated by Moscow would obtain malware from a source in Ukraine — perhaps the Kremlin’s most bitter enemy — sheds considerable light on the Russian security services’ modus operandi in what Western intelligence agencies say is their clandestine cyberwar against the United States and Europe.

    It does not suggest a compact team of government employees who write all their own code and carry out attacks during office hours in Moscow or St. Petersburg, but rather a far looser enterprise that draws on talent and hacking tools wherever they can be found.

    Also emerging from Ukraine is a sharper picture of what the United States believes is a Russian government hacking group known as Advanced Persistent Threat 28 or Fancy Bear. It is this group, which American intelligence agencies believe is operated by Russian military intelligence, that has been blamed, along with a second Russian outfit known as Cozy Bear, for the D.N.C. intrusion.

    Rather than training, arming and deploying hackers to carry out a specific mission like just another military unit, Fancy Bear and its twin Cozy Bear have operated more as centers for organization and financing; much of the hard work like coding is outsourced to private and often crime-tainted vendors.

    Russia’s Testing Ground
    In more than a decade of tracking suspected Russian-directed cyberattacks against a host of targets in the West and in former Soviet territories — NATO, electrical grids, research groups, journalists critical of Russia and political parties, to name a few — security services around the world have identified only a handful of people who are directly involved in either carrying out such attacks or providing the cyberweapons that were used.

    This absence of reliable witnesses has left ample room for President Trump and others to raise doubts about whether Russia really was involved in the D.N.C. hack.

    “There is not now and never has been a single piece of technical evidence produced that connects the malware used in the D.N.C. attack to the G.R.U., F.S.B. or any agency of the Russian government,” said Jeffrey Carr, the author of a book on cyberwarfare. The G.R.U. is Russia’s military intelligence agency, and the F.S.B. its federal security service.

    United States intelligence agencies, however, have been unequivocal in pointing a finger at Russia.

    Seeking a path out of this fog, cybersecurity researchers and Western law enforcement officers have turned to Ukraine, a country that Russia has used for years as a laboratory for a range of politicized operations that later cropped up elsewhere, including electoral hacking in the United States.

    In several instances, certain types of computer intrusions, like the use of malware to knock out crucial infrastructure or to pilfer email messages later released to tilt public opinion, occurred in Ukraine first. Only later were the same techniques used in Western Europe and the United States.

    So, not surprisingly, those studying cyberwar in Ukraine are now turning up clues in the investigation of the D.N.C. hack, including the discovery of a rare witness.

    Security experts were initially left scratching their heads when the Department of Homeland Security on Dec. 29 released technical evidence of Russian hacking that seemed to point not to Russia, but rather to Ukraine.

    In this initial report, the department released only one sample of malware said to be an indicator of Russian state-sponsored hacking, though outside experts said a variety of malicious programs were used in Russian electoral hacking.

    The sample pointed to a malware program, called the P.A.S. web shell, a hacking tool advertised on Russian-language Dark Web forums and used by cybercriminals throughout the former Soviet Union. The author, Profexer, is a well-regarded technical expert among hackers, spoken about with awe and respect in Kiev.

    He had made it available to download, free, from a website that asked only for donations, ranging from $3 to $250. The real money was made by selling customized versions and by guiding his hacker clients in its effective use. It remains unclear how extensively he interacted with the Russian hacking team.

    After the Department of Homeland Security identified his creation, he quickly shut down his website and posted on a closed forum for hackers, called Exploit, that “I’m not interested in excessive attention to me personally.”

    Soon, a hint of panic appeared, and he posted a note saying that, six days on, he was still alive.

    Another hacker, with the nickname Zloi Santa, or Bad Santa, suggested the Americans would certainly find him, and place him under arrest, perhaps during a layover at an airport.

    “It could be, or it could not be, it depends only on politics,” Profexer responded. “If U.S. law enforcement wants to take me down, they will not wait for me in some country’s airport. Relations between our countries are so tight I would be arrested in my kitchen, at the first request.”

    In fact, Serhiy Demediuk, chief of the Ukrainian Cyber Police, said in an interview that Profexer went to the authorities himself. As the cooperation began, Profexer went dark on hacker forums. He last posted online on Jan. 9. Mr. Demediuk said he had made the witness available to the F.B.I., which has posted a full-time cybersecurity expert in Kiev as one of four bureau agents stationed at the United States Embassy there. The F.B.I. declined to comment.

    Profexer was not arrested because his activities fell in a legal gray zone, as an author but not a user of malware, the Ukrainian police say. But he did know the users, at least by their online handles. “He told us he didn’t create it to be used in the way it was,” Mr. Demediuk said.

    A member of Ukraine’s Parliament with close ties to the security services, Anton Gerashchenko, said that the interaction was online or by phone and that the Ukrainian programmer had been paid to write customized malware without knowing its purpose, only later learning it was used in the D.N.C. hack.

    Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. “He was a freelancer and now he is a valuable witness,” Mr. Gerashchenko said.

    https://www.nytimes.com/2017/08/16/...acking-witness.html?smid=tw-nytimes&smtyp=cur
     
  2. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    Joined:
    May 24, 2007
    Messages:
    72,959
    Likes Received:
    10,632
    Trophy Points:
    113
    Occupation:
    Never lost a case
    Location:
    Boston Legal
  3. UncleCliffy'sDaddy

    UncleCliffy'sDaddy We're all Bozos on this bus.

    Joined:
    Jul 2, 2015
    Messages:
    6,663
    Likes Received:
    13,506
    Trophy Points:
    113
    dviss1 likes this.
  4. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    One of the greatest frauds pulled against the masses since Orson Welles' War of the Worlds is unraveling.

    The government is supposed to tell the truth, but we know they don't. The media is supposed to tell the truth in the face of government lies, but they are complicit in the whole thing.

    Until recently, the non-existent evidence, dubious sources, and technical details have been ignored or explained away. It's left wing news sites that are beginning to tell the truth.

    NYTimes may be warming up to doing its job.

    The OP explains how a 400 lb guy in his bedroom could be a dangerous hacker.
     
  5. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    This is today's news, related to Ukraine. I just happened to read it and was going to post in another thread, but saw this more appropriate one.
     
  6. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    https://www.bloomberg.com/view/articles/2017-08-10/why-some-u-s-ex-spies-don-t-buy-the-russia-story

    Why Some U.S. Ex-Spies Don't Buy the Russia Story
    Evidence that undermines the "election hack" narrative should get more attention.

    The January assessment of the U.S. intelligence community, which serves as the basis for accusations that Russia hacked the election, said, among other things: "We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release U.S. victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks."

    VIPS instead surmises that, after WikiLeaks' Julian Assange announced on June 12, 2016 his intention to publish Hillary Clinton-related emails, the DNC rushed to fabricate evidence that it had been hacked by Russia to defuse any potential WikiLeaks disclosures. To this end, the theory goes, the DNC used the Guccifer 2.0 online persona to release mostly harmless DNC data. Guccifer 2.0 was later loosely linked to Russia because of Russian metadata in his files and his use of a Russia-based virtual private network.

    The VIPS theory relies on forensic findings by independent researchers who go by the pseudonyms "Forensicator" and "Adam Carter." The former found that 1,976 MB of Guccifer's files were copied from a DNC server on July 5 in just 87 seconds, implying a transfer rate of 22.6 megabytes per second -- or, converted to a measure most people use, about 180 megabits per second, a speed not commonly available from U.S. internet providers. Downloading such files this quickly over the internet, especially over a VPN (most hackers would use one), would have been all but impossible because the network infrastructure through which the traffic would have to pass would further slow the traffic. However, as Forensicator has pointed out, the files could have been copied to a thumb drive -- something only an insider could have done -- at about that speed.

    Adam Carter, the pseudonym for the other analyst, showed that the content of the Guccifer files was at some point cut and pasted into Microsoft Word templates that used the Russian language. Carter laid out all the available evidence and his answers to numerous critics in a long post earlier this month.
     
  7. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    https://www.thenation.com/article/a-new-report-raises-big-questions-about-last-years-dnc-hack/

    A New Report Raises Big Questions About Last Year’s DNC Hack
    Former NSA experts say it wasn’t a hack at all, but a leak—an inside job by someone with access to the DNC’s system.

    • There was no hack of the Democratic National Committee’s system on July 5 last year—not by the Russians, not by anyone else. Hard science now demonstrates it was a leak—a download executed locally with a memory key or a similarly portable data-storage device. In short, it was an inside job by someone with access to the DNC’s system. This casts serious doubt on the initial “hack,” as alleged, that led to the very consequential publication of a large store of documents on WikiLeaks last summer.
    • Forensic investigations of documents made public two weeks prior to the July 5 leak by the person or entity known as Guccifer 2.0 show that they were fraudulent: Before Guccifer posted them they were adulterated by cutting and pasting them into a blank template that had Russian as its default language. Guccifer took responsibility on June 15 for an intrusion the DNC reported on June 14 and professed to be a WikiLeaks source—claims essential to the official narrative implicating Russia in what was soon cast as an extensive hacking operation. To put the point simply, forensic science now devastates this narrative.
     
  8. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    http://www.salon.com/2017/08/15/wha...ions-media-and-democrats-would-rather-ignore/

    What if the DNC Russian “hack” was really a leak after all? A new report raises questions media and Democrats would rather ignore
    A group of intelligence pros and forensic investigators tell The Nation there was no hack— the media ignores it

    If all this is true, these findings would constitute a massive embarrassment for not only the DNC itself but the media, which has breathlessly pushed the Russian hacking narrative for an entire year, almost without question but with little solid evidence to back it up.

    You could easily be forgiven for not having heard about this latest development — because, perhaps to avoid potential embarrassment, the media has completely ignored it. Instead, to this point only a few right-wing sites have seen fit to publish follow-ups.

    ...

    The silence from mainstream outlets on this is interesting, if for no other reason than the information appears in a highly-regarded liberal magazine with a reputation for vigorous and thorough reporting — not some right-wing fringe conspiracy outlet carrying water for Donald Trump.
     
  9. SlyPokerDog

    SlyPokerDog Woof! Staff Member Administrator

    Denny attempting to hijack the thread with articles he's already posted.

     
    dviss1 likes this.
  10. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    On topic here.
     
  11. barfo

    barfo triggered obsessive commie pinko Staff Member Global Moderator

    Joined:
    Sep 15, 2008
    Messages:
    32,728
    Likes Received:
    22,787
    Trophy Points:
    113
    Location:
    Blazer OT board
    Your Dear Leader has told me that the press is all Fake News, so I'm afraid your links are all bullshit, Denny. Sorry.

    barfo
     
  12. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    Figures. You'd call it fake news. They're written by your kind.

    Figures that stories about Russia and Ukraine and hacking are somehow hijacking a thread about Russia and Ukraine and hacking.
     
  13. barfo

    barfo triggered obsessive commie pinko Staff Member Global Moderator

    You are fake news Denny.

    barfo
     
  14. Further

    Further Guy

    Joined:
    Sep 20, 2008
    Messages:
    11,098
    Likes Received:
    4,037
    Trophy Points:
    113
    Occupation:
    Stuff doer
    Location:
    Place
    Nazi = Trump



    I can squirrel too
     
    SlyPokerDog likes this.
  15. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    Careful, or the dog will complain about his thread getting derailed.
     
  16. theprunetang

    theprunetang Shaedon "Deadly Nightshade" Sharpe is HIM

    Joined:
    Oct 15, 2008
    Messages:
    11,511
    Likes Received:
    20,946
    Trophy Points:
    113
    Maybe you should stop derailing threads? Pretty simple fix.
     
    SlyPokerDog likes this.
  17. MarAzul

    MarAzul LongShip

    Joined:
    Sep 28, 2008
    Messages:
    21,370
    Likes Received:
    7,281
    Trophy Points:
    113
    Occupation:
    Life is good!
    Location:
    Near Bandon Oregon
    Shhh!
    I want to see if the dog will throw his weight into Further's asinine post. He's been hawking hate lately.
     
  18. Minstrel

    Minstrel Top Of The Pops Global Moderator

    Joined:
    Sep 16, 2008
    Messages:
    26,226
    Likes Received:
    14,405
    Trophy Points:
    113
    Occupation:
    User Interface Designer
    Location:
    Hello darkness, my old friend
    You need about five to seven links, each given their own post. Squirrels don't just run themselves.
     
    Further likes this.
  19. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    It is odd that a newspaper claiming to be presenting the news simply repeats the government's lies as if they're true, and buries the one truth in the middle and tries to dismiss it.

    I'm talking about this part:

    “There is not now and never has been a single piece of technical evidence produced that connects the malware used in the D.N.C. attack to the G.R.U., F.S.B. or any agency of the Russian government,” said Jeffrey Carr, the author of a book on cyberwarfare. The G.R.U. is Russia’s military intelligence agency, and the F.S.B. its federal security service.

    So who is Jeffrey Carr?

    https://en.wikipedia.org/wiki/Jeffrey_Carr

    Jeffrey Carr is a cybersecurity author, researcher, entrepreneur and consultant, who focuses on cyber warfare.[1]

    In 2008, Carr founded Project Grey Goose, a crowd-sourced open-source intelligence effort to attribute major cyber attacks.[2][3][4] The Project solicited the expertise of vetted volunteers, while seeking to filter out non-experts and cyber criminals. The Project's first area of research was the campaign of cyberattacks during the Russo-Georgian War.[1]

    In 2011, Carr created the Suits and Spooks conference series, which offered a private forum for intelligence veterans to meet with technologists, academics, hackers, and business executives. The forum was acquired by Wired Business Media in 2014.[5]

    He is currently founder and principal consultant at "The 20K League", a cybersecurity consultancy network.[6] Carr has served as CEO of cybersecurity firms Taia Global Ltd (also founder) and GreyLogic.[1][7] Carr has lectured on cybersecurity issues at the Defense Intelligence Agency, U.S. Army War College, Air Force Institute of Technology, NATO’s CCDCOE Conference on Cyber Conflict, and DEF CON.[8]
     
  20. Denny Crane

    Denny Crane It's not even loaded! Staff Member Administrator

    And this nugget:

    In March 2017, Carr stated there was growing doubt in the computer security industry regarding the narrative of Russian state sponsorship of hacks associated with the 2016 US elections. Carr described that the FBI never examined the servers that were hacked at the DNC, and the DNC instead employed cybersecurity firm CrowdStrike to investigate the penetrations. According to Carr, "All the forensic work on those servers was done by CrowdStrike, and everyone else is relying on information they provided." Carr described that CrowdStrike's narrative relied on the argument that the AGENT-X malware used in the operation was exclusively possessed by the Russian government, but that in reality AGENT-X was also in the possession of Ukrainian hackers, an American cybersecurity company, and likely others.[18]

    (The NYTimes article actually confirms the last sentence above)
     
