Ukrainian malware expert could blow whistle on Russian hacking of DNC - media
The hacker, known only by his online alias “Profexer,” is reportedly the first known living witness in the FBI probe into the DNC hack after he turned himself in to the Ukrainian police earlier this year, The New York Times reported.
The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested, NYT wrote.
There is no evidence that Profexer worked, at least knowingly, for Russia’s intelligence services, but his malware apparently did.
That a hacking operation that Washington is convinced was orchestrated by Moscow would obtain malware from a source in Ukraine — perhaps the Kremlin’s most bitter enemy — sheds considerable light on the Russian security services’ modus operandi in what Western intelligence agencies say is their clandestine cyberwar against the United States and Europe.
It does not suggest a compact team of government employees who write all their own code and carry out attacks during office hours in Moscow or St. Petersburg, but rather a far looser enterprise that draws on talent and hacking tools wherever they can be found.
The publication says that also emerging from Ukraine is a sharper picture of what the United States believes is a Russian government hacking group known as Advanced Persistent Threat 28 or Fancy Bear. It is this group, which American intelligence agencies believe is operated by Russian military intelligence, that has been blamed, along with a second Russian outfit known as Cozy Bear, for the DNC intrusion.
Rather than training, arming and deploying hackers to carry out a specific mission like just another military unit, Fancy Bear and its twin Cozy Bear have operated more as centers for organization and financing; much of the hard work like coding is outsourced to private and often crime-tainted vendors.
This absence of reliable witnesses has left ample room for President Trump and others to raise doubts about whether Russia really was involved in the DNC hack.
“There is not now and never has been a single piece of technical evidence produced that connects the malware used in the D.N.C. attack to the G.R.U., F.S.B. or any agency of the Russian government,” said Jeffrey Carr, the author of a book on cyberwarfare. The G.R.U. is Russia’s military intelligence agency, and the F.S.B. its federal security service.
United States intelligence agencies, however, have been unequivocal in pointing a finger at Russia.
Seeking a path out of this fog, cybersecurity researchers and Western law enforcement officers have turned to Ukraine, a country that Russia has used for years as a laboratory for a range of politicized operations that later cropped up elsewhere, including electoral hacking in the United States.
In several instances, certain types of computer intrusions, like the use of malware to knock out crucial infrastructure or to pilfer email messages later released to tilt public opinion, occurred in Ukraine first. Only later were the same techniques used in Western Europe and the United States.
So, not surprisingly, those studying cyberwar in Ukraine are now turning up clues in the investigation of the DNC hack, including the discovery of a rare witness.
Profexer was not arrested because his activities fell in a legal gray zone, as an author but not a user of malware, the Ukrainian police say. But he did know the users, at least by their online handles. “He told us he didn’t create it to be used in the way it was,” said Serhiy Demediuk, chief of Ukraine’s cyber police.
While it is not known what Profexer has told Ukrainian investigators and the FBI about Russia’s hacking efforts, evidence emanating from Ukraine has again provided some of the clearest pictures yet about Fancy Bear, or Advanced Persistent Threat 28, which is run by the GRU.