A Ukrainian malware expert who could blow the whistle on Russian hacking

The hacker, known only by the nickname "Profexer," always stayed in the shadows. He wrote computer code in his apartment and quietly sold his work in an anonymous corner of the Internet known as the darknet.


But last winter he suddenly vanished. Profexer's posts, visible only to a small circle of hackers and cybercriminals who came to him for advice on the software, stopped in January, just days after U.S. intelligence agencies publicly identified a program he had written as one of the tools used in the break-in at the Democratic National Committee.


But while the online persona Profexer disappeared, a very real man of flesh and blood remained: a frightened man who, according to Ukrainian police, turned himself in early this year and has now become a witness for the FBI. "I don't know what will happen," he wrote in one of his last messages on a restricted-access website before going to the police.


"It won't be pleasant. But I'm still alive." This is the first known case of a living witness amid the mass of technical detail that has so far made up the investigation into the DNC break-in and fueled a heated debate. Ukrainian police declined to disclose the man's name or any other details, except that he lives in Ukraine and has not been arrested. There is no evidence that Profexer worked, at least knowingly, for Russia's intelligence services, but his malware apparently did.


That the hacking operation Washington believes was orchestrated by Moscow deployed malware from a source in Ukraine, perhaps the Kremlin's fiercest adversary, sheds light on the methods of the Russian security services in what Western intelligence agencies believe is a covert cyberwar against the United States and Europe.


This is not a small team of civil servants writing their own code and carrying out attacks during office hours in Moscow or St. Petersburg; it is a much more freewheeling enterprise that seeks out talent and hacking tools wherever they can be found. Ukraine also offers a clearer picture of what the United States says is a state-run hacking group known as Advanced Persistent Threat 28, or Fancy Bear. According to U.S. intelligence agencies, this group is run by Russian military intelligence and, together with a second group known as Cozy Bear, has been accused of breaking into the Democrats' systems. Rather than training, equipping and directing hackers to execute a specific mission as a conventional unit would, Fancy Bear and its twin Cozy Bear act more as centers of organization and financing; much of the heavy lifting, such as writing code, is outsourced to private, often criminal, contractors.


Russian field tests


In more than a decade of tracking suspected Russian-organized cyberattacks against a range of targets in the West and in former Soviet territories, such as NATO, electrical grids, research groups, journalists critical of Russia and political parties, security services around the world have identified only a handful of people directly involved in carrying out such attacks or supplying the cyberweapons used. The lack of reliable witnesses has given Trump and others ample room to question whether Russia was really behind the hacking of the Democratic Party's committee.

"There is not now, and never has been, any technical evidence that would have tied the malware used in the attack on the Democrats to the GRU, the FSB or any other agency of the Russian government," said Jeffrey Carr, author of a book on cyber warfare. The GRU is Russia's military intelligence agency; the FSB is the Federal Security Service of the Russian Federation. U.S. intelligence agencies, however, have pointed squarely at Russia. Looking for a way out of this impasse, cybersecurity researchers and Western law enforcement officials have turned to Ukraine, a country Russia has used for years as a laboratory for a range of politicized operations that were later carried out in other countries, including the hacking of the U.S. election.


Certain types of computer intrusions appeared first in Ukraine: for example, the use of malware to disable critical infrastructure, or the theft of emails that were later published to sway public opinion. The same methods were later used in Western Europe and the United States. It is therefore not surprising that those who study cyberwar in Ukraine are now finding clues for the investigation of the DNC break-in, including the rare appearance of a witness. Security experts were initially puzzled when the Department of Homeland Security on December 29 released technical evidence of Russian hacking that seemed to point not to Russia but to Ukraine.


The department's initial report cited only one malware sample as an indicator of Russian-sponsored hacking, although, according to experts, a variety of malware was used in the break-in. The sample pointed to a malicious program called the P.A.S. web shell, a hacking tool advertised on Russian-language dark web forums and used by cybercriminals across the former Soviet Union. Because the tool circulated freely, its presence on a server says little on its own about who deployed it. Its author, Profexer, is a well-regarded technical expert among hackers, spoken of with reverence in Kiev. He made the tool available for free download from his website, asking only for a donation of $3 to $250. The real money came from selling customized versions and from advising hacker clients on how to use it effectively.


It remains unclear how closely he worked with the Russian hacking team. After the Department of Homeland Security identified his work, he quickly shut down his website and posted on a closed hacker forum, Exploit: "I'm not interested in excessive attention to my person." Soon a hint of panic appeared, and he posted a note saying that, six days later, he was still alive. Another hacker, going by the name Bad Santa, suggested that the Americans would surely find him and arrest him, perhaps at an airport during a trip. "It's possible, or not; it all depends on politics," Profexer replied. "If U.S. law enforcement wants to grab me, they won't wait for me at some country's airport. Relations between our countries are so close that I would be arrested in my own kitchen on request." In fact, Sergey Demediuk, head of Ukraine's Cyber Police, said in an interview that Profexer turned himself in to the authorities. Once the cooperation began, Profexer disappeared from the hacker forums.


His last post online was on January 9. Demediuk said he was giving testimony to the FBI, which has stationed a full-time cybersecurity expert in Kiev as one of the four bureau agents based at the U.S. Embassy. The FBI declined to comment. Profexer was not arrested because his activity falls into a legal gray area: he is the author of the malware, not its user, Ukrainian police say. But he did know a user, at least by an online nickname. "He told us he had not created it for such use," Demediuk said. Anton Gerashchenko, a member of Ukraine's parliament with close ties to the security services, said the interaction took place online or by phone, and that the Ukrainian programmer was paid to write customized malware without knowing its purpose, learning only later that it had been used to break into the Democratic Party. Gerashchenko described the author only in general terms, to protect him, as a young man from a provincial Ukrainian city. He confirmed that the author had gone to the police and was cooperating as a witness in the investigation of the hacking of the Democrats.


"He was a freelancer, and now he is a valuable witness," Gerashchenko said.


The bear's den


What Profexer has told Ukrainian investigators and the FBI about Russia's hacking attempts is unknown, but the evidence emerging from Ukraine has again yielded important data about Fancy Bear, or Advanced Persistent Threat 28, which is said to be controlled by the GRU. Fancy Bear has been identified mainly by its activities. One recurring feature of the group has been the theft of emails combined with close cooperation with Russian state media. But tracking the bear to its den has so far proved impossible, not least because, according to many experts, no single den exists.

Even for a technology company as advanced as Microsoft, finding these people in the digital space proved nearly impossible. To limit the damage to its customers' operating systems, the company filed a complaint against Fancy Bear last year in U.S. District Court for the Eastern District of Virginia. But the result was shadow boxing. As Microsoft's lawyers reported to the court, "because the defendants used false contact information, anonymous Bitcoin, prepaid credit cards and false identities, and sophisticated technical means to conceal their identities when setting up and using the relevant Internet domains, the true identities of the defendants are unknown."


Ukrainian officials, though fearful of upsetting the Trump administration, nevertheless cooperated with U.S. investigators in trying to figure out who is hiding behind all the masks.


That exchange of information included copies of hard drives from Ukraine's Central Election Commission, which was attacked during the presidential election in May 2014. That the FBI had obtained this evidence of a hack linked to Russia had not previously been reported.


Traces of the same malicious code, this time a program called Sofacy, were found in the 2014 attack in Ukraine and later in the break-in at the Democrats in the United States. Tellingly, the cyberattack during the Ukrainian election, which apparently involved a misstep by the Russian state broadcaster Channel One, inadvertently implicated state bodies in Moscow. The hackers uploaded to the election commission's server a graphic simulating the page that displays the results.


The fake page showed a shocking result: victory for the fiercely anti-Russian far-right candidate Dmitry Yarosh. In fact, Yarosh received less than 1 percent of the vote. A false result would have played into the hands of Russian propaganda claiming that Ukraine is now run by far-right, even fascist, figures. The fake image was programmed to display when the polls closed at 8 p.m., but the Ukrainian cybersecurity firm INFOSAT discovered it just minutes beforehand and took the server offline.


Nonetheless, Russian state television reported that Yarosh had won and showed the fake graphic, citing the election commission's website, even though the graphic never appeared there. The hackers had clearly supplied Channel One with the same image in advance, but the journalists did not check whether the attack had succeeded. "To me this is an obvious link between the hackers and Russian officials," said Victor Zhora, director of the cybersecurity firm INFOSAT, which first discovered the fake graphic. Nikolay Koval, a Ukrainian government researcher who studied the attack, published his findings in the 2015 book "Cyber War in Perspective" and identified the Sofacy malware on the server. A mirror image of the hard drive was sent to the FBI, which thus already held this forensic sample when the cybersecurity firm CrowdStrike identified the same malware two years later on the Democratic Party's servers. "That was the first strike," Zhora said of the hack of Ukraine's election commission. Ukraine's Cyber Police also provided the FBI with copies of server hard drives pointing to the possible origin of some of the phishing emails aimed at the Democratic Party during the election.


In 2016, two years after the Ukrainian election hack, hackers using the same techniques ransacked the email system of the World Anti-Doping Agency (WADA), which had accused Russian athletes of systematic doping. This raid, too, appeared closely coordinated with Russian state television, which began broadcasting well-prepared stories about the stolen WADA emails just minutes after they were posted. The emails appeared on a website announcing that WADA had been hacked by a group calling itself the "Fancy Bears' Hack Team."


It was the first time Fancy Bear had openly announced itself. Yet Fancy Bear remains highly elusive. To throw investigators off the trail, the group has undergone various transformations, adding to its arsenal of malware and at times operating under different masks. One of its alter egos, in the view of cyber experts, is CyberBerkut, a group purportedly created in Ukraine by pro-Russian supporters of President Viktor Yanukovych, who was ousted in 2014. After months of inactivity, CyberBerkut sprang back into action this summer as the multiple investigations in Washington into possible collusion between the Trump campaign and Moscow moved to a new level. CyberBerkut published stolen emails that, it and Russian state media claimed, exposed the truth: that Hillary Clinton had colluded with Ukraine.