A New York Times report out this morning contains a rare glimpse into the workings of a notorious hacking team that’s been chased by an increasingly panicked collection of researchers, journalists and government investigators in recent months: “Fancy Bear,” the collective associated with Russian military intelligence and that U.S. intelligence officials say breached the Democratic National Committee’s servers during the 2016 campaign.
According to the Times, there now appears to be a material witness cooperating with the FBI investigation into election-related hacking—even though it appears that individual learned of his role in Fancy Bear’s operations after the fact.
The first part of the report is a profile of Profexor, the pseudonym for a Ukrainian coder who developed a malware program, called the P.A.S. web shell, that could be used to administer a hacked server, according to cybersecurity expert Mark Maunder. Profexor, whose real identity remains unknown, became so frightened in December after the Department of Homeland Security identified his software as one of the tools used in the DNC hack that he posted to a closed hacker forum that he was “still alive” and eventually turned himself in to Ukrainian police, who then put him in touch with the FBI, according to the Times.
Profexor took P.A.S. off the market and has not been arrested. He appeared to have had no idea his software had been used in the DNC hack, and told Ukrainian authorities he hadn’t made P.A.S. to be used the way it had been, according to the Times.
The reporters on the Times piece, Andrew E. Kramer and Andrew Higgins, drily observe that a terrified hacker throwing himself on the mercy of the Ukrainian cops suggests the popular image of a crack team of dedicated Russian military cyberspies working to overthrow America may be overblown. That had indeed been the consensus until recently: The “Fancy Bear”-linked GRU was understood to be the organized, professional unit of the Russian security service, while its sister agency, the FSB, was thought to be the more fly-by-night operation that supposedly coerced or blackmailed hackers into doing work for the Kremlin.
Profexor would be the third hacker associated with Russian election-season espionage to express surprise at their own involvement in the scheme. Alisa Shevchenko, whose company the U.S. had sanctioned in connection with election hacking, said on Twitter that her business had been inoperative that year, and that she hadn’t worked with the Russian government “that I know of.” Shevchenko either created or sold another hacking program, called Malwas, that allowed hackers to evade detection by moving from machine to machine within a network, which is similar to a technique used in the DNC hack; she also may have sold “zero-day” hacking tools.
Then there is Vladimir Fomenko, whose hosting company King Servers was associated with possible attacks on Arizona and Illinois voting systems in a report by cybersecurity firm ThreatConnect. Fomenko has angrily denied that he had done anything beyond provide hosting services to an anonymous third party, just like any other internet business.
Reached for comment, Fomenko was annoyed.
“I don’t want to talk about it anymore,” he wrote in an email to TPM. “I gave many comments about this. If you have other questions about IT and safety, I can comment on them. But not on this topic.”
Asked who had hacked the DNC, in his opinion, Fomenko wrote, “Do you think I know? No I don’t know. Anyone. Who does not love the Hillary.”
Obviously, denials aren’t proof positive of someone’s innocence. But Profexor’s instinct to cooperate with the Ukrainian police, and now the FBI, suggests Russian intelligence may have relied on black market malware and exploits to run its hacking operations, in addition to its own tools. Even if the other hackers weren’t always on the up-and-up, they may be truthful when they say they didn’t have any idea what they were doing. Some of Fancy Bear’s software choices appear to be off-the-shelf malware programs that led forensic investigators not to the perpetrators themselves, but to popular suppliers instead.