There’s Now At Least One Real, Live Witness In FBI’s Election-Hacking Probe


A New York Times report out this morning contains a rare glimpse into the workings of a notorious hacking team that has been chased by an increasingly panicked collection of researchers, journalists and government investigators in recent months: “Fancy Bear,” the collective associated with Russian military intelligence that U.S. intelligence officials say breached the Democratic National Committee’s servers during the 2016 campaign.

According to the Times, there now appears to be a material witness cooperating with the FBI investigation into election-related hacking—even though it appears that individual learned of his role in Fancy Bear’s operations after the fact.

The first part of the report is a profile of Profexor, the pseudonym of a Ukrainian coder who developed a malware program, called the P.A.S. web shell, that could be used to administer a hacked server, according to cybersecurity expert Mark Maunder. Profexor, whose real identity remains unknown, became so frightened in December, after the Department of Homeland Security identified his software as one of the tools used in the DNC hack, that he posted to a closed hacker forum that he was “still alive” and eventually turned himself in to Ukrainian police, who then put him in touch with the FBI, according to the Times.

Profexor took P.A.S. off the market and has not been arrested. He appeared to have had no idea his software had been used in the DNC hack, and told Ukrainian authorities he hadn’t made P.A.S. to be used the way it had been, according to the Times.

The reporters on the Times piece, Andrew E. Kramer and Andrew Higgins, drily observe that a terrified hacker throwing himself on the mercy of the Ukrainian cops suggests the popular image of a crack team of dedicated Russian military cyberspies working to overthrow America may be overblown. That had indeed been the consensus until recently: The “Fancy Bear”-linked GRU was understood to be the organized, professional unit of the Russian security services, while its sister agency, the FSB, was thought to be the more fly-by-night operation that supposedly coerced or blackmailed hackers into doing work for the Kremlin.

Profexor would be the third hacker associated with Russian election-season espionage to express surprise at their own involvement in the scheme. Alisa Shevchenko, whose company the U.S. had sanctioned in connection with election hacking, said on Twitter that her business had been inoperative that year, and that she hadn’t worked with the Russian government “that I know of.” Shevchenko either created or sold another hacking program, called Malwas, that allowed hackers to evade detection by moving from machine to machine within a network, which is similar to a technique used in the DNC hack; she also may have sold “zero-day” hacking tools.

Then there is Vladimir Fomenko, whose hosting company King Servers was associated with possible attacks on Arizona and Illinois voting systems in a report by cybersecurity firm ThreatConnect. Fomenko has angrily denied that he had done anything beyond provide hosting services to an anonymous third party, just like any other internet business.

Reached for comment, Fomenko was annoyed.

“I don’t want to talk about it anymore,” he wrote in an email to TPM. “I gave many comments about this. If you have another questions about IT and safety, I can comment on them. But not on this topic.”

Asked who had hacked the DNC, in his opinion, Fomenko wrote “Do you think I know? No I don’t know. Anyone. Who does not love the Hillary.”

Obviously, denials aren’t proof positive of someone’s innocence. But Profexor’s instinct to cooperate with the Ukrainian police, and now the FBI, suggests Russian intelligence may have relied on black market malware and exploits to run its hacking operations, in addition to its own tools. Even if the other hackers weren’t always on the up-and-up, they may be truthful when they say they didn’t have any idea what they were doing. Some of Fancy Bear’s software choices appear to be off-the-shelf malware programs that led forensic investigators not to the perpetrators themselves, but to popular suppliers instead.

