Santa Fe New Mexican

Malware expert could blow whistle on Russian hacking

Ukrainian man known as ‘Profexer’ now is a witness for the FBI

- By Andrew E. Kramer and Andrew Higgins

KIEV, Ukraine — The hacker, known only by his online alias “Profexer,” kept a low profile. He wrote computer code alone in an apartment and quietly sold his handiwork on the anonymous portion of the internet known as the dark web. Last winter, he suddenly went dark entirely.

Profexer’s posts blinked out in January — just days after U.S. intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States. U.S. intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.

But while Profexer’s online persona vanished, a flesh-and-blood person has emerged: a fearful man who Ukrainian police said turned himself in early this year and has now become a witness for the FBI.

“I don’t know what will happen,” he wrote in one of his last messages posted on a restricted-access website before going to the police. “It won’t be pleasant. But I’m still alive.”

It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the election hacking.

There is no evidence that Profexer worked, at least knowingly, for Russia’s intelligence services, but his malware apparently did.

That a hacking operation that Washington is convinced was orchestrated by Moscow would obtain malware from a source in Ukraine — perhaps the Kremlin’s most bitter enemy — sheds considerable light on the Russian security services’ modus operandi in what Western intelligence agencies say is their clandestine cyberwar against the U.S. and Europe.

Also emerging from Ukraine is a sharper picture of what the U.S. believes is a Russian government hacking group known as Advanced Persistent Threat 28 or Fancy Bear. It is this group, which U.S. intelligence agencies believe is operated by Russian military intelligence, that has been blamed, along with a second Russian outfit known as Cozy Bear, for the DNC intrusion.

Russia’s testing ground

In more than a decade of tracking suspected Russian-directed cyberattacks against a host of targets in the West and in former Soviet territories — NATO, electrical grids, research groups, journalists critical of Russia and political parties, to name a few — security services around the world have identified only a handful of people who are directly involved in either carrying out such attacks or providing the cyberweapons that were used.

This absence of reliable witnesses has left ample room for President Donald Trump and others to raise doubts about whether Russia really was involved in the DNC hack.

“There is not now and never has been a single piece of technical evidence produced that connects the malware used in the DNC attack to the GRU, FSB or any agency of the Russian government,” said Jeffrey Carr, the author of a book on cyberwarfare. The GRU is Russia’s military intelligence agency, and the FSB its federal security service.

U.S. intelligence agencies, however, have been unequivocal in pointing a finger at Russia.

So, not surprisingly, those studying cyberwar in Ukraine are now turning up clues in the investigation of the DNC break-in and related hacking, including the discovery of a rare witness.

Serhiy Demediuk, chief of the Ukrainian Cyber Police, said in an interview that Profexer went to authorities himself. As the cooperation began, Profexer went dark on hacker forums. He last posted online on Jan. 9.

Demediuk said he had made the witness available to the FBI, which has posted a full-time cybersecurity expert in Kiev as one of four bureau agents stationed at the U.S. Embassy there. The FBI declined to comment.

Profexer was not arrested because his activities fell in a legal gray zone, as an author but not a user of malware, the Ukrainian police say.

But he did know the users, at least by their online handles. “He told us he didn’t create it to be used in the way it was,” Demediuk said.

It is not clear whether the specific malware the programmer created was used to hack the DNC servers, but it was identified in other Russian hacking efforts in the United States.

A bear’s lair

While it is not known what Profexer has told Ukrainian investigators and the FBI about Russia’s hacking efforts, evidence emanating from Ukraine has again provided some of the clearest pictures yet about Fancy Bear, or Advanced Persistent Threat 28, which is run by the GRU.

Fancy Bear has been identified mostly by what it does, not by who does it.

One of its recurring features has been the theft of emails and its close collaboration with the Russian state news media.

Tracking the bear to its lair, however, has so far proved impossible, not least because many experts believe that no such single place exists.