Ukrainian hacker could help lift fog on Russia’s role in U.S. election
Mystery of cyber attack deepens as malware writer becomes witness for FBI
By Byron Acohido, ThirdCertainty
In all the noise of this week’s events, it would be easy to miss some dramatic news out of Kiev today. So I’ll amplify it here. A Ukrainian hacker who wrote code that might have helped hack the U.S. election—and other political events around the world—has turned FBI witness, The New York Times says.
His pseudonym is Profexer, and plenty of people are wondering about his safety right now.
Below is a brief synopsis, but you should really read the entire report.
As with all things cyber, and all things political, it’s not as clear as one would wish. Profexer is a well-regarded Ukrainian hacker who wrote a tool sometimes called PAS. It is what’s known as a web shell, one of several kinds of tool a hacker might use when taking over a network. Essentially, it’s a base of operations installed after a successful break-in: a small script (PAS is written in PHP) planted on a compromised web server that lets a remote hacker open a “shell,” a prompt for executing commands, on the compromised machine from an ordinary web browser.
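The paragraph above describes what a web shell such as PAS does for an intruder. Below, as an added example that is not from the article, from PAS or from Profexer, is a small Python scanner of the kind a defender would run over a web root to find such a script: it statically peels the eval(gzinflate(base64_decode())) wrapper layers that many PHP web shells use to hide their body, then flags generic web-shell traits (command execution fed from request parameters, a hashed-password gate, decode chains). The PHP samples are constructed for the example, and the indicator list is an assumption about common shell traits, not a signature for PAS.

```python
"""Scan PHP source for web-shell indicators, unwrapping the
eval(gzinflate(base64_decode('...'))) layers many shells hide behind."""
from __future__ import annotations

import base64
import re
import zlib
from dataclasses import dataclass

# --- Constructed samples (illustrative, not PAS or any real shell) ----------

CLEAN_PHP = (
    "<?php\n"
    "$title = htmlspecialchars($_GET['q'] ?? '');\n"
    "echo \"<h1>$title</h1>\";\n"
)

# A minimal password-gated command shell: hash the submitted password,
# compare it to a hard-coded digest, then run whatever the operator sent.
SHELL_BODY = (
    "if (md5($_POST['p']) === '5f4dcc3b5aa765d61d8327deb882cf99') {\n"
    "    echo '<pre>' . shell_exec($_POST['cmd']) . '</pre>';\n"
    "}\n"
)
PLAIN_SHELL = "<?php\n" + SHELL_BODY


def wrap_layer(code: str) -> str:
    """Encode PHP code as one eval(gzinflate(base64_decode())) layer.
    PHP's gzinflate() expects raw DEFLATE, hence wbits=-15."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(code.encode()) + comp.flush()
    b64 = base64.b64encode(raw).decode()
    return f"eval(gzinflate(base64_decode('{b64}')));"


# Same shell, hidden under two encoding layers, as an obfuscator would leave it.
OBFUSCATED_SHELL = "<?php " + wrap_layer(wrap_layer(SHELL_BODY)) + " ?>"

# --- Scanner ---------------------------------------------------------------

LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)

# Generic web-shell traits (an assumption for this example, not a PAS signature).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "exec": re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
    "decode": re.compile(r"\b(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("),
    "auth_gate": re.compile(r"\b(md5|sha1|crc32)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "input_to_exec": re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
}


def unwrap(src: str, max_depth: int = 10) -> tuple[str, int]:
    """Statically peel eval(gzinflate(base64_decode())) layers.
    Returns the innermost code reached and how many layers were removed."""
    depth = 0
    while depth < max_depth:
        m = LAYER.search(src)
        if not m:
            break
        try:
            inner = zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # bad base64 or not DEFLATE: not a real layer, keep what we have
        src = src[: m.start()] + inner + src[m.end():]
        depth += 1
    return src, depth


@dataclass
class Finding:
    name: str
    layers: int
    hits: list[str]

    @property
    def score(self) -> int:
        # Each indicator counts once; every obfuscation layer adds weight too.
        return len(self.hits) + self.layers


def scan(name: str, src: str) -> Finding:
    body, layers = unwrap(src)
    # Check both the file as written and the de-obfuscated body, so the
    # wrapper's own eval/decode calls still count against it.
    hits = [k for k, rx in INDICATORS.items() if rx.search(src) or rx.search(body)]
    return Finding(name, layers, hits)


def scan_all() -> dict[str, Finding]:
    samples = {"clean": CLEAN_PHP, "plain": PLAIN_SHELL, "obfuscated": OBFUSCATED_SHELL}
    return {n: scan(n, s) for n, s in samples.items()}


if __name__ == "__main__":
    for f in scan_all().values():
        print(f"{f.name:<11} layers={f.layers} score={f.score} hits={f.hits}")
```

Running it scores the clean page at zero, the plain shell at three indicators, and the double-wrapped shell at all five indicators plus two layers. The unwrapping is deliberately static (no PHP is executed); a real-world scanner would also handle other wrappers (str_rot13, gzuncompress, variable-named functions) and would treat a heavy base64 blob by itself as suspicious.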
Related article: A prediction of election chaos prior to 2016 presidential vote
In the days after the election, but before the inauguration, the Obama administration accused Russia of hacking the election and offered a few crumbs of digital forensic evidence in a joint DHS/FBI analysis report. Chief among them: a malware sample that turned out to be the PAS web shell. Profexer made the tool.
Hacker comes forward
Profexer didn’t do the hacking, but the report’s release scared him. Soon after, the Times now reports, he got very cold feet and turned himself in to Ukrainian authorities for a chat. Because writing software generally isn’t a crime, he was not charged with anything. The Times quotes Ukrainian officials as saying he is, instead, a cooperating witness, a very rare human being from the underground appearing in flesh and blood, apparently offering to help the FBI chase down other hackers. Perhaps, helping chase down the Russians who did the hacking.
Several things muddy the waters here. An analysis published by Wordfence does confirm that the sample released with the U.S. report is Profexer’s code. But, oddly enough, it was an old, outdated version of his software, one that had been freely available from any number of places and was fairly widely used. So by itself, use of PAS means almost nothing about who the operator was. Whoever hacked the election could have downloaded it from anywhere.
Coding for cash
Still, the Times points out that Profexer did work for hire, too—he wrote special versions of his tool for money. And in another political hacking incident involving Ukraine, authorities found digital fingerprints of Profexer’s code. Clearly, he must know interesting people. Perhaps Russians.
Once again, we are back to the problem of attribution in cyber attacks. Nation-states often don’t cyber attack each other directly. There’s no need. There are so many other ways to do it. Cyber armies are outsourced to give plausible deniability. Were the Russians looking to hack a U.S. election, they wouldn’t need to assign the task to a cyber army. They could hire freelance hackers to do it. Better yet, lone actors might do some of the work on their own, out of patriotism, with a wink and a nod from authorities. And you can imagine a murky continuum between those two things.
Also quite possible: A freelance hacker could be hired without any idea who was paying him or her. Profexer could have been commissioned to write code for the Russians—or for that matter, any country—and have no idea who was signing the check.
Many question marks remain
It is a very big deal that this hacker is talking to authorities. One imagines his Rolodex is fascinating. But as with all spook stories, it’s important to remember what is known and what is a guess. As Wordfence put it, we know the U.S. government says old code was used to hack the election, and we know government officials say the person who wrote that code is now cooperating with authorities. That’s about it.
It’s also important to note that, with rare exceptions, we learn such things only when someone wants us to know for a reason. Why are authorities confirming Profexer’s cooperation now? Perhaps they are turning up the heat on those who paid him. Perhaps they are close to a break in the case. Or perhaps they are throwing a Hail Mary pass.
Let’s hope Profexer has plenty of time to tell his stories.
More stories related to election tampering:
Trying to prove Kremlin role in U.S. election hacking will be difficult, frustrating
To maintain democracy, digital election networks must be improved
Did Macron hack the hackers, foiling Russian influence on French election?