
FBI has its first ‘living witness’ in Russian hacking investigation

Kiev’s main thoroughfare. Ukraine has been used for years by Russia as a testing ground for politicised cyber operations that later cropped up in other countries. Photograph: Brendan Hoffman/New York Times

Most of this is highly contentious, the conclusions are all highly fluid.

Apparently, Russia hired a Ukrainian hacker, witting or unwitting, to write a program enabling Russian intelligence services to hack into certain systems. 

Apparently is the key word. It will depend on the testimony of ‘Profexer’, the Ukrainian hacker. 

Apparently, Russia chooses to hire Ukrainians, to form a cover story where Ukraine becomes the patsy, blamed for what Russia is doing. This same methodology has been repeated, often.  

The entire case is dependent on human testimony. Until now no hacker has been willing to become the target of a Russian intelligence operation, risk being assassinated, and reveal the inner workings of Russian official, semi-official, and other hacking operations, criminal, state-sponsored, and otherwise. Russia has worked this advantage at every opportunity, so any article, any case, any investigation gets the same result: ‘no evidence’ or ‘not enough evidence’.

There are a ton of circumstantial cases that can be built against Russia. This may be the first to have tangible results. We have a witness.  

Now let’s watch to see if he ‘accidentally’ ingests some Polonium.

</end editorial>

Ukrainian malware expert turned himself in early this year and is ‘co-operating with authorities’

The hacker, known only by his online alias “Profexer”, kept a low profile. He wrote computer code alone in an apartment and quietly sold his handiwork on the anonymous portion of the internet known as the dark web. Last winter, he suddenly went dark entirely.

Profexer’s posts, already accessible only to a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January – just days after US intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States. US intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.

But while Profexer’s online persona vanished, a flesh-and-blood person has emerged: a fearful man who Ukrainian police said turned himself in early this year and has now become a witness for the FBI. “I don’t know what will happen,” he wrote in one of his last messages posted on a restricted-access website before going to the police. “It won’t be pleasant. But I’m still alive.”

It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the hacking of the US presidential election and the heated debate it has stirred. Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested.

There is no evidence that Profexer worked, at least knowingly, for Russia’s intelligence services, but his malware apparently did. That a hacking operation that Washington is convinced was orchestrated by Moscow would obtain malware from a source in Ukraine – perhaps the Kremlin’s most bitter enemy – sheds considerable light on the Russian security services’ modus operandi in what Western intelligence agencies say is their clandestine cyberwar against the US and Europe.

It does not suggest a compact team of government employees who write all their own code and carry out attacks during office hours in Moscow or St Petersburg, but rather a far looser enterprise that draws on talent and hacking tools wherever they can be found.

Also emerging from Ukraine is a sharper picture of what the US believes is a Russian government hacking group known as Advanced Persistent Threat 28 or Fancy Bear. It is this group, which US intelligence agencies believe is operated by Russian military intelligence, that has been blamed, along with a second Russian outfit known as Cozy Bear, for the DNC intrusion.

Rather than training, arming and deploying hackers to carry out a specific mission like just another military unit, Fancy Bear and its twin Cozy Bear have operated more as centres for organisation and financing; much of the hard work like coding is outsourced to private and often crime-tainted vendors.

In more than a decade of tracking suspected Russian-directed cyberattacks against a host of targets in the West and in former Soviet territories – Nato, electrical grids, research groups, journalists critical of Russia and political parties, to name a few – security services around the world have identified only a handful of people who are directly involved in either carrying out such attacks or providing the cyberweapons that were used.

This absence of reliable witnesses has left ample room for US president Donald Trump and others to raise doubts about whether Russia really was involved in the DNC hack. “There is not now and never has been a single piece of technical evidence produced that connects the malware used in the DNC attack to the GRU, FSB or any agency of the Russian government,” said Jeffrey Carr, the author of a book on cyberwarfare. The GRU is Russia’s military intelligence agency, and the FSB its federal security service.

US intelligence agencies, however, have been unequivocal in pointing a finger at Russia. Seeking a path out of this fog, cybersecurity researchers and Western law enforcement officers have turned to Ukraine, a country that Russia has used for years as a laboratory for a range of politicised operations that later cropped up elsewhere, including electoral hacking in the US.

In several instances, certain types of computer intrusions, like the use of malware to knock out crucial infrastructure or to pilfer email messages later released to tilt public opinion, occurred in Ukraine first. Only later were the same techniques used in Western Europe and the US.

So, not surprisingly, those studying cyberwar in Ukraine are now turning up clues in the investigation of the DNC break-in and related hacking, including the discovery of a rare witness.