Exit, pursued by a bear —

Ukraine malware author turns witness in Russian DNC hacking investigation

“Profexor” turns self in to Ukrainian authorities, assists FBI in DNC hack investigation.

A bear.
Enlarge / A bear.

A Ukrainian malware author who built the PAS Web shell—a PHP-based implant used to execute commands remotely on hacked systems—has turned himself in to Ukrainian authorities. He has been cooperating with the Federal Bureau of Investigation's probe into the apparent Russian hacking of the Democratic National Committee. The information provided by "Profexor" to Ukrainian investigators and the FBI reveals, in part, how hackers (who were apparently coordinated by a Russian intelligence agency) used a combination of purpose-built and community tools as part of what researchers have labeled as the threat group "APT 28," also known as "Fancy Bear."

According to a report by The New York Times' Andrew Kramer and Andrew Higgins, "Profexor" has not been charged in Ukraine, as he didn't use his remote access tool himself for malicious purposes. He did offer a version of the remote access tool for free on his member-only website, but he also built custom versions and provided training for pay. One of his customers was someone who used the tool in connection with malware connected to Fancy Bear to establish a backdoor into the DNC's network.

Ukrainian Member of Parliament Anton Gerashchenko, a former advisor to Ukraine's interior minister, told the Times that Profexor's contact with the Russians behind the DNC hack was entirely via online conversations and voice calls. Gerashchenko said that "Profexor" was paid to write a custom version of his tool without knowing what it would be used for.

The PAS Web shell was identified by the Department of Homeland Security and FBI in the Joint Analysis Report (JAR) issued in December. After his tool was identified in the report, Profexor panicked and shut down his website. Soon afterward, he contacted Ukrainian law enforcement authorities. "He told us he didn't create it to be used in the way it was," chief of the Ukrainian Cyber Police Serhiy Demediuk told the Times.

A description of the PAS backdoor in the December JAR from the FBI and DHS.
Enlarge / A description of the PAS backdoor in the December JAR from the FBI and DHS.

The use of outsourced tools and malware developed by cybercriminals and other hackers is consistent with other hacking campaigns attributed to Russia's GRU and FSB intelligence organizations. Some of the exploits used by "Fancy Bear" were apparently developed by Zorsecurity, a Russian cybersecurity firm under contract to the GRU and FSB. (Zorsecurity was sanctioned under President Barack Obama's December executive order.) Previous campaigns have used a mixture of infrastructure and tools connected to both Russian companies and cybercriminals.

Channel Ars Technica