Ukraine malware author turns witness in Russian DNC hacking investigation
A Ukrainian malware author who built the PAS Web shell—a PHP-based implant used to execute commands remotely on hacked systems—has turned himself in to Ukrainian authorities. He has been cooperating with the Federal Bureau of Investigation’s probe into the apparent Russian hacking of the Democratic National Committee. The information provided by “Profexor” to Ukrainian investigators and the FBI reveals, in part, how hackers (who were apparently coordinated by a Russian intelligence agency) used a combination of purpose-built and community tools as part of what researchers have labeled as the threat group “APT 28,” also known as “Fancy Bear.”
According to a report by The New York Times‘ Andrew Kramer and Andrew Higgins, “Profexor” has not been charged in Ukraine, as he didn’t use his remote access tool himself for malicious purposes. He did offer a version of the remote access tool for free on his member-only website, but he also built custom versions and provided training for pay. One of his customers was someone who used the tool in connection with malware connected to Fancy Bear to establish a backdoor into the DNC’s network.
Ukrainian Member of Parliament Anton Gerashchenko, a former advisor to Ukraine’s interior minister, told the Times that Profexor’s contact with the Russians behind the DNC hack was entirely via online conversations and voice calls. Gerashchenko said that “Profexor” was paid to write a custom version of his tool without knowing what it would be used for.