In all the noise of this week’s events, it would be easy to miss some dramatic news out of Kiev today. So I’ll amplify it here. A Ukrainian hacker who wrote code that might have helped hack the U.S. election — and other political events around the world — has turned FBI witness, the New York Times says.
His pseudonym is Profexer, and plenty of people are wondering about his safety right now.
Below is a brief synopsis, but you should really read the entire report.
As with all things cyber, and all things politics, it’s not as clear as one would wish. Profexer is a well-regarded Ukrainian hacker who wrote a hacker tool sometimes called PAS. It’s one of several tools a hacker might use when taking over a network; it’s essentially a base of operations installed after a successful break in. It lets a remote hacker easily open a “shell” — a prompt for executing commands — on a compromised network.
In the days after the election but before the inauguration, the Obama administration accused Russia of hacking the election and offered a few crumbs of digital forensic evidence. Chief among them: use of the PAS shell program. Profexer made the tool.
Profexer didn’t do the hacking, but the release scared him. Soon after, the Times now reports, Profexer got very cold feet, and turned himself in to Ukrainian authorities for a chat. Because making software generally isn’t a crime, he was not charged with anything. The Times quotes Ukrainian officials as saying he is instead a cooperating witness — a very rare human being from the underground appearing in flesh and blood, apparently offering to help the FBI chase down other hackers. Perhaps, helping chase down Russians who did the hacking.
Several things muddy the waters here. This analysis, published by Wordfence, does indeed show that Profexer’s code is implicated by the U.S. analysis. But, oddly enough, it was an old, outdated version of Profexer’s software. It would have been available from any number of places, and was fairly widely used. So by itself, use of PAS means almost nothing. U.S. election hackers could have downloaded it from anywhere.
Still, the Times points out that Profexer did work for hire too — he wrote special versions of his tool for money. And in another political hacking incident involving Ukraine, authorities found digital fingerprints of Profexer’s code. Clearly, he must know interesting people. Perhaps Russians.
Once again, we are back to the problem of attribution in cyber-attacks. As I pointed out before the election, with the help of election hacking expert Harri Hursti, nation states often don’t cyber-attack each other directly. There’s no need. There are so many other ways to do it. Cyber-armies are outsourced to give plausible deniability. Were the Russians looking to hack a U.S. election, they wouldn’t need to assign the task to a cyber army. They could hire freelance hackers to do it. Better yet, lone actors might do some of the work on their own, out of patriotism, with a wink and a nod from authorities. And you can imagine a murky continuum between those two things.
Also quite possible: a freelance hacker could be hired without any idea who was paying him or her. Profexer could have been commissioned to write code for the Russians — or for that matter, any country — and have no idea who was signing the check.
It is a very big deal that this hacker is talking to authorities. One imagines his Rolodex is fascinating. But as with all spook stories, it’s important to remember what is known and what is a guess. As Wordfence put it, we know the U.S. government says old code was used to hack the election, and we know government officials say the person who wrote that code is now cooperating with authorities. That’s about it.
It’s also important to note that, with rare exceptions, we only learn such things when someone wants us to know for a reason. Why are authorities confirming Profexer’s cooperation now? Perhaps they are turning up the heat on those who paid him. Perhaps they are close to a break in the case. Or perhaps they are throwing a Hail Mary pass.
Let’s hope Profexer has plenty of time to tell his stories.