“We don’t make malware for the Russian government.” This was the response of Russian hacker Alisa Esage Shevchenko to a blunt question I put to her in April 2015: do you provide any kind of digital weapon to the Russian government? Since then we’ve been in touch over encrypted mail and Twitter. Indeed, she’s been a trusted resource for all things white hat hacker related, including her input for a report on Russian exploits of critical nuclear power plant technology.
There was never any indication she was wrapped up in any shady cyberespionage work. Until yesterday, when the Obama regime banned her company, ZorSecurity (also known as Esage Lab), from doing business or entering America. Her company was accused of providing Russia’s chief intelligence agency, the GRU, with “technical research and development” in the White House’s long list of sanctions outlined yesterday in response to this year’s digital broadside on American democracy. Whilst it’s unclear just how Shevchenko’s company helped the GRU carry out the infamous hack of the Democratic National Committee (DNC) or other bodies involved in this fall’s election, if at all, the implication is there for all to see.
But Shevchenko told me she’s furious. Not only that, she believes she has been made a scapegoat in the digital feud between the U.S. and Russia, and wrongly implicated as a malefactor in one of the biggest cyberattacks in history.
The “technical research” the White House alleged she provided the GRU could include her stash of previously undisclosed and unpatched vulnerabilities, so-called zero-days. Such software bugs, accompanied by an exploit to hack them and the underlying computer, are worth upwards of $1 million, one reason why Shevchenko plies her vast technical abilities to hunt them. She was even credited by the Department of Homeland Security for helping find flaws in critical energy management software made by Schneider Electric in March 2015. She was also rewarded by the Zero Day Initiative (ZDI), then owned by U.S. tech giant HP, for uncovering two vulnerabilities in Microsoft products in 2014, solely so they could be fixed by the software developer. Her work’s been featured in noted security industry publications too, in particular Virus Bulletin.
But Shevchenko, who claimed ZorSecurity is now defunct, is simply baffled at seeing her company’s name on the White House list, refuting any claims she ever did business with the Russian government. She had no clue that she was on the list until the media enquiries started pouring in over the last 24 hours.
“I’m just trying not to freak out,” she told me over email. “My company never worked with the government. It never had the necessary licenses to do so in the first place. And I personally tried to stay as far away as possible from anything remotely suspicious, as I’m naturally a cosmopolitan person, and an introverted single woman. I wouldn’t want any job that would put me in danger or restrictions.”
Talking about the defunct state of the company, she added: “This is fixed in the public registry, and should be well known to any foreign intelligence that bothered to do any research.”
“A nonexistent company of a single downshifter girl connected to hacking the elections? This is ridiculous,” she continued.
“It seems that someone is trying to turn me into a scapegoat in the US-Russia cyber war. It is easy to target small, independent entities that don’t have any power behind them to fight back. As a covert threat to their adversary and a scare for citizens. This is sick.”
But there are some indications Shevchenko has previously worked with government. One Russian hacker who claimed knowledge of Esage Lab’s business, and who asked to remain anonymous, said the company sold software exploits and hacking tools, and had worked with the Russian government. “Esage do exploits and offensive software,” said the well-connected Moscow source. “Esage worked with government customers … but I’m really not sure if they related to the DNC hack.”
A previous profile on Shevchenko, in which she presented something of a dark mystique, pointed to government contracts. The feature, which appeared in FORBES Russia (a publication that licences the FORBES name and is not associated with the U.S. editorial agency in any other way) and was accompanied by images of the hacker clad in black leather like a Girl In the Dragon Tattoo anti-heroine, claimed her company did business with both Russia’s Ministry of Defense and Federal Security Service. Again, Shevchenko denied any work with Kremlin agencies.
Looks like I’ve accidentally exploited an Arbitrary Legs Injection vulnerability 0day in paperback FORBES.ru. Hi mom pic.twitter.com/kCTncwcVxT
— Alisa ☀ (@badd1e) November 28, 2014
In 2015, she explained to me ZorSecurity helped customers “harden their network infrastructure by exposing them to regular/continuous targeted attacks performed by a controlled team.” “We also work with the Russian defensive military (the ones behind CERTs) to receive the most recent/unpublished intelligence about Russian hacker gangs and the real targeted attacks scenarios, to train the customers against these,” she said. Today, she reiterated that was the company’s business, not offensive espionage on the behalf of the Kremlin.
ZorSecurity also created a “post-exploitation platform” called Malwas. The tool allowed hackers quicker ways around a network once they’d breached the defenses like anti-virus or firewalls. Online documentation indicated it was only “for penetration testers”, who take on the role of a mock attacker so when the real deal comes along the company network is better prepared. Similar tools abound across the web. Boston-based Rapid7, for instance, produces the hugely successful Metasploit platform, which contains a post-exploitation feature set. Spies can use the tools for offensive missions if they wish, though they’re traditionally used for defensive means.
Outwardly then, Shevchenko does the quotidian work of any information security professional. There’s little to distinguish Shevchenko’s work from that of the everyman white hat hacker. Many researchers in the U.S. sell their exploits to their government, including spy agencies (though it’s work that’s not without controversy, as the software they expose goes unfixed for the wider userbase). Indeed, there’s no evidence so far pointing to ZorSecurity’s involvement in the DNC hack, or the hit on the Democratic Congressional Campaign Committee, both said by U.S. security companies to have been perpetrated by a Russian group called Fancy Bear, or APT28. There’s only the indication the company has supported the GRU in brief, vague White House releases. An enquiry to the Department of Justice seeking clarity went unreturned.
‘An unjustified punishment’
Others are similarly confused by the inclusion of ZorSecurity on the sanction list. The anonymous Moscow source told me the list of organizations named in the sanctions – which also included the St. Petersburg-based Special Technology Center and the Autonomous Noncommercial Organization’s Professional Association of Designers of Data Processing Systems – did “not look professional at all.” “It looks like the U.S. government does not know who is behind this DNC thing,” they added.
Meanwhile, experts have noted other weaknesses in the U.S. response, in particular in the brief technical report released yesterday by the Department of Homeland Security (DHS) and the FBI. The agencies outlined the hacker techniques of “Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election.”
But Rob Lee, a former U.S. cyber intelligence officer, noted “the finer details are confusing.” “Some relate to the APT28 and APT29 campaigns mentioned for the DNC hack but there are lots of other indicators of random Russian based intrusions and campaigns… The data set is not even majorly focused on the election,” he said.
“More troubling is that the report from the FBI-DHS looks rushed and as if too many non-technical people were involved in the review. As an example, in the campaign names for RIS activity they not only list campaign names like APT28 but also malware names like BlackEnergy v3 and HAVEX and classification of capabilities such as Powershell Backdoor. What they’ve in essence done is say that these are the names we know RIS by and then reported out things that aren’t names of groups at all. It’s an odd mixing and ultimately would be a rookie move in the private sector.”
But Lee, who now heads up consultancy Dragos Security, said the sanctions represented “a very strong response.” The other sanctioned organizations included the GRU, four of its senior staff and the Federal Security Service, whilst 35 Russian government officials from the Russian Embassy in Washington and the Russian Consulate in San Francisco have been asked to leave the country. And Russians will no longer be allowed access to two Kremlin-owned facilities, one in Maryland, the other in New York.
“It felt like an appropriate response that multiple government organizations coordinated to send a loud message. I also think it was not too strong in a way that would encourage unpredictable consequences,” Lee added.
Russia’s reaction to the sanctions was dismissive, bordering on mockery of the Obama government. The Russian Embassy in London sent a tweet decrying the White House’s actions, calling it a “hapless” administration, accompanying the message with the image of a duck carrying the word “lame.”
Earlier in the week, Russian Foreign Ministry spokesperson Maria Zakharova took a similarly aggressive tone. “We are tired of lies about Russian hackers that continue to be spread in the United States from the very top… We can only add that if Washington takes new hostile steps, it will receive an answer,” she said. “This applies to any actions against Russian diplomatic missions in the United States, which will immediately backfire at US diplomats in Russia.” Though the Kremlin considered plans to expel 35 diplomats in a tit-for-tat response, Putin said today that would not happen.
Donald Trump sought to downplay the rising tension yesterday, telling media: “It’s time for our country to move on to bigger and better things. Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.”
Thanks to Obama’s moves this week, the president-elect remains in a tight corner, one he’ll find hard to emerge from in his attempts to thaw relations with Putin.