Is This the Accidental Mastermind in the DNC Hack?

Алиса Шевченко / AKA Alisa Shevchenko, poses for Russian Forbes in 2014.

Photo by Vladimir Vasilchikov for Forbes


The White House’s new list of sanctioned Russians includes a young Moscow-based hacker, much to her professed surprise.

The list of characters that the White House is sanctioning for participating in the “Fancy Bear” DNC hacks reads like a casting call for a James Bond movie (the Roger Moore years.) A quick image search on the names turns up a handful of GRU officers in olive military uniforms, complete with red-piped epaulets, among others. But one company on the list stands out, and the founder, a young woman named Alisa Esage Shevchenko, is suddenly caught in the glare of a very unwanted spotlight.

The White House, along with the Treasury Department and the Department of Homeland Security, singled out Shevchenko’s company, Zorsecurity (a.k.a. Esage Lab), for providing the GRU with “technical research and development.”

Shevchenko denies the accusations. Speaking to Forbes writer Thomas Fox-Brewster, she called them “sick.” On Twitter, Shevchenko claimed that the company went out of business more than a year ago.

Zorsecurity’s site is now blank, though at post time plenty of live HTML remained on the home page. Among other things, it advertises the company’s mission: “to protect Russian companies from professional computer attacks.” That’s the same mission the site listed on April 3, 2015, when the site was archived.

The page also notes Shevchenko’s first-place finish in a “competition for the breaking of critical infrastructure, held in the framework of an international conference Positive Hack Days 2014.”

A quick search for zorsecurity.ru’s IP address leads to 159.253.20.176, a modestly designed page that serves as an anchor for more active social media accounts.

Shevchenko worked at the cyber security company Kaspersky from 2003 until 2009 before starting her own company, Esage Labs. At Kaspersky, she specialized in rootkits, according to a 2014 profile in Russian Forbes. A rootkit lets an intruder keep privileged access to a computer while hiding their presence on the machine and the network.

Esage played a role in either creating or selling a program, Malwas, that has not been publicly released. The program allows a hacker to hop from one endpoint (computer) to another in order to evade detection.

Similar endpoint hopping was one characteristic of the Russian-backed attack on the Joint Chiefs’ unclassified email system in 2015. But it’s not unique to the DNC or the Pentagon hack.

“When you typically see these large-scale attacks, where you see these large amounts of lateral movement” — jumping from one computer to another within the network — “and especially when you have relatively tightly wound network controls, a lot of the time you don’t have the command-and-control architecture to be able to go in and see the attack,” said a representative from a company that the Defense Department called in to remediate the attacks. “So the advance threat characteristics change to be more automated, a kind of pervasive deployment using common vulnerabilities and exploiting them widely.”

Importantly, the government’s forensic case for the sanctions, and the accompanying appendix, does not link Shevchenko to any particular smoking guns. It makes references to various remote-access tools (named after integers) as well as a variant of a malware program called OnionDuke. Shevchenko’s material support could have come in the form of that OnionDuke variant, or the remote-access tools, or some other zero-day or bug along the way. Or, as Shevchenko claims, the U.S. government could be making a mistake. In its lack of specificity connecting the individuals named to the actions and tools outlined, the report inadvertently pushes the reasonable reader to the lattermost conclusion.

On a background call with reporters on Thursday, one senior administration official said that the evidence should be strong enough to “stand up in court.” So far, it resembles, to a high degree, reports that have already come out publicly, and it serves as a poor indictment of anyone (at least according to many experts who have played a contributing role in the investigation). None of that changes the consensus view among private researchers and the intelligence community that Russian actors were indeed behind the DNC hack.

As for Shevchenko, Forbes’ Fox-Brewster cited unnamed sources in Moscow as saying that she likely has sold zero-days to the government.

Shevchenko has not responded to requests from Defense One or others. But her 2014 Forbes profile hinted at a somewhat nuanced moral character. At one point, she is asked about the possibility of submitting to a polygraph test.

“Hackers know how to get around it,” she said.
