Is This the Accidental Mastermind in the DNC Hack?

Алиса Шевченко / AKA Alisa Shevchenko, poses for Russian Forbes in 2014.

Photo by Vladimir Vasilchikov for Forbes

The White House’s new list of sanctioned Russians includes a young Moscow-based hacker, much to her professed surprise.

The list of characters that the White House is sanctioning for participating in the “Fancy Bear” DNC hacks reads like a casting call for a James Bond movie (the Roger Moore years). A quick image search on the names turns up, among others, a handful of GRU officers in olive military uniforms, complete with red-piped epaulets. But one company on the list stands out, and its founder, a young woman named Alisa Esage Shevchenko, is suddenly caught in the glare of a very unwanted spotlight.

The White House, along with the Treasury Department and the Department of Homeland Security, singled out Shevchenko’s company, Zorsecurity (a.k.a. Esage Lab), for providing the GRU with “technical research and development.”

Shevchenko denies the accusations. Speaking to Forbes writer Thomas Fox-Brewster, she called them “sick.” On Twitter, Shevchenko claimed that the company went out of business more than a year ago.

Zorsecurity’s site is now blank, though at post time plenty of live HTML remained on the home page. Among other things, it advertises the company’s mission: “to protect Russian companies from professional computer attacks.” That’s the same mission the site listed on April 3, 2015, when the site was archived.

The page also notes Shevchenko’s first-place finish in a “competition for the breaking of critical infrastructure, held in the framework of an international conference Positive Hack Days 2014.”

A quick search for zorsecurity.ru’s Internet Protocol address takes you to 159.253.20.176, a modestly designed page that serves as an anchor for more active social media accounts.

Shevchenko worked at the cyber security company Kaspersky from 2003 until 2009 before starting her own company, Esage Labs. At Kaspersky, she specialized in rootkits, according to a 2014 profile in Russian Forbes. A rootkit allows an attacker to retain privileged access to a computer while hiding that presence on the network.

Esage played a role in either creating or selling a program, Malwas, that has not been publicly released. The program allows a hacker to hop from computer to computer (from endpoint to endpoint) to evade detection.

Similar endpoint hopping was one characteristic of the Russian-backed attack on the Joint Chiefs’ unclassified email system in 2015. But it’s not unique to the DNC or the Pentagon hack.

“When you typically see these large-scale attacks, where you see these large amounts of lateral movement” — jumping from one computer to another within the network — “and especially when you have relatively tightly wound network controls, a lot of the time you don’t have the command-and-control architecture to be able to go in and see the attack,” said a representative from a company that the Defense Department called in to remediate the attacks. “So the advanced threat characteristics change to be more automated, a kind of pervasive deployment using common vulnerabilities and exploiting them widely.”

Importantly, the government’s forensic case for the sanctions, and the accompanying appendix, does not link Shevchenko to any particular smoking gun. It makes references to various remote-access tools (named after integers) as well as a variant of a malware program called OnionDuke. Shevchenko’s material support could have come in the form of that OnionDuke variant, or the remote-access tools, or some other zero-day or bug along the way. Or, as Shevchenko claims, the U.S. government could be making a mistake. In its lack of specificity connecting the individuals named to the actions and tools outlined, the report inadvertently pushes the reasonable reader toward the last of these conclusions.

On a background call with reporters on Thursday, one senior administration official said that the evidence should be strong enough to “stand up in court.” So far, it resembles, to a high degree, reports that have already come out publicly, and it serves as a poor indictment of anyone (at least according to many experts who have played a contributing role in the investigation). None of that changes the consensus view among private researchers and the intelligence community that Russian actors were indeed behind the DNC hack.

As for Shevchenko, Forbes’ Brewster cited unnamed sources in Moscow as saying that she likely has sold zero-days to the government.

Shevchenko has not responded to requests from Defense One or others. But her 2014 Forbes profile hinted at a somewhat nuanced moral character. At one point, she is asked about the possibility of submitting to a polygraph test.

“Hackers know how to get around it,” she said.
