Is This the Accidental Mastermind in the DNC Hack?

The list of characters that the White House is sanctioning for participating in the “Fancy Bear” DNC hacks reads like a casting call for a James Bond movie (the Roger Moore years.) A quick image search on the names turns up a handful of GRU officers in olive military uniforms, complete with red-piped epaulets, among others. But one company on the list stands out, and the founder, a young woman named Alisa Esage Shevchenko, is suddenly caught in the glare of a very unwanted spotlight.

The White House, along with the Treasury Department and the Department of Homeland Security singled out Shevchenko’s company, Zorsecurity (a.k.a. Esage Lab), for providing the GRU with “technical research and development.”

Shevchenko denies the accusations. Speaking to Forbes writer Thomas Fox-Brewster, she called them “sick.” On Twitter, Shevchenko claimed that the company went out of business more than a year ago.

Zorsecurity’s site is now blank, though at post time plenty of live HTML remained on the home page. Among other things, it advertises the company’s mission: “to protect Russian companies from professional computer attacks.” That’s the same mission the site listed on April 3, 2015, when the site was archived.

The page also notes Shevchenko’s first-place finish in a “competition for the breaking of critical infrastructure, held in the framework of an international conference Positive Hack Days 2014.”

A quick search for zorsecurity.ru’s Internet protocol number takes you to 159.253.20.176, a modestly designed page that serves as an anchor for more active social media accounts.

Shevchenko worked at cyber security company Kaspersky from 2003 until 2009 before starting her own company called Esage Labs. At Kaspersky, she specialized in rootkits, according to a 2014 profile in Russian Forbes. A rootkit allows users to gain privileged access to a computer while hiding their presence on the network.

Esage played a role in either creating or selling a program, Malwas, that has not been publicly released. The program allows a hacker to hop from computer to computer (or endpoints) to evade detection.

Similar endpoint hopping was one characteristic of the Russian-backed attack on the Joint Chief’s non-classified email system in 2015. But it’s not unique to the DNC or the Pentagon hack.

“When you typically see these large-scale attacks, where you see these large amounts of lateral movement” — jumping from one computer to another within the network — “and especially when you have relatively tightly wound network controls, a lot of the time you don’t have the command-and-control architecture to be able to go in and see the attack,” said a representative from a company that the Defense Department called in to remediate the attacks. “So the advance threat characteristics change to be more automated, a kind of pervasive deployment using common vulnerabilities and exploiting them widely.”

Importantly, the government’s forensic case for the sanctions, and the accompanying appendix, does not link Shevchenko to any particular smoking guns. It makes references to various remote-access tools (named after integers) as well as a variant of a malware program called OnionDuke. Shevchenko’s material support could have come in the form of that OnionDuke variant, or the remote-access tools, or some other zero-day or bug along the way. Or, as Shevchenko claims, the U.S. government could be making a mistake. In its lack of specificity connecting the individuals named to the actions and tools outlined, the report inadvertently pushes the reasonable reader to the lattermost conclusion.

On a background call with reporters on Thursday, one senior administration official said that the evidence should be strong enough to “stand up in court.” So far, it resembles, to high degree, reports that have already come out publicly and serves as a poor indictment of anyone (at least according to many experts that have played a contributing role in the investigation.) None of that changes the consensus view among private researchers and the intelligence community, that Russian actors were indeed behind the DNC hack.

Did Russia hack the DNC? Yes. Is the DHS/FBI report good? No. Does either have anything to do with the electric utility in Vermont? Nope.

— Robert M. Lee (@RobertMLee) December 31, 2016

As for Shevchenko, Forbes’ Brewster cited unnamed sources in Moscow as saying that she likely has sold zero-days to the government.

Shevchenko has not responded to requests from Defense One or others. But her 2014 Forbes profile hinted at a somewhat nuanced moral character. At one point, she is asked about the possibility of submitting to a polygraph test.

"Hackers know how to get around it,” she said.