Did a Ukrainian University Student Create Grizzly Steppe?
by Petri Krohn

These ПолтНТУ students have nothing to do with the DNC hack or the tool used in it.
1) U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe or “PAS tool PHP web kit”. They have published a YARA signature file that allows anyone to identify it.
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

The YARA signature file as published by DHS.
2) Security company Wordefence says Grizzly Steppe is actually P.A.S. web shell, a common malware tool on WordPress sites. They have identified its origin to an Ukrainian download site Profexer.name
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/

The download page at profexer.name as seen by Wordfence before the site was disabled.
3) The profexer site presents a SSL certificate that identifies it as pro-os.ru and gives an email address [email protected].
https://profexer.name

The SSL certificate presented by profexer.name when accessed over the HTTPS protocol.
4) pro-os.ru is offline with the domain registration expired, but Internet Archive has copies from April and May 2015. The photo on the page indicates that they are experts in “deadly” computer viruses.
https://web.archive.org/web/20150405005032/http://pro-os.ru/

Facebook has a cached copy of the pro-os.ru site.
The contacts given on the pro-os.ru site link to the VK account of Roman Alexeev and the email address [email protected]. The VK account has been suspended because of “suspicious activity”. (You need to be logged in to VK to see the “Author” of the application.)
https://vk.com/app4714348

The pro-os.ru site links to a VK aplication which again links to Roman Alexeev’s VK profile.
4b) The site toster.ru links the email address [email protected] to the name Roman Alexeev (Роман Алексеев).
https://toster.ru/user/aazzz (archive)
https://ibazh.com/members/roman.3232/ (archive)
5) “Roman Alexeev” advertises his skills and services as a web developer, linking to his VK account but also giving a skype account (ya.aalexeev) and an email address ([email protected]).
http://verni.com.ua/feedback/
https://freelancehunt.com/project/kopiya-sayta/141070.html
6) One of the sites where “Roman Alexeev” links to his VK account is Freelancehunt.com. His profile contains a photograph and the nick aazzz. He claims he is from Zaporizhia and 25 years old.
https://freelancehunt.com/freelancer/aazzz.html (archive)

The profile photo used by “Roman Alexeev” at the Freelancehunt site.
7) The profile photo on Freelancehunt actually belongs to Jaroslav Volodimirovich Panchenko (ПАНЧЕНКО Ярослав Володимирович), an information technology student and member of the student self-government structure of the Poltava National Technical University.
http://pntu.edu.ua/ru/diyalnist/studentske-zhittya.html

Jaroslav Volodimirovich Panchenko as he apears on the official site of ПолтНТУ.

The main building of the Poltava National Technical University ПолтНТУ
Thanks for reading...
You can help us keep doing what we do. Every little helps and is hugely appreciated.
For other ways to donate, including direct-transfer bank details click HERE.




