by Petri Krohn
1) U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe or “PAS tool PHP web kit”. They have published a YARA signature file that allows anyone to identify it.
3) Security company Wordfence says Grizzly Steppe is actually P.A.S. web shell, a common malware tool on WordPress sites. They have identified its origin as a Ukrainian download site, Profexer.name.
3) The Profexer site presents an SSL certificate that identifies it as pro-os.ru and gives an email address email@example.com.
4) pro-os.ru is offline with the domain registration expired, but the Internet Archive has copies from April and May 2015. The photo on the page indicates that they are experts in “deadly” computer viruses.
The contacts given on the pro-os.ru site link to the VK account of Roman Alexeev and the email address firstname.lastname@example.org. The VK account has been suspended because of “suspicious activity”. (You need to be logged in to VK to see the “Author” of the application.)
4b) The site toster.ru links the email address email@example.com to the name Roman Alexeev (Роман Алексеев).
5) “Roman Alexeev” advertises his skills and services as a web developer, linking to his VK account but also giving a Skype account (ya.aalexeev) and an email address (firstname.lastname@example.org).
6) One of the sites where “Roman Alexeev” links to his VK account is Freelancehunt.com. His profile contains a photograph and the nick aazzz. He claims he is from Zaporizhia and 25 years old.
7) The profile photo on Freelancehunt actually belongs to Jaroslav Volodimirovich Panchenko (ПАНЧЕНКО Ярослав Володимирович), an information technology student and member of the student self-government structure of the Poltava National Technical University.