
Did a Ukrainian University Student Create Grizzly Steppe?

by Petri Krohn

These ПолтНТУ students have nothing to do with the DNC hack or the tool used in it.

1) U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe or “PAS tool PHP web kit”. They have published a YARA signature file that allows anyone to identify it.


The YARA signature file as published by DHS.

2) Security company Wordfence says Grizzly Steppe is actually the P.A.S. web shell, a common malware tool on WordPress sites. They have traced its origin to a Ukrainian download site, Profexer.name.


The download page at profexer.name as seen by Wordfence before the site was disabled.

3) The profexer site presents an SSL certificate that identifies it as pro-os.ru and gives an email address aazzz@ro.ru.


The SSL certificate presented by profexer.name when accessed over the HTTPS protocol.
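The pivot in step 3 is a routine one: a server that presents a certificate issued to a different name leaks the operator's other identity, and the subject's emailAddress field is a second pivot point. The script below is an added example, not part of the original article, and not the author's tooling. It summarises the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns (subject CN, SubjectAltNames, any email addresses, expiry, and whether the name actually matches the host that served it). The sample certificate dict is constructed for this example: only the CN `pro-os.ru` and the address `aazzz@ro.ru` come from the article; the dates, issuer and serial are made up.

```python
"""Summarise a TLS certificate for an OSINT pivot (added example).

Works on the dict returned by ssl.SSLSocket.getpeercert(): subject CN,
SubjectAltNames, emailAddress fields, expiry, and whether the certificate
matches the host name that served it.
"""
import socket
import ssl
import time

# Constructed sample, shaped like getpeercert() output. Only the CN and the
# email address are taken from the article; everything else is invented.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "RU"),),
        (("commonName", "pro-os.ru"),),
        (("emailAddress", "aazzz@ro.ru"),),
    ),
    "issuer": ((("commonName", "pro-os.ru"),),),   # assumption: self-signed
    "notBefore": "Jun 10 12:00:00 2015 GMT",
    "notAfter": "Jun 10 12:00:00 2016 GMT",
    "serialNumber": "01",
    "version": 3,
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = hostname.split(".")
        # Refuse bare '*.tld' patterns and match only one label deep.
        return "." in rest and len(labels) > 1 and ".".join(labels[1:]) == rest
    return False


def _flatten(rdns):
    """Turn getpeercert()'s tuple-of-RDNs structure into a flat dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def summarize_cert(cert, served_host, now=None):
    """Return the fields an analyst wants when pivoting on a certificate."""
    now = time.time() if now is None else now
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    emails = {v for t, v in san if t == "email"}
    if "emailAddress" in subject:
        emails.add(subject["emailAddress"])
    # Per RFC 6125 the CN is only consulted when no DNS SANs are present.
    names = dns_names or ([subject["commonName"]] if "commonName" in subject else [])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"]) if "notAfter" in cert else None
    return {
        "common_name": subject.get("commonName"),
        "dns_names": names,
        "emails": sorted(emails),
        "self_signed": bool(issuer) and issuer == subject,
        "matches_served_host": any(_dns_match(n, served_host) for n in names),
        "expired": not_after is not None and not_after < now,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live host presents, tolerating a name mismatch.

    Hostname checking is off so a certificate issued to another name is still
    returned; the chain must still verify against the system trust store, so a
    self-signed certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(summarize_cert(SAMPLE_CERT, "profexer.name"))
```

Run against the constructed sample, the summary reports the CN `pro-os.ru`, the address `aazzz@ro.ru`, a mismatch against `profexer.name`, and an expired certificate, which is exactly the kind of inconsistency the article pivots on. The `fetch_peer_cert` helper is there for live use and is not exercised offline.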

4) pro-os.ru is offline and its domain registration has expired, but the Internet Archive has copies from April and May 2015. The photo on the page indicates that they are experts in “deadly” computer viruses.


Facebook has a cached copy of the pro-os.ru site.

The contacts given on the pro-os.ru site link to the VK account of Roman Alexeev and the email address roman@pro-os.ru. The VK account has been suspended because of “suspicious activity”. (You need to be logged in to VK to see the “Author” of the application.)


The pro-os.ru site links to a VK application which in turn links to Roman Alexeev’s VK profile.

4b) The site toster.ru links the email address aazzz@ro.ru to the name Roman Alexeev (Роман Алексеев).

https://toster.ru/user/aazzz (archive)

https://ibazh.com/members/roman.3232/ (archive)

5) “Roman Alexeev” advertises his skills and services as a web developer, linking to his VK account but also giving a skype account (ya.aalexeev) and an email address (mcmugok@yandex.ru).


6) One of the sites where “Roman Alexeev” links to his VK account is Freelancehunt.com. His profile contains a photograph and the nick aazzz. He claims he is from Zaporizhia and 25 years old.

https://freelancehunt.com/freelancer/aazzz.html (archive)

The profile photo used by "Roman Alexeev" at the Freelancehunt site.

7) The profile photo on Freelancehunt actually belongs to Jaroslav Volodimirovich Panchenko (ПАНЧЕНКО Ярослав Володимирович), an information technology student and member of the student self-government structure of the Poltava National Technical University.


Jaroslav Volodimirovich Panchenko as he appears on the official site of ПолтНТУ.

The main building of the Poltava National Technical University ПолтНТУ


  1. The New York Times reported on this story in August 2017, confirming the identity of Profexer, without actually naming him.

    In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking

    But while Profexer’s online persona vanished, a flesh-and-blood person has emerged: a fearful man who the Ukrainian police said turned himself in early this year, and has now become a witness for the F.B.I.

    Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. “He was a freelancer and now he is a valuable witness,” Mr. Gerashchenko said.

    Once again confirmation that “Fancy Bear” is not the Russian military intelligence agency GRU or any other Russian government agency. It is simply a collection of hacking tools available online on Runet, the Russian language part of the Internet and the Russian language darknet.



  5. John says

    The Ross Dell comment looks to me like spam.
    I think it should be removed.

    • Frank says

      i thought as much when I saw it and mailed him, he seems very real and passed a personal mail hack test I required of him.


  7. “The exposure (I use the term advisedly) of John Podesta as a very unethical political operative with very strong possibilities of also being a pedophile, resulted from a single phishing expedition by a single hacker who social engineered Podesta into changing his Google email password through an intermediate site that then was able to steal all of Podesta’s email. This hacker is in jail in the US and it is almost certain that he is collaborating with a US intelligence service, not the Russians.” Firstly, This comes from Axis Of Logic, which is included in Off Guardian’s list of links.

    In regard to the Podesta and Clinton email ‘leaks’, there was NO HACK BY RUSSIANS!!! Someone here wrote ‘some’ of those emails were hacks, without qualification. That leaves the impression that Russia did do ‘some’ hacking here. That would be a wrong impression.

    The one hacker who phished John Podesta and now sits in a US jail almost certainly had nothing to do with Russia. If someone wants to suggest that that’s not so, he (or…) should provide evidence. Please see “The Russians Did Not “Hack” the US Election – A Few Facts from a Former CIA Spy” by Robert David Steele (http://bit.ly/2j2qqlN)

  8. Meanwhile, over at DNC HQ:

    ” … so, Marcie’s like, really? And John’s like, well, okay, but … ”
    “Yeah, DNC.”
    “This is the FBI. Your server’s been compromised.”
    “Oh, okay, thanks.”
    “So, yeah, and then Hillary’s like, well, John, it doesn’t matter about … ”
    “Yeah, DNC.”
    “This is the FBI again. You really need to look at your security.”
    “Yeah, right, we’re all over it, bye.”
    “Yeah, so … where was I?”

    So it goes in the smaller, more spiderwebbed corridors of power.

  9. If email is not encrypted there are many ways in which it could fall into unintended hands. This question “who did the hack?” is the wrong question. Firstly some of the so called “hacks” were actually “leaks”. Secondly, if there is unencrypted data around, then the situation is more like a rabble of predators grouping round a dead carcass. There will be no orderly queue, no single “guilty” one, and little in the way of an audit trail. Amongst that rabble, you may well find stereotype teenage hackers, alongside GCHQ, NSA and other alphabets, domestic and foreign – acting for fun, for the civic good, for money, and/or for more nefarious motivations. I’m no expert – but common sense tells me that much.

  10. Hillary Clinton is caught selling access to her top secret State Department emails to foreigners for a donation to the Clinton Global Initiative slush fund, and all the MSM can blab about is some phony Russian hack story?

    The REAL story is Clinton’s treasonous activity, but let’s not talk about that, it’s too awful to consider. The MSM could also do a story on the CGI slush fund, in that it uses 90% of the donations for ‘expenses,’ travel, bonuses, etc, meaning it’s breaking the law, but again, let’s not look into that.

    • BigB says

      You’re absolutely right, the real story is in the content – “there’s a map and it seems p-zza related” – but again, let’s not look into that either!

  11. profecto says

    It was a LEAK, NOT a hack. BIG difference.

  12. The information in this article doesn’t really help in identifying the hacker. Anybody using a remote device can hack into a networked system even on a protected server and many “hackers” for want of a snooper’s alternative description can intercept and redirect downloads to another remote device. Since Killary was using a private server it would have been easy peasy to infiltrate puny malware detectors without anyone – including cum laude IT geniuses, ever being able to prove where the hack came from – only the device which could just as easily have been hijacked for a short while.
    This whole pathetic excuse from the DNC hack to Russian hacking to influence the US presidency is just a circus and a sorry assed joke on the American people and the ones trying to pull the wool over their eyes are the very ones who know the truth. Specifically because they spend $billions of dollars (which are then “unaccounted for” or lost, misplaced) poking their noses into every state -national or International, doing exactly what they are so hypocritically accusing others of doing. The UK is no different, our government has introduced their very own state sponsored hacking programme , we call it the snoopers charter. It’s just as illegal as hacking but there is no accountability because it is the government that is doing the hacking and intercepting of data. Nice one.

  13. I personally think it was the stuxworm, you know, the cyber warfare device invented and used by the US with the help of Israel against Iran years ago. This was actually the first shot fired in what then became cyberwars. The US started the whole thing!

    • Emanuel Goldstein says

      Citizen, it appears your news retention circuits are defective and have created unnews. Please report immediately to your nearest reprogramming center to have this dangerous defect terminated.

  14. John says

    It should equally be noted that the East India Company was wound-up effectively after the events of the 1857-1859 Indian Mutiny and replaced by direct rule by The Crown.
    Eventually – after 1947 – India gained independence.
    No “empire” or colonial regime lasts for ever.
    Israelis should note that.

    • John says

      This comment was meant for another page. Please ignore.

      • John says

        The British and French Empires had nukes – their empires are gone.
        The Soviet Union had nukes – their empire is gone.
        The US has nukes – their empire is declining.
        What makes you think Israel is so special?

    • Or it may be a case of geopolitical “blame domino:” America blames the Russians; the Russians blame the Ukrops. Next up, the Ukrops will blame the Moskals, and obviously, the blame will at that point redound back up the line, only to come back down again.

      Yup. We never quite outgrow our childhood, do we . . .

  15. It’s obvious that the U.S. government should just contract out its intelligence service functions to Russian student, amateur and freelance programmers. They do a hell of a lot better work than the C.I.A., the F.B.I. and the rest of the American alphabet soup security agencies. Someone should forward this piece of work to the Donald. If the security agencies thought they might be in for a little reorganization, this would pretty well clinch it, in my opinion.

    Disclaimer: this comment is for entertainment purposes only, or rather, in the time it took me to write it, I had nothing better to do, and I know absolutely nothing about viruses or programming, so that the details of this article are for the time being a bit beyond my ken. I look forward to, then, having it clarified in terms of its significance by a cognoscente of viral coding and its dissemination. if such a person decides to comment in this thread.

  16. John says

    Is this where some of the US $ 5 billion spent by Victoria Kagan (nee Nuland) went to?

  17. So what are we looking at here then? This is the chap that hacked the dnc and passed info to wiki?

    • Admin says

      Not exactly no. The malware tool which the DHS claims was used to allegedly hack the DNC can apparently be traced to someone who uses this Ukrainian student’s avatar.

      Let’s remember there’s as yet no hard evidence the malware had anything to do with the alleged hacking, or indeed to show there even was such a hack. It’s currently just unsubstantiated and vague claims of the kind we usually see when security services are being pressured to say things they can’t prove or know to be untrue. The malware in question is ubiquitous, and for the US media to claim it’s proof of the nationality of the alleged hackers makes as much sense as saying we know a person is Italian because he wears Armani suits.

      • “The malware in question is ubiquitous . . .

        Exactly. Therefore it has long ago been neutralized by anti-viral countermeasures.

        • John says

          Unless devices being used are not protected, which may explain why the US intelligence agencies were annoyed by Hillary using a private server network?
          If she had personal and public data on her devices, this would presumably simplify hacking of the DNC central IT system?
          If US agencies want to take up the matter of rendering vulnerable their IT systems, perhaps they should consider prosecuting Mrs Clinton.
          What’s that?
          They already did – and decided not to prosecute her after Bill spent half an hour in a private jet with a senior Justice official?
          Well – who’d a’ thought it?
