Viktor Zhora - Cyber and Geopolitics: Ukrainian factor

OWASP Kyiv
Sep. 11, 2017


  1. Cyber and Geopolitics: Ukrainian factor Victor Zhora UISG, Member of Board

  2. Agenda • Election hack – Cyberberkut – First messages – Versions • DNC Hack – Circumstances – Results • Press and follow-up

  3. Election hack, 22-25/05/2014 Phases • “Elections” System destruction/disruption • Displaying of fake election results • DDoS attack on CEC website

  4. Cyberberkut, 23/05/2014

  5. Nalyvaichenko, 23/05/2014 • “Yesterday, an infected program was destroyed. On May 25, the virus had to destroy the election results. The virus has been eliminated, the software has been replaced.”

  6. CERT-UA

  7. Versions • Malware (Uroboros, Sofacy ???) • Insider • Cisco 0-day • Web shell • SOESoftware

  8. Version #1: Sofacy

  9. Version #1: Sofacy • Nikolay Koval: “The technical aspects of this hack also tell us something very important: the hackers were professionals. Beyond disabling the site and successfully displaying incorrect election results, CERT-UA discovered advanced cyber espionage malware on the CEC network (Sofacy/APT28/Sednit).” • My question: which one? Sofacy, X-agent…?

  10. Version #2: Cisco 0-day • Cyberberkut: “We hacked CEC network via 0-day vulnerability in Cisco ASA”

  11. Version #3: Web shell, SOESoftware • A web shell was probably used to place the Yarosh picture and to change content according to circumstances • Web server logs show only several connections; the shell wasn’t widely used • Persistent access had been arranged long before the elections

  12. Yarosh picture

  13. Yarosh picture • Nikolay Koval: “On 25 May – election day – 12 minutes before the polls closed (19:48 EET), the attackers posted on the CEC website a picture of Ukrainian Right Sector leader Dmitry Yarosh, incorrectly claiming that he had won the election. This image was immediately shown on Russian TV channels.”

  14. WSJ, 09/11/2015 • Margaret Coker, Paul Sonne

  15. US Media

  16. 2016 Democratic National Committee email leak, 22/07/2016 • 19,252 emails and 8,034 attachments leaked to and subsequently published by WikiLeaks • Idea of leaked emails: sabotage Bernie Sanders’ election campaign • 08/11/2016 – Election Day • 09/12/2016 – the CIA stated that the US Intelligence Community concluded Russia conducted operations during the 2016 U.S. election to prevent Hillary Clinton from winning the presidency

  17. DNC Hack • “Guccifer 2.0” (Romanian???) claimed to be the source of the leaks • CrowdStrike, Fidelis Cybersecurity, Mandiant, SecureWorks, and ThreatConnect, and the editor for Ars Technica, stated the leak was part of a series of cyberattacks on the DNC committed by two Russian intelligence groups

  18. DNC Hack • 06/10/2016, Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security – “The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts”

  19. DNC Hack • 06/10/2016, Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security – “These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities”

  20. DNC Hack • 06/10/2016, Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security – “The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process”

  21. DNC Hack • 14/10/2016, Joe Biden, NBC News – “…the U.S. would respond to these attacks at the time of our choosing, and under the circumstances that have the greatest impact.”

  22. Time, 07/11/2016 • Simon Shuster

  23. Time, 07/11/2016 • Idea #1: UCA appears as an independent player • Idea #2: linking UCA activity to foreign intelligence, presumably US

  24. New York Times, 16/08/2017 • Andrew A. Kramer, Andrew Higgins

  25. New York Times, 16/08/2017 • Idea #1: “Profexer”, the Ukrainian hacker, developed malware (P.A.S. web shell) used in the DNC Hack • Idea #2: linking Ukrainian hackers to Fancy Bear/Cosy Bear • “The mirror of the hard drive (from CVK – VZ) went to the F.B.I., which had this forensic sample when the cybersecurity company CrowdStrike identified the same malware two years later, on the D.N.C. servers”

  26. The Washington Times, 21/08/2017 • Dan Boylan, DNC hack theories considered extreme and fringe now entering mainstream – Idea: not a hack, but a leak by the insider – Ray McGovern, CIA veteran “There is clear evidence that some of the DNC emails given to WikiLeaks contained superimposed Russian language formatting. Essentially, they were synthetically tainted with Russian fingerprints”

  27. Crowdstrike, 22/12/2016 • “In late June and August 2016, CrowdStrike Intelligence provided initial reporting and technical analysis of a variant of the FANCY BEAR implant X-Agent that targeted the Android mobile platform. CrowdStrike identified this X-Agent variant within a legitimate Android application named Попр-Д30.apk”

  28. Goal #1: We’re under attack!!!

  29. Goal #2: You’re in danger too!

  30. Goal #3: Invest in Ukraine!

  31. To be continued… • Wired, Andy Greenberg, 06/09/2017