The U.S. sanctioned a couple of well-known crooks and handful of Russian government intelligence officers Thursday in retaliation for the Russian government’s interference in America’s elections and diplomacy.
Barely noticed on the sanctions list was the young, relatively-unknown female hacker whose company the U.S. said helped the GRU with “technical research and development” to penetrate the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta in 2015 and 2016.
“She’s the only interesting one on the list. The rest of them are well known,” a cybersecurity researcher intimately familiar with the Russian hacking scene told The Daily Beast.
ZOR Security’s founder Alisa Shevchenko denies the allegations and maintains that her company’s inclusion was just a big mistake.
“What really happened: anonymous clerk at U.S. treasury googled the internet for ‘cyber’ while intel analysts were on their Christmas vacation,” Alisa Shevchenko tweeted on Friday. “Another version: a naughty Santa, deep in the Christmas night, hacked into Obama’s computer and put some random Russian names in his papers.”
If that’s the case—and the U.S. government has supplied no evidence to back up the allegation of ZOR’s involvement—it could raise serious questions about the Obama administration’s retaliatory measures for the election-related hacks. The White House, Treasury Department, State Department, and CIA did not respond to requests to provide further detailing why ZOR was selected for sanctioning.
Shevchenko is a self-anointed “self-taught offensive security researcher.” That’s a relative rarity in a field in which most people describe themselves as network defenders. She learned to code at 15 but was more drawn to hacking than programming, according to a 2014 profile of the businesswoman in Forbes Russia. Shevchenko dropped out of school and wound up working for five years as a virus analytics expert for Kaspersky labs instead. In 2009, she founded her own company, then known as Esage labs, and later as ZOR Security. (The acronym, in Russian, stands for “Digital Weapons and Defense.”) A self-described “offensive security researcher,” she focuses on finding vulnerabilities rather than fixing ones exposed by other hackers.
The company initially handled crisis response for companies like Russian banks, according to Forbes Russia. In one of her early jobs, she helped a bank figure out how hundreds of fake debit cards were withdrawing thousands of dollars from accounts. And she also tested an antivirus software for her former employer, Kaspersky Labs—a company which itself has strong ties to Russia’s security services.
But while the business of responding to security breaches paid well, the work wasn’t steady. She instead turned to her specialty: hacking companies to inform them of weaknesses in their own security systems. Shevchenko’s specialty and passion, according to Forbes Russia, is defense against Rootkits, or software that lets a person gain unauthorized control of a computer. Her company stopped taking one-off jobs, instead relying on lucrative contracts for penetration tests. The profile said she was courting an increasingly international clientele.
Along the way, she established a bit of a reputation for herself in cybersecurity circles. The U.S. government even credited her with finding a software vulnerability or two.
The cybersecurity researcher called it “not the most brilliant of the most brilliant, but respectable research. [It] show[s] a knowledge of the concepts of exploit development.”
Sometime along the way, ZOR Security shut down, according to Shevchenko. She told a Forbes reporter on Friday that her company had never been involved in any of the actions it’s accused of by the U.S. Its now-defunct website said, in Russian, that its mission was to “protect Russian companies from the professional computer attacks.”
“Dear journalists, please forgive me my silence. I am really trying to make any sense of it,” Shevchenko tweeted. “how my little simple company (closed long ago at that) could possibly appear on the same list with the FSB and international terrorists.”
The FSB, or Federal Security Service, is Russia’s main security agency.
It’s not clear what Shevchenko is up to these days. Another of her projects, a hacking journal called No Bunkum, appears to not have been updated in years. A now-private Instagram account listed her location as Bangkok.
In recent years, the Kremlin has opened up its cyber warfare and intelligence operations to all sorts outside traditional government circles—independent hackers, criminals, private companies, and quasi-independent research agencies. In a sense, it’s not much different than how Washington operates. Much of the information published by the U.S. government about the DNC hacks on Thursday relied on the work of private cybersecurity companies like Crowdstrike.
"Every agency has them—these nominally private companies or research institutions,” he said. “They can build you connections [with hackers skeptical of the government],” the cybersecurity researcher said.
But that researcher added that it would be a surprise if ZOR security was directly involved in the DNC hacks. “Maybe they sold them an exploit. [But I] doubt they were involved in the operation,” the researcher said.
“What interests me is how this person and this company became chosen for any of [the sanctions],” the researcher told The Daily Beast in an email. “There are better, highly active companies in Russia that do sell vulnerabilities / exploits to the government.”
Of course, there are plenty of unknown hackers who become instantly (in)famous. But the others on the U.S. list are more notorious today. The two hackers named alongside GRU officials had already graced the FBI’s most-wanted list for years. Evgeniy Bogachev and Aleksey Belan are both accused of engaging “malicious cyber-enabled misappropriation of financial information,” though not for the Russian government but for personal financial gain.
The 29-year old Belan allegedly intruded the networks of three American e-commerce companies to steal their user databases. The FBI also says he sold the users’ names and passwords.
Bogachev, 33, made the FBI’s Most Wanted List for spreading a malicious software called Zeus on peoples’ computers, which compromised their bank accounts, passwords, and other personal information. He then allegedly used that information to steal money from his victims. A later version of the malware is believed to have stolen more than $100 million and to have infected more than a million computers.
The GRU officials on the list were less notorious. But the cybersecurity researcher told The Daily Beast that their names came no closer to attributing the attacks to the actual individuals who carried them out.
“Two reasons to make that list [of sanctioned entities]: Either they’re really stupid, since these guys are outed already. Or they don’t want to show who they know and how they know it,” the researcher said. “No one is on the list is an actor that would be responsible for the acts. The GRU chiefs might have been aware. But they were not the ones doing it.”