
misterhighwasted

(9,148 posts)
Wed Sep 28, 2016, 08:59 PM Sep 2016

A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks

Asking permission to post the article in its entirety since the linked site is subscription.
Thank you.



http://mobile.nytimes.com/2016/09/28/world/europe/russia-hacker-vladimir-fomenko-king-servers.html?smid=tw-nytimes&smtyp=cur&referer=https://t.co/kyWCQSujoz


The New York Times

A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks



Vladimir M. Fomenko in Biysk, Russia. Mr. Fomenko is the owner of King Servers, which rents server space, including to those implicated in recent hacking attempts on election systems in Arizona and Illinois.

BRENDAN HOFFMAN FOR THE NEW YORK TIMES
By ANDREW E. KRAMER
SEPTEMBER 27, 2016

… the flurry of Russian hacking of the Democratic National Committee and other political sites was obviously enjoying the moment.

“We have the information, but nobody contacted us,” said Vladimir M. Fomenko, a tattooed 26-year-old who snowboards in his free time and runs a business out of a rented apartment.

“It’s like nobody wants to sort this out,” he added with a sly grin.

Mr. Fomenko was recently identified by an American cybersecurity company, ThreatConnect, as the manager of an “information nexus” that was used by hackers suspected of working for Russian state security in cyberattacks on democratic processes in several countries, including Germany, Turkey and Ukraine, as well as the United States.

Rather than issuing blanket denials, Mr. Fomenko is apparently eager to discuss his case, lending another, if still cryptic, dimension to the intrigue, restricted before now to digital codes and online fingerprints.

Mr. Fomenko is the owner of a server rental company called King Servers used by hackers in an incursion on computerized election systems in Arizona and Illinois this year. Its other principal clients, he said, have been pornographers.

His response has been a blend of sarcasm, vague denials and an invitation to cooperate with the F.B.I., offering potentially critical evidence in the Arizona and Illinois cases, should officials reach out to him here.

“If the F.B.I. asks, we are ready to supply the I.P. addresses, the logs,” he said, referring to internet protocols, which identify a particular web page or device. “But nobody is asking. That is a big question.”

Another is just how much Mr. Fomenko knows. Attribution in cases like these is a notoriously tricky business, especially when governments route their attacks through proxy servers like his or, in many cases, outsource espionage activities to criminal groups to maintain a measure of plausible deniability.

The investigation that led here began after the hacking of the state voting systems from June until August, what cyberanalysts say could be a bold bid by a resurgent Russia to undermine Americans’ faith in their electoral process. The F.B.I. published eight internet addresses used in the attack. The bureau did not name the states, but officials in Arizona and Illinois acknowledged that their computers had been hacked.

ThreatConnect then identified six of the eight addresses as originating from servers owned by King Servers, Mr. Fomenko’s company, in Dronten, the Netherlands, and possibly elsewhere. Mr. Fomenko also owns servers in Fremont, Calif.; Garden City, N.Y.; and Moscow.

The hackers, according to ThreatConnect, had used one of the eight internet addresses to send 113 precisely targeted, so-called spear phishing emails intended to dupe election officials and politicians in Turkey, Germany and Ukraine to click on links that downloaded malware. Some emails mimicked Gmail security warnings or notes from LinkedIn, the social networking site.

The emails were sent to members of the governing Justice and Development Party in Turkey; the German Freedom Party, a fringe group; and Ukrainian members of Parliament, ThreatConnect said.

This spear phishing activity targeting the three countries was staged from one of the two addresses not originating from King Servers, while a King Servers address used Tor, the anonymity software, in the Illinois and Arizona electoral board hacks.

The security researchers said that the hackers who used Mr. Fomenko’s server as part of this broader campaign were “looking to manipulate multiple countries’ democratic processes” and that their modus operandi was “more suggestive of state-backed rather than criminally motivated activity.”

Russian officials have denied any involvement in the hacking, but in an interview this month, President Vladimir V. Putin asked Bloomberg, “Does it even matter who hacked this data?” implying that the revelations were more important than the source. “The content was given to the public,” he added.

The Democratic presidential nominee, Hillary Clinton, blamed the Russian security services for the hackings, and said that Mr. Putin “could barely muster the energy to deny” Russia’s involvement. Donald J. Trump, the Republican nominee, has played down the prospect that Russia was involved.

Ambiguity has trailed the Russian hacking story all along. Mr. Fomenko, in an interview in a bar here called Rocks, flatly denied having any ties to the hacking. Yet he sports a collarbone-to-jaw tattoo of what he described as a version of the theatrical mask that is the symbol of the hacking group Anonymous.

He denied any connection to the group, saying he simply liked the symbolism of the mask. “A person can be evil, or a person can be good, or a person can hide who they are,” he said.

The equivocation of responses by Mr. Putin and Mr. Fomenko is studied and deliberate, Kenneth Geers, a senior research scientist at Comodo, a cybersecurity firm, and a former cybersecurity officer with NATO, said in a telephone interview.

“You are not saying yes, you are not saying no, so it’s frustrating for the victim, and it’s intimidating,” he said. “You are suggesting there is more to come.”

The tattoo, though, “is something of a giveaway.”

Mr. Fomenko, raised by a single mother, studied computer science at a technical college. He said he founded King Servers in 2008 when he was 18, buying computer servers and arranging for their installation remotely in Fremont, a city he said he had never visited.

He said he had about a thousand clients, 20 percent to 30 percent of whom are pornographers. Authorities in the Netherlands, he said, have notified him on several occasions that his servers had been used for spreading malware, advertising counterfeit designer handbags and distributing child pornography; in those cases, he said, he immediately revoked the rental agreements and closed the servers.

“If the person looks young, maybe 17 or 18, you cannot tell, we shut them down,” he said. “Every company has their problems. You cannot control everything.”

Mr. Fomenko said prospective renters using the nicknames Robin Good and Dick Robin had contacted him online in May and paid through WebMoney, an online payment system, not an uncommon profile for his clients.

On Sept. 15, Mr. Fomenko issued a statement saying that he had learned belatedly from news reports of the accusation that the hacking of the Arizona and Illinois voting systems was staged from two of his servers, and that he had shut them down. Mr. Fomenko does not deny that hackers used his servers, but does deny knowing that they did until Sept. 15. He says he does not know who they are, but that they are certainly not the Russian security agencies.

“The analysis of the internal data allows King Services to confidently refute any conclusions about the involvement of the Russian special services in this attack,” he said in his statement. But then, apparently striking a sarcastic tone, he said he would send a bill to Mr. Trump and Mr. Putin for server rent left unpaid by the hackers.

He also says he has never been contacted by Russian or foreign law enforcement.

The clients, though, had left a trail through their contact with his billing page, he said. He added that he possessed the next step in the chain to bring investigators in the United States closer to the hackers, about 60 I.P. addresses used by his client — the hacker of the state electoral systems — to contact him. He said the addresses belonged to server companies in Britain, Finland, France, Italy, Norway and Sweden.

It was these addresses, he said, that he would be willing to share with the F.B.I., if “somebody wants to sort this out.”

While ambiguous about the hacking on his servers, Mr. Fomenko minced no words about American presidential politics. “In Russia, we don’t have this type of election,” he said. “It looks like little children fighting.”
A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks (Original Post) misterhighwasted Sep 2016 OP
Donald is sputtering "But but he doesn't weigh 400 lbs. Where did you get that?" . . . . nt Bernardo de La Paz Sep 2016 #1
I think Donald believes he is protected by his foreign associates. Like every mob-boss is protected. misterhighwasted Sep 2016 #2
kick Blue_Tires Sep 2016 #3
“In Russia, we don’t have this type of election,” he said. “It looks like little children fighting. Nitram Sep 2016 #4
Which brings us to the question: world wide wally Sep 2016 #5
BINGO!! My thoughts precisely on the spectacle of Trump's phony campaign misterhighwasted Sep 2016 #6

misterhighwasted

(9,148 posts)
2. I think Donald believes he is protected by his foreign associates. Like every mob-boss is protected.
Wed Sep 28, 2016, 09:20 PM
Sep 2016

Manafort, Page, etc. They all connect.

Nitram

(22,794 posts)
4. “In Russia, we don’t have this type of election,” he said. “It looks like little children fighting.
Thu Sep 29, 2016, 09:49 AM
Sep 2016

True, and it is an ugly spectacle. But at least we don't let one man take over the entire political system and reduce the legislature to a rubber stamp. At least we haven't so far...

world wide wally

(21,742 posts)
5. Which brings us to the question:
Thu Sep 29, 2016, 11:33 AM
Sep 2016

Is Trump showing what a buffoon he is because he has confidence the vote is going to be hacked by his Russian buddies and he can't lose no matter how much of an ass he is?

misterhighwasted

(9,148 posts)
6. BINGO!! My thoughts precisely on the spectacle of Trump's phony campaign
Thu Sep 29, 2016, 12:12 PM
Sep 2016

This is why they enlisted online polling trolls from across the globe to create the appearance of an even game. Because in the end, when the voter registrations have been hacked in Trump's favor, the election on Nov 8th will be without dispute.

I completely agree with you.
Add in the gerrymandering we have seen this year alone, some being reversed by the Courts, and the ability to flip votes in the voting machines as we know happened in past elections, and there is a serious manipulation of our US election from within our country as well as foreign factions.
