
A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks

Another is just how much Mr. Fomenko knows. Attribution in cases like these is a notoriously tricky business, especially when governments route their attacks through proxy servers like his or, in many cases, outsource espionage activities to criminal groups to maintain a measure of plausible deniability.

The investigation that led here began after the hacking of the state voting systems from June until August, what cyber analysts say could be a bold bid by a resurgent Russia to undermine Americans’ faith in their electoral process. The F.B.I. published eight internet addresses used in the attack. The bureau did not name the states, but officials in Arizona and Illinois acknowledged that their computers had been hacked.

ThreatConnect then identified six of the eight addresses as originating from servers owned by King Servers, Mr. Fomenko’s company, in Dronten, the Netherlands, and possibly elsewhere. Mr. Fomenko also owns servers in Fremont, Calif.; Garden City, N.Y.; and Moscow.

The hackers, according to ThreatConnect, had used one of the eight internet addresses to send 113 precisely targeted, so-called spear phishing emails intended to dupe election officials and politicians in Turkey, Germany and Ukraine to click on links that downloaded malware. Some emails mimicked Gmail security warnings or notes from LinkedIn, the social networking site.

The emails were sent to members of the governing Justice and Development Party in Turkey, the German Freedom Party and Ukrainian members of Parliament, ThreatConnect said.

This spear phishing activity targeting the three countries was staged from one of the two addresses not originating from King Servers, while a King Servers address used Tor, the anonymity software, in the Illinois and Arizona electoral board hacks.

The security researchers said that the hackers who used Mr. Fomenko’s server as part of this broader campaign were “looking to manipulate multiple countries’ democratic processes” and that their modus operandi was “more suggestive of state-backed rather than criminally motivated activity.”

Russian officials have denied any involvement in the hacking, but in an interview this month, President Vladimir V. Putin asked Bloomberg, “Does it even matter who hacked this data?” implying that the revelations were more important than the source. “The content was given to the public,” he added.

The Democratic presidential nominee, Hillary Clinton, blamed the Russian security services for the hackings, and said that Mr. Putin “could barely muster the energy to deny” Russia’s involvement. Donald J. Trump, the Republican nominee, has played down the prospect that Russia was involved.

Ambiguity has trailed the Russian hacking story all along. Mr. Fomenko, in an interview in a bar here called Rocks, flatly denied having any ties to the hacking. Yet he sports a collarbone-to-jaw tattoo of what he described as a version of the theatrical mask that is the symbol of the hacking group Anonymous.

He denied any connection to the group, saying he simply liked the symbolism of the mask. “A person can be evil, or a person can be good, or a person can hide who they are,” he said.

The equivocation of responses by Mr. Putin and Mr. Fomenko is studied and deliberate, Kenneth Geers, a senior research scientist at Comodo, a cybersecurity firm, and a former cybersecurity officer with NATO, said in a telephone interview.

“You are not saying yes, you are not saying no, so it’s frustrating for the victim, and it’s intimidating,” he said. “You are suggesting there is more to come.”

The tattoo, though, “is something of a giveaway.”

Mr. Fomenko, raised by a single mother, studied computer science at a technical college. He said he founded King Servers in 2008 when he was just 18, buying computer servers and arranging for their installation remotely in Fremont, a city he said he had never visited.

He said he had about a thousand clients, 20 percent to 30 percent of whom are pornographers. Authorities in the Netherlands, he said, have notified him on several occasions that his servers had been used for spreading malware, advertising counterfeit designer handbags and distributing child pornography; in those cases, he said, he immediately revoked the rental agreements and closed the servers.

“If the person looks young, maybe 17 or 18, you cannot tell, we shut them down,” he said. “Every company has their problems. You cannot control everything.”

Mr. Fomenko said prospective renters using the nicknames Robin Good and Dick Robin had contacted him online in May and paid through WebMoney, an online payment system, not an uncommon profile for his clients.

On Sept. 15, Mr. Fomenko issued a statement saying that he had learned belatedly from news reports of the accusation that the hacking of the Arizona and Illinois voting systems was staged from two of his servers, and that he had shut them down. Mr. Fomenko does not deny that hackers used his servers, but does deny knowing that they did until Sept. 15. He says he does not know who they are, but that they are certainly not the Russian security agencies.

“The analysis of the internal data allows King Services to confidently refute any conclusions about the involvement of the Russian special services in this attack,” he said in his statement. But then, apparently striking a sarcastic tone, he said he would send a bill to Mr. Trump and Mr. Putin for server rent left unpaid by the hackers.

He also says he has never been contacted by Russian or foreign law enforcement.

The clients, though, had left a trail through their contact with his billing page, he said. He added that he possessed the next step in the chain to bring investigators in the United States closer to the hackers, about 60 I.P. addresses used by his client — the hacker of the state electoral systems — to contact him. He said the addresses belonged to server companies in Britain, Finland, France, Italy, Norway and Sweden.

It was these addresses, he said, that he would be willing to share with the F.B.I., if “somebody wants to sort this out.”

While ambiguous about the hacking on his servers, Mr. Fomenko minced no words about American presidential politics. “In Russia, we don’t have this type of election,” he said. “It looks like little children fighting.”

NYT > Technology
