Code identified by the Department of Homeland Security and Federal Bureau of Investigation as being used by Russian intelligence services is outdated malware, developed by Ukrainians, that can be downloaded online, according to a blog post by the founder of WordFence.
WordFence is a plug-in designed to protect users of WordPress that has been downloaded over 1 million times. The report released last Thursday by the DHS and FBI, titled “Grizzly Steppe,” contains a PHP malware sample which WordFence employees analyzed.
“Our security analysts spend a lot of time analyzing PHP malware, because WordPress is powered by PHP,” WordFence founder and CEO Mark Maunder wrote in a blog post Friday. “We used the PHP malware indicator of compromise (IOC) that DHS provided to analyze the attack data that we aggregate to try to find the full malware sample.”
WordFence was able to find the name of the malware and the version. Maunder said it is a malware called “P.A.S. 3.1.0,” which was available for download on a site that is currently down.
The tech CEO wrote: “The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.”
In a series of FAQs published Monday, Maunder continued to criticize the DHS/FBI report. He said WordFence reviewed IP addresses that the DHS said were behind hacking efforts and found that they “belong to over 380 organizations and many of those organizations are well known website hosting providers from where many attacks originate. There is nothing in the IP data that points to Russia specifically.”
Much of the evidence tying Russia to hacking efforts has been criticized by cyber security experts. One link tying Russia to the leaking of Democratic National Committee emails is that documents leaked by the hacker Guccifer 2.0 were modified by a user named Felix Dzerzhinsky, the man who founded the Soviet secret police.
Cybersecurity expert Jeffrey Carr wrote in a blog post, “OK. Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker.”