The security experts behind Wordfence, the top WordPress security plugin, traced the malware mentioned in the FBI/DHS report, which claims Russia hacked our election, back to Ukraine.
Wordfence Founder/CEO Mark Maunder reports:
The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
In the screenshots he released, the maker of the malware says they’re Ukrainian.
Additionally, Maunder says the malware the USG report cites is quite outdated.
The “PAS” malware the USG cited was version 3.1.7, whereas the program is now up to version 4.1.1.
Note, “UA” is short for Ukraine.
You can read all the specifics of how they found this data on their website. It totally blows apart the idea this was some sophisticated, next level “leet Russian haxor” operation and shows the hackers actually used not-so-sophisticated malware allegedly of Ukrainian origin.