Russians hacked company key to Ukraine scandal: researchers

Jan 15, 2020 | 9:24 PM

BOSTON — A U.S. cybersecurity company says Russian military agents have successfully hacked the Ukrainian gas company at the centre of the scandal that led to President Donald Trump’s impeachment.

Russian agents launched a phishing campaign in early November to steal the login credentials of employees of Burisma Holdings, the gas company, according to Area 1 Security, a Silicon Valley company that specializes in email security.

Hunter Biden, son of former U.S. vice-president and Democratic presidential hopeful Joe Biden, previously served on Burisma’s board.

It was not clear what the hackers were looking for or may have obtained, said Area 1’s CEO, Oren Falkowitz, who called the findings “incontrovertible” and posted an eight-page report. The timing of the operation raises the possibility that Russian agents could be searching for material damaging to the Bidens or scheming to plant forged data and sow misinformation online.

The House of Representatives impeached Trump in December for abusing the power of his office by enlisting the Ukrainian government to investigate Biden, a political rival, ahead of the 2020 election. A second charge accused Trump of obstructing a congressional investigation into the matter.

“Our report doesn’t make any claims as to what the intent of the hackers were, what they might have been looking for, what they are going to do with their success. We just point out that this is a campaign that’s going on,” said Falkowitz, a former National Security Agency offensive hacker whose company’s clients include candidates for U.S. federal elected offices.

In an earlier interview, he told The Associated Press that the campaigns of top candidates for the U.S. presidency and House and Senate races in 2020 have in the past few months each been targeted by about a thousand phishing emails. Falkowitz did not name the candidates. Nor would he name any of his company’s clients.

Burisma did not immediately respond to a request for comment. A spokesman for Biden said in a statement that the incident shows that not just Trump but also Russian President Vladimir Putin “sees Joe Biden as a threat.”

Some cybersecurity experts cautioned against blaming Russian military agents without more evidence, however, saying the report indicates Area 1 investigators didn’t have access to Burisma’s internal logs and compromised email accounts in making the determination.

“That’s problematic,” tweeted Thomas Rid of Johns Hopkins. “Caution advised based on what we currently know.”

And while many experts said it’s a good bet the phishing amounts to a Kremlin attempt to smear the Bidens, there are other possibilities. Michael Connell, a former Army intelligence officer and researcher at the government-funded Center for Naval Analyses, notes that Russian agents have previously attacked energy-related computer systems in other countries, most notably Germany.

“The goal of the hackers was probably information gathering, but it also likely included creating backdoors to allow future access (for intel or destructive cyberattacks),” he wrote in an email.

Russian hackers from the GRU, the same military intelligence unit that Area 1 said was behind the operation targeting Burisma, have been indicted for hacking emails from the Democratic National Committee and the chairman of Hillary Clinton’s campaign during the 2016 presidential race.

Stolen emails were released online at the time by Russian agents and WikiLeaks in an effort to favour Trump, special counsel Robert Mueller determined in his investigation.

Area 1 discovered the phishing campaign by the Russian military intelligence unit on New Year’s Eve, said Falkowitz, who would not discuss whom he notified prior to going public or whether Burisma shared information with his company. He said he followed the industry standard process of responsible disclosure, which would include notifying Burisma.

Joan Donovan, a Harvard University disinformation expert, said one of the most dangerous possibilities would be data theft spiced with forgeries — and subsequently leaked. That reportedly happened in 2017 when emails related to the campaign of President Emmanuel Macron of France were stolen and published online — with some fakes included — just ahead of his election.

She called the Burisma incident “testament to the fact that we have not paid enough attention to email security” when the consequences of a leak are so high for businesses, politicians and journalists in particular.

“Email is unfortunately the way that we’ve come to do business but email has become a serious, serious vulnerability,” she said.

In phishing, an attacker uses a tailored email to lure a victim to a fake site that resembles a familiar one. There, unwitting victims enter their usernames and passwords, which the attackers then harvest. Phished credentials allow attackers both to rifle through a victim’s stored email and to masquerade as that person.

In the report, Falkowitz said the GRU agents used fake, lookalike domains that were designed to mimic the sites of real Burisma subsidiaries.
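As an added illustration, not part of the AP story or Area 1’s report: a small defender-side check of the kind a mail gateway or analyst can run over sender domains and link hosts to flag lookalike domains before a user sees them. The domain names in it are constructed placeholders, not Burisma’s or any real company’s domains.

```python
from typing import Optional

# Added example, not code from the article or from Area 1. Domains below are
# constructed placeholders standing in for a company's legitimate domains.
LEGIT_DOMAINS = ["example-holdings.com", "example-energy.net"]

# Common visual substitutions seen in lookalike registrations.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Collapse look-alike characters so 'exarnple' compares equal to 'example'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-character typo scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Second-level label: 'mail.example-holdings.com' -> 'example-holdings'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain: str, legit_domains=LEGIT_DOMAINS) -> Optional[str]:
    """Explain why `domain` resembles an allow-listed domain, or None if it is clean."""
    d = domain.lower().strip(".")
    for legit in legit_domains:
        if d == legit or d.endswith("." + legit):
            return None  # the real domain or one of its own subdomains
    cand = registrable(d)
    for legit in legit_domains:
        target = registrable(legit)
        if normalize(cand) == normalize(target):
            return f"homoglyph of {legit}"
        if levenshtein(cand, target) <= 1:
            return f"typosquat of {legit}"
        if target in cand or cand.replace("-", "") == target.replace("-", ""):
            return f"embeds brand of {legit}"
    return None
```

Feeding `lookalike_reason` the sender domain and every link host in an inbound message gives a reason string to attach to a quarantine or alert; a real deployment would also compare against the organisation's full list of subsidiaries and brands.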

Falkowitz said the operation targeting Burisma involved tactics, techniques and procedures that GRU agents had used repeatedly in other phishing operations, matching “several patterns that lots of independent researchers agree mimic this particular Russian actor.” Area 1 says it has been tracking the Russian agents for several years.

The discovery’s timing — just weeks before presidential primaries begin in the United States — highlights the need to protect political campaigns from targeted phishing attacks, which are behind 95% of all information breaches, said Falkowitz.

Area 1 said its researchers connected the phishing campaign targeting Burisma to an effort earlier last year that targeted Kvartal 95, a media organization founded by Ukrainian President Volodymyr Zelenskiy.

In this case, the Russian military agents, from a group security researchers call “Fancy Bear,” peppered Burisma employees with emails designed to look like internal messages, the company said.

In order to detect phishing attacks, Area 1 maintains a global network of sensors designed to sniff out and block them before they reach their targets.

In July, the U.S. Federal Elections Commission gave Area 1 permission to offer its services to candidates for federal elected office and political committees at the same low rates it charges non-profits.

___

AP writer Yuras Karmanau in Kyiv, Ukraine, contributed to this story.

Frank Bajak, The Associated Press