Employees Targeted With Phishing Campaign, Area 1 Security Researchers Say
Hackers with ties to the Russian government have been targeting Ukrainian natural gas company Burisma with a series of phishing attacks designed to steal employee credentials, according to researchers at Area 1 Security. The company first shared its findings with the New York Times.
Hunter Biden, the son of Democratic presidential candidate Joe Biden, previously served on Burisma’s board. In a July 2019 phone call, President Donald Trump asked Ukraine’s president, Volodymyr Zelensky, to investigate the Bidens and Burisma. That led to the House’s impeachment inquiry. But Trump has said his goal was to fight corruption in Ukraine and he expects to be exonerated in the upcoming Senate impeachment trial.
Russian hackers’ attacks on Burisma appear to have started around November, according to the Times. It’s not clear what data may have been compromised during these phishing attempts, although it is clear that the attackers were after employees’ usernames and passwords, according to Area 1 Security.
It’s possible that the Russian-backed hackers were attempting to find information related to the Bidens that would damage the former vice president’s current presidential campaign, according to the Times.
The Russian government did not respond to the Times’ requests for comments.
Proven Phishing Techniques
The phishing campaign appears to have been the work of the hacking group known as Fancy Bear, which has ties to the Main Intelligence Directorate of the General Staff of the Russian Army, also known as GRU, and is believed to have been behind the attack against the Democratic National Committee in 2016, according to Area 1 Security.
The Fancy Bear attacks against Burisma appear to have relied on a basic phishing campaign that attempted to trick employees into logging into a fake webpage and then entering their credentials, the researchers determined. This approach apparently was effective in targeting employees at the company as well as some of its subsidiaries, Area 1 Security reports.
“The Burisma hack is a cookie-cutter GRU campaign,” Oren Falkowitz, a co-founder of Area 1 Security, told the Times. “Russian hackers, as sophisticated as they are, also tend to be lazy. They use what works. And in this, they were successful.”
The Area 1 report notes that this campaign is similar to Fancy Bear’s previous attacks; it relied on the same ISPs and domain registration services.
“Since 2016, the GRU has consistently used an assembly line process to acquire and set up infrastructure for their phishing campaigns,” according to the report. “Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures used exclusively by the GRU in phishing for credentials.”
The Area 1 Security report also notes that the campaign against Burisma used an HTTP redirect that has previously been tied to the GRU and Fancy Bear.
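The report describes two things a defender can look for in their own telemetry: a redirect that lands employees on a fake login page built to collect credentials, and attacker domains that share the same registrar and hosting provider. The following is an added example, not code from the article or from Area 1 Security's report. It runs a small detection over constructed proxy-log lines (timestamp, user, requested URL, HTTP status, Location header), flags redirect hops that land on a brand-lookalike login page outside the organisation's own login hosts, and then groups the flagged domains by the registrar/ASN pair from a constructed enrichment table so infrastructure reuse stands out. All hostnames (`example-corp.com`, `.test` domains), users, registrar names and ASNs are assumptions made up for the example.

```python
"""Detection example (constructed data): flag proxy-log requests whose redirect
lands on a lookalike credential-harvesting page, and cluster the flagged hosts
by shared registrar/ASN. Nothing here comes from the article or Area 1's report."""
import re
from collections import defaultdict

# Hypothetical organisation's legitimate login hosts (assumption).
ALLOWED_LOGIN_HOSTS = {"login.example-corp.com", "mail.example-corp.com"}

# Constructed proxy log: timestamp user url status location-header-or-dash
PROXY_LOG = """\
2019-11-04T09:12:01Z alice http://track.promo-deals.test/click/17 302 https://example-corp.com.login-verify.test/owa
2019-11-04T09:12:02Z alice https://example-corp.com.login-verify.test/owa 200 -
2019-11-04T09:15:44Z bob https://login.example-corp.com/ 200 -
2019-11-04T10:02:10Z carol http://short.redir.test/x9 302 https://mail-examplecorp.test/login
2019-11-04T10:02:11Z carol https://mail-examplecorp.test/login 200 -
"""

# Constructed enrichment table standing in for a registrar/ASN lookup.
DOMAIN_INFO = {
    "example-corp.com.login-verify.test": {"registrar": "RegistrarA", "asn": "AS64500"},
    "mail-examplecorp.test": {"registrar": "RegistrarA", "asn": "AS64500"},
    "track.promo-deals.test": {"registrar": "RegistrarB", "asn": "AS64501"},
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
LOGIN_WORDS = ("login", "owa", "signin", "verify", "mail")


def parse_log(text):
    """Parse constructed proxy lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, url, status, location = m.groups()
        entries.append({"ts": ts, "user": user, "url": url, "status": int(status),
                        "location": None if location == "-" else location})
    return entries


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' if it is not one."""
    m = re.match(r"^https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def brand_tokens(allowed_hosts):
    """Brand strings a lookalike would imitate, derived from the allowed hosts:
    the registrable label (e.g. 'example-corp') and its hyphen-stripped form."""
    tokens = set()
    for h in allowed_hosts:
        labels = h.split(".")
        if len(labels) >= 2:
            tokens.add(labels[-2])
            tokens.add(labels[-2].replace("-", ""))
    return tokens


BRAND_TOKENS = brand_tokens(ALLOWED_LOGIN_HOSTS)


def is_lookalike_login(url):
    """True when the host imitates our brand, is not an allowed login host,
    and the URL looks like a login or mail page."""
    host = host_of(url)
    if not host or host in ALLOWED_LOGIN_HOSTS:
        return False
    if not any(tok in host for tok in BRAND_TOKENS):
        return False
    return any(w in url.lower() for w in LOGIN_WORDS)


def flag_lookalike_logins(entries):
    """One record per (user, landing host) where a 3xx Location or a direct
    request lands on a lookalike login page; first_url is the hop that led there."""
    hits, seen = [], set()
    for e in entries:
        is_redirect = 300 <= e["status"] < 400 and e["location"]
        landing = e["location"] if is_redirect else e["url"]
        if not is_lookalike_login(landing):
            continue
        key = (e["user"], host_of(landing))
        if key in seen:
            continue
        seen.add(key)
        hits.append({"ts": e["ts"], "user": e["user"], "first_url": e["url"],
                     "landing_host": host_of(landing)})
    return hits


def cluster_by_infrastructure(hosts, info):
    """Group hosts by (registrar, ASN); hosts sharing a pair hint at reused setup."""
    clusters = defaultdict(list)
    for h in hosts:
        rec = info.get(h, {"registrar": "unknown", "asn": "unknown"})
        clusters[(rec["registrar"], rec["asn"])].append(h)
    return {k: sorted(v) for k, v in clusters.items()}


if __name__ == "__main__":
    found = flag_lookalike_logins(parse_log(PROXY_LOG))
    for h in found:
        print(f"{h['ts']} user={h['user']} {h['first_url']} -> {h['landing_host']}")
    groups = cluster_by_infrastructure([h["landing_host"] for h in found], DOMAIN_INFO)
    for (reg, asn), hosts in groups.items():
        print(f"{reg}/{asn}: {', '.join(hosts)}")
```

The brand-token match is deliberately loose (substring of the hostname) because lookalike domains tend to embed the imitated brand in a subdomain or a hyphenated variant; in production the allowed-host set and the enrichment source would be the organisation's own asset inventory and a WHOIS/ASN feed rather than the constructed tables above.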
While the campaign against Burisma appears to have started in November, Area 1 Security researchers first discovered the attack around Jan. 1. Falkowitz explained to the Times that his company maintains a network of sensors that focus on web servers used by nation-state-sponsored hackers.
In addition to Burisma, the Area 1 researchers found that hackers were also attempting to phish employees at a media organization founded by Ukrainian President Zelensky.
In a statement provided to the Wall Street Journal, a Biden campaign spokesperson, commenting on the Area 1 Security report, said: “Now we know that Vladimir Putin also sees Joe Biden as a threat. Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”