Why did Russian APT Fancy Bear hack the Ukrainian energy firm Burisma?

Pierluigi Paganini January 14, 2020

A Russia-linked cyber-espionage group hacked the Ukrainian energy company Burisma, the firm at the center of the impeachment trial of US President Donald Trump.

The Russian cyberspies, a group operating under Russia’s GRU military intelligence agency and known as Fancy Bear, carried out a spear-phishing campaign in November aimed at accessing the email accounts of Burisma Holdings employees.

The attack was detailed by California-based cybersecurity firm Area 1 Security in a report.

“This report details an ongoing Russian government phishing campaign targeting the email credentials of employees at Burisma Holdings and its subsidiaries and partners. The campaign against the Ukrainian oil & gas company was launched by the Main Intelligence Directorate of the General Staff of the Russian Army or GRU,” reads the report published by Area 1 Security. “Phishing for credentials allows cyber actors to gain control of an organization’s internal systems by utilizing trusted access methods (e.g.: valid usernames and passwords) in order to observe or to take further action. Once credentials are phished, attackers are able to operate covertly within an organization in pursuit of their goal.”

In December, President Trump was facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. Biden and Burisma’s relationship with its former board member Hunter Biden, Joe Biden’s son.

Russian military cyberspies were gathering information by hacking the Ukrainian gas company.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 US elections,” continues the Area 1 report.

It is not clear which information the hackers accessed; experts believe the Russian spies were searching for potentially embarrassing material on Trump’s rival Biden and his son.

In a July 2019 phone call, Trump asked Ukrainian President Volodymyr Zelensky to investigate the Bidens and Burisma.

Burisma hired Biden’s son while his father was vice president and was leading the Obama administration’s Ukraine policy.

“Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can’t beat the vice president,” said Andrew Bates, a spokesman for the Biden campaign, according to the NYT.

“Now we know that Vladimir Putin also sees Joe Biden as a threat,” Mr. Bates added. “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

The scheme was similar to the one allegedly adopted by Russian intelligence ahead of the 2016 presidential election, when the cyberspies hacked emails from Hillary Clinton’s campaign and used an army of trolls to spread propaganda and misinformation.

According to Area 1’s report, the GRU spies hacked the servers of Burisma Holdings.

In this campaign, the GRU combined several different authenticity techniques to make its lures credible and compromise the targeted network: domain-based authenticity, business process and application authenticity, and partner and supply chain authenticity.

“Since 2016, the GRU has consistently used an assembly line process to acquire and set up infrastructure for their phishing campaigns. Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials,” continues the report. “Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains.”
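The infrastructure pattern the report describes, lookalike domains whose mail is routed through a consumer webmail provider, is something a mail-security team can screen for before credentials are ever entered. The Python below is an added example written for this article, not code from Area 1 Security or from the report: it folds common confusable characters, compares candidate sender domains against an organisation’s legitimate domains by edit distance, and notes when the MX host sits at a consumer provider. Every domain in it is constructed, and the Yandex MX hostname and the two-edit threshold are assumptions chosen for illustration.

```python
"""
Lookalike-domain triage for credential-phishing infrastructure.

Added example, not from the Area 1 report. Compares observed sender or link
domains against an organisation's legitimate domains and flags close matches.
All domains below are constructed; the MX suffix list is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Confusable substitutions folded to a canonical form before comparison.
# Multi-character pairs come first so "rn" becomes "m" before single chars.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# MX suffixes of consumer webmail services. The report mentions Yandex for MX
# assignment; this concrete hostname is an assumption made for the example.
CONSUMER_MX_SUFFIXES = ("mx.yandex.net",)


@dataclass
class Finding:
    domain: str    # the suspicious domain as observed
    matched: str   # the legitimate domain it resembles
    reason: str    # why it was flagged


def registrable_label(domain: str) -> str:
    """Second-level label: 'acme-energy' for 'mail.acme-energy.example'.
    Simplification: does not handle multi-part public suffixes (e.g. co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(label: str) -> str:
    """Replace confusable sequences so 'acrne' and 'acme' compare equal."""
    for src, dst in _CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a rolling single row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_domains: Iterable[str],
             mx_host: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding if `candidate` resembles a legitimate domain, else None."""
    cand = candidate.lower().rstrip(".")
    legit_list = [d.lower().rstrip(".") for d in legit_domains]
    # Exact match or a genuine subdomain of a legitimate domain is not suspicious.
    if cand in legit_list or any(cand.endswith("." + d) for d in legit_list):
        return None
    label = registrable_label(cand)
    for legit in legit_list:
        legit_label = registrable_label(legit)
        if label == legit_label:
            reason = "brand on a different TLD"
        elif fold(label) == fold(legit_label):
            reason = "homoglyph substitution"
        elif levenshtein(fold(label), fold(legit_label)) <= 2:
            reason = "edit distance <= 2"
        elif legit_label in label:
            reason = "brand embedded in longer label"
        else:
            continue
        if mx_host and mx_host.lower().rstrip(".").endswith(CONSUMER_MX_SUFFIXES):
            reason += "; MX at consumer webmail provider"
        return Finding(cand, legit, reason)
    return None


def triage(records: Iterable[Tuple[str, Optional[str]]],
           legit_domains: Iterable[str]) -> List[Finding]:
    """Run classify() over (domain, mx_host) pairs and collect the findings."""
    legit_list = list(legit_domains)
    findings = []
    for domain, mx in records:
        finding = classify(domain, legit_list, mx)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: one legitimate domain and observed sender domains with
# the MX host seen for each (None where no MX was recorded).
LEGIT = ["acme-energy.example"]
SAMPLE = [
    ("acme-energy.example", "mail.acme-energy.example"),   # the real thing
    ("mail.acme-energy.example", None),                    # legitimate subdomain
    ("acme-energy.net", "mx.yandex.net"),                  # same brand, other TLD
    ("acrne-energy.example", "mx.yandex.net"),             # rn -> m homoglyph
    ("acme-enrgy.example", None),                          # dropped letter
    ("acme-energy-login.example", None),                   # brand plus keyword
    ("unrelated.example", None),                           # no resemblance
]

if __name__ == "__main__":
    for f in triage(SAMPLE, LEGIT):
        print(f"{f.domain:28} ~ {f.matched}: {f.reason}")
```

In practice the candidate list would come from inbound mail headers, proxy logs or newly registered domain feeds, and the MX host from a resolver; the example keeps both inline so it runs offline.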

Trump is expected to stand trial in the Senate as early as this week on two articles of impeachment: abuse of power and obstruction of Congress.


Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)
