What We Know About Russia Hacking Burisma, the Ukrainian Company at the Center of Trump's Impeachment
Ukrainian President Volodymyr Zelensky may not have listened when President Donald Trump asked him to dig up some dirt on his political rival Joe Biden in exchange for hundreds of millions of dollars in military aid — but the Kremlin was apparently all ears.
The same Russian government hackers who broke into the Democratic National Committee in 2016 successfully breached the network of Ukrainian gas company Burisma at the end of 2019, according to a bombshell new report from California cybersecurity company Area1.
Burisma, which has yet to comment on the report, is the gas company where Hunter Biden, son of Democratic presidential nominee Joe Biden, sat on the board of directors for five years. Trump has repeatedly made allegations that the former vice president used his power to bury corruption investigations against his son in Ukraine. But all claims have been shown to be baseless.
The hacks took place in November and December, at the height of the impeachment scandal in Washington, and targeted subsidiaries of Burisma. The method and timing immediately drew comparisons with the breach of the DNC in the lead-up to the 2016 election, which led to the leak of sensitive emails by Wikileaks.
While some have questioned the quick attribution of the attack to Russia, Area1 CEO Oren Falkowitz told VICE News he's "100% sure" where the attack came from.
“If you think that some random schmo just magically put their finger on the internet to pick this company out of all companies, you're not really using your brain,” Falkowitz said.
Russian hackers used phishing campaigns to trick employees of Burisma and its subsidiaries into giving up their account credentials, according to Area1’s report. And because all of the companies shared a central email server, gaining access to one meant a hacker would have had access to them all.
Area1 doesn’t know what the hackers were looking for or if they accessed any data, but the breach raises the possibility that the Kremlin obtained personal communications related to Hunter Biden.
On New Year’s Eve, Falkowitz, a former NSA hacker, got a call from one of his colleagues who had found a new Russian email phishing campaign.
A day later, Falkowitz realized that all the companies being targeted by the campaign were Ukrainian energy companies, and further investigations found they were all linked to Burisma.
Over the next couple of weeks, Falkowitz and his colleagues tracked a campaign that built fake websites designed to look almost identical to the real websites of the companies.
One site belonged to KUB-Gas LLC, whose website URL is kub-gas.com.ua. The hackers built an identical site using the URL kub-gas.com, a sleight of hand designed to trick victims into handing over their credentials. Such a small alteration to the URL would be spotted by very few people, according to Falkowitz.
“If you're an employee at a company, let's be realistic, would you know that your company doesn't own the dot com?” Falkowitz said. “That's absurd.”
The hackers also mimicked the business tools their victims used, such as SharePoint, to trick them into sharing usernames and passwords and then leveraged those stolen details to conduct even more attacks.
These attacks are designed to circumvent any cybersecurity training that companies like Burisma might require their employees to complete.
"They went after all of the subsidiaries and partners simultaneously,” Falkowitz said. “So once you get someone's username and password you can then use those accounts to launch even further phishing attacks and those become even more authentic, and so training is absolutely the opposite of what stops these types of campaigns.”
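As an added illustration of the lookalike-domain trick and the shared-server exposure described above (example code written for this page, not from Area1's report): an allowlist check that flags hosts which reuse a company's name label under a different suffix, run over constructed mail-gateway log lines. KNOWN_DOMAINS, the placeholder subsidiary domain, the log format and the users named in it are assumptions; only kub-gas.com.ua comes from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's legitimate domains. kub-gas.com.ua is
# the only domain named in the report; the second entry is a placeholder.
KNOWN_DOMAINS = ("kub-gas.com.ua", "example-subsidiary.ua")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _labels(host):
    return host.lower().rstrip(".").split(".")


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the legitimate domain that `host` imitates, or None.

    A host equal to, or below, a known domain is legitimate. It is a lookalike when
    the company label (e.g. 'kub-gas') appears in one of its labels but the labels
    after it are not the known suffix: kub-gas.com, kub-gas.com.ua.evil.example.
    """
    hl = _labels(host)
    for domain in known:
        kl = _labels(domain)
        if hl[-len(kl):] == kl:  # exact domain or a genuine subdomain of it
            return None
    for domain in known:
        kl = _labels(domain)
        company, suffix = kl[0], kl[1:]
        for i, label in enumerate(hl):
            if company in label and hl[i + 1:] != suffix:
                return domain
    return None


def flag_urls(log_lines, known=KNOWN_DOMAINS):
    """Return (host, imitated_domain) for every lookalike URL found in the lines."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            target = lookalike_of(host, known) if host else None
            if target:
                hits.append((host, target))
    return hits


# Constructed sample lines in the shape of a mail-gateway click log (not real traffic).
SAMPLE_LOG = [
    "2019-11-12T09:14:03Z user=a.ivanova url=https://mail.kub-gas.com.ua/owa/ verdict=allow",
    "2019-11-12T09:21:48Z user=a.ivanova url=https://kub-gas.com/sharepoint/login verdict=allow",
    "2019-11-12T10:02:11Z user=p.koval url=http://kub-gas.com.ua.secure-docs.example/ verdict=allow",
]
```

Because the check keys on the company label rather than a full string match, it also catches the name embedded in a longer label or prefixed to an unrelated suffix; distinctive company names keep false positives low.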
Who are the hackers?
Hackers linked to Russia’s Main Directorate of Military Intelligence, or GRU, conducted the attack, according to Area1. The group, also known as Fancy Bear, is the same one that attacked the DNC and Hillary Clinton’s campaign in 2016.
Along with the hackers, a number of factors link the 2016 attack with last year’s breach.
“It is fair to compare them in the sense that both were perpetrated by the same cyber actor, in this case, the Russian government,” Falkowitz said. “It is fair to compare them in the sense that both of them started with phishing campaigns. It's fair to compare them in the sense that their timing, as related to U.S. elections, is certainly more than circumstantial.”
The attacks began in November when the House impeachment inquiry was underway, and the news of the breach comes as the House prepares to send the articles to the Senate, where President Trump’s trial will start.
While some experts have urged caution about attributing the attack so quickly, others at cybersecurity companies FireEye and ThreatConnect have backed up Area1’s claim about Russian involvement. But both have hedged their conclusions about whether Burisma’s email server was breached.
Area1 co-founder Blake Darché told Reuters that the company has unpublished information that links the attacks to a specific GRU officer in Moscow.
What data were compromised?
Area1’s report claims only that the hackers breached the email server belonging to Burisma. It does not speculate on what the hackers may have done once inside the system.
But if Russian hackers did successfully breach Burisma’s network, they could have obtained communications from, to, or about Hunter Biden, who served on Burisma’s board of directors between 2014 and 2019, sparking fears that they could use the information to disrupt the 2020 presidential election.
In 2016, the stolen DNC and Clinton emails were leaked to Wikileaks and the media via the online persona of Guccifer 2.0, who turned out to be a cutout of the GRU. But if the Burisma hackers are hoping to stage a repeat of what happened in 2016, it may be months before any information is leaked.
“There's usually a big gap between when you see the attack initially become successful to then maybe what's revealed as the damage,” Falkowitz said.
What has the reaction been?
Burisma has yet to comment on the attack, though one source told Reuters that the company’s website had been subject to multiple break-in attempts over the past six months. The source did not provide further details.
Joe Biden’s campaign has not reacted to the hack on Burisma directly but used the opportunity to criticize the president for failing to stop Russian influence in U.S. elections.
“Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections," a spokesman for his campaign told Reuters.
The Chairman of the House Intelligence Committee, Rep. Adam Schiff, who has led the impeachment inquiry into Trump, said on Monday night that he only learned of the breach of Burisma when he read it in the New York Times, adding that “it does not at all surprise me.”
“This is indeed what Bob Mueller warned of in his testimony that the Russians would be at this again,” Schiff told MSNBC. “FBI Director Wray said the same thing, and they appear, if this reporting is correct, to be in the middle of another hacking and potentially dumping operation.”
Cover image: Fancy Bears website releases data on the USA and Canada's plot against the International Olympic Committee (IOC). Alexey Malgavko/Sputnik via AP