Ukrainian President Volodymyr Zelensky may not have listened when President Donald Trump asked him to dig up some dirt on his political rival Joe Biden in exchange for hundreds of millions of dollars in military aid — but the Kremlin was apparently all ears.
The same Russian government hackers who broke into the Democratic National Committee in 2016 successfully breached the network of Ukrainian gas company Burisma at the end of 2019, according to a bombshell new report from California cybersecurity company Area 1.
Burisma, which has yet to comment on the report, is the gas company where Hunter Biden, son of Democratic presidential candidate Joe Biden, sat on the board of directors for five years. Trump has repeatedly alleged that the former vice president used his office to bury corruption investigations against his son in Ukraine, but those claims have been shown to be baseless.
The hacks took place in November and December, at the height of the impeachment scandal in Washington, and targeted subsidiaries of Burisma. The method and timing immediately drew comparisons with the breach of the DNC in the lead-up to the 2016 election, which led to the publication of sensitive emails by WikiLeaks.
While some have questioned the quick attribution of the attack to Russia, Area 1 CEO Oren Falkowitz told VICE News he’s “100% sure” where the attack came from.
“If you think that some random schmo just magically put their finger on the internet to pick this company out of all companies, you’re not really using your brain,” Falkowitz said.
Russian hackers used phishing campaigns to trick employees of Burisma and its subsidiaries into giving up their account credentials, according to Area 1’s report. And because all of the companies shared a central email server, a single stolen username and password was enough to log in to that server, so gaining access to one company meant a hacker would have had access to them all.
Area 1 doesn’t know what the hackers were looking for or if they accessed any data, but the breach raises the possibility that the Kremlin obtained personal communications related to Hunter Biden.
On New Year’s Eve, Falkowitz, a former NSA hacker, got a call from one of his colleagues who had found a new Russian email phishing campaign.
A day later, Falkowitz realized that all the companies being targeted by the campaign were Ukrainian energy companies, and further investigations found they were all linked to Burisma.
Over the next couple of weeks, Falkowitz and his colleagues tracked a campaign that built fake websites designed to look almost identical to the real websites of the companies.
One site belonged to KUB-Gas LLC, whose website URL is kub-gas.com.ua. The hackers built an identical site using the URL kub-gas.com, a sleight of hand designed to trick victims into handing over their credentials. Because .com.ua and .com are separate registrable domains, owning the first gives a company no control over the second unless it registers that one as well. Such a small alteration to the URL would be spotted by very few people, according to Falkowitz.
“If you’re an employee at a company, let’s be realistic, would you know that your company doesn’t own the dot com?” Falkowitz said. “That’s absurd.”
The hackers also mimicked the business tools their victims used, such as SharePoint, to trick them into sharing usernames and passwords and then leveraged those stolen details to conduct even more attacks.
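The two tricks described above, a company domain re-registered under a different suffix (kub-gas.com for kub-gas.com.ua) and a trusted tool's name used as a label on a domain the attacker controls, can both be caught by comparing the registrable part of every link in inbound mail against the domains an organisation actually owns. The following Python is an added example written for this page, not code from Area 1 or from the companies involved. It assumes a constructed mini public-suffix list and a constructed list of trusted domains; only kub-gas.com.ua and the kub-gas.com lookalike come from the report, and every other hostname below is made up for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix list (assumption for this example). A real
# deployment should load the full list from https://publicsuffix.org/ so that
# multi-label suffixes such as com.ua are recognised everywhere.
PUBLIC_SUFFIXES = {"com", "net", "org", "ua", "com.ua", "net.ua", "kiev.ua"}

# Domains the organisation legitimately owns or relies on. kub-gas.com.ua is
# from the report; the other two entries are constructed for this example.
TRUSTED_DOMAINS = {"kub-gas.com.ua", "burisma-group.com", "sharepoint.com"}


def split_registrable(hostname):
    """Return (registrable_label, public_suffix) for a hostname.

    'login.kub-gas.com.ua' -> ('kub-gas', 'com.ua')
    'kub-gas.com'          -> ('kub-gas', 'com')
    Hostnames whose suffix is not in the mini list fall back to the last two
    labels, which is a limitation of the constructed list, not of the method.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # 'com.ua' wins over 'ua'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, suffix  # the hostname is itself a public suffix
            return labels[i - 1], suffix
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def trusted_bases():
    """Registrable labels of the trusted domains, e.g. {'kub-gas', 'sharepoint'}."""
    return {split_registrable(d)[0] for d in TRUSTED_DOMAINS}


def classify(url):
    """Classify a link as trusted, a lookalike of a trusted domain, or untrusted."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname
    if not host:
        return "invalid"

    reg_label, suffix = split_registrable(host)
    registrable = f"{reg_label}.{suffix}" if reg_label else suffix
    if registrable in TRUSTED_DOMAINS:
        return "trusted"  # the domain itself or any of its subdomains

    bases = trusted_bases()
    if reg_label in bases:
        # Same company label, different suffix: kub-gas.com vs kub-gas.com.ua
        return "lookalike-suffix"
    if any(base in reg_label for base in bases):
        # Company or vendor name padded inside the registrable label,
        # e.g. kub-gas-portal.com
        return "lookalike-label"

    # Labels to the left of the registrable domain belong to whoever owns that
    # domain, so a trusted name there (sharepoint.<attacker-domain>) is a lure.
    sub_labels = host.lower().split(".")[: -len(registrable.split("."))]
    if any(lbl in bases for lbl in sub_labels):
        return "brand-in-subdomain"
    return "untrusted"


def scan_links(urls):
    """Return only the links that warrant a block or an analyst's attention."""
    return {u: classify(u) for u in urls if classify(u) != "trusted"}


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing triage queue.
    sample = [
        "https://kub-gas.com.ua/owa",
        "https://login.kub-gas.com.ua/",
        "https://kub-gas.com/login",
        "https://kub-gas-portal.com/",
        "http://sharepoint.example-files.net/docs",
        "https://example.org/",
    ]
    for link, verdict in scan_links(sample).items():
        print(f"{verdict:20} {link}")
```

The check deliberately works on the registrable domain rather than on the full hostname: a subdomain of kub-gas.com.ua is controlled by KUB-Gas, whereas kub-gas.com is controlled by whoever registered it. The same logic is what an email gateway or a proxy allow-list should apply, and it is independent of whether the page behind the link looks like the real one, which is exactly what awareness training asks people to judge.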
These attacks are designed to circumvent any security awareness training that companies like Burisma might give their employees.
“They went after all of the subsidiaries and partners simultaneously,” Falkowitz said. “So once you get someone’s username and password you can then use those accounts to launch even further phishing attacks and those become even more authentic, and so training is absolutely the opposite of what stops these types of campaigns.”