A new cybersecurity report says the Russian Main Intelligence Directorate, or GRU, hacked Burisma, the Hunter Biden-affiliated company at the center of the impeachment scandal. The report claims that Russia is possibly gearing up for a 2016-style hack-and-dump campaign with the fruits of the breach. (The GRU, after all, was at the center of that effort, and saw a dozen of its employees indicted for the campaign by Special Counsel Robert Mueller’s office.) But how much do we really know about the reported attempt? Did hackers actually get in and grab some data?
Welcome to Rabbit Hole.
Attribution: The strongest evidence of a possible GRU interest in hacking Burisma didn’t come from the report from the firm Area 1 that ricocheted around the internet on Monday. It came from another cybersecurity firm weeks ago. Kyle Ehmke, a threat intelligence researcher at Threatconnect, keeps a close eye on website registrations that look like they’re going to be used in spear-phishing campaigns run by nation states. In December, Ehmke flagged a handful of domains which Area 1 later included in their report.
The domains are meant to look like they’re associated with known Burisma subsidiary companies, but they’re not. The sites—with misleading names like cubenergy-my-sharepoint and kub-gas—are likely intended for use in spear phishing—tricking unsuspecting users into coughing up their passwords or clicking on malicious files.
As Ehmke pointed out, the domains, registered in November, share a handful of behavioral tics we know the GRU has used before. The sites bought encryption certificates from a legitimate company from which Russian hackers have purchased before, and were registered with an email address from a domain that has been used in previous GRU phishing site registrations. At least one of the sites tried to trick users into believing that it was a SharePoint URL (SharePoint is a Microsoft application used for corporate collaboration) belonging to a Burisma-affiliated company. As The Daily Beast previously reported, it’s a trick the GRU used to try to hack Transparency International and the Soros Foundation.
Ehmke concluded with “moderate confidence that the domains probably are associated with APT28 operations.”
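As an added example (not code from the article, ThreatConnect or Area 1), here is a simple defender-side triage of newly registered domains using the kinds of signals described above: brand-lookalike tokens, SharePoint-style portal names, and overlap with registrant-email domains and certificate issuers seen in earlier campaigns. The watchlist, indicator sets and registration records are constructed placeholders; only the two domain names come from the article.

```python
"""Triage newly registered domains for lookalike-phishing indicators.

Added example, not code from the article, ThreatConnect or Area 1. The
watchlist, indicator sets and registration records are constructed for
illustration; only the two domain names themselves appear in the article.
"""
from dataclasses import dataclass

# Constructed watchlist of brand tokens a defender wants to protect.
BRAND_TOKENS = ("kub-gas", "kubgas", "cubenergy", "cub-energy", "burisma")
# Tokens that imitate corporate collaboration portals (the SharePoint trick).
PORTAL_TOKENS = ("sharepoint", "my-sharepoint", "onedrive", "owa")
# Hypothetical placeholders for registrant-email domains and certificate
# issuers observed in earlier campaigns (a real feed would supply these).
KNOWN_REGISTRANT_DOMAINS = {"example-registrant.invalid"}
KNOWN_CERT_ISSUERS = {"Example CA"}


@dataclass
class Registration:
    domain: str
    registrant_email: str
    cert_issuer: str


def score(reg):
    """Return (score, reasons); each matched heuristic adds one point."""
    name = reg.domain.lower().rsplit(".", 1)[0]  # drop the TLD
    reasons = []
    if any(tok in name for tok in BRAND_TOKENS):
        reasons.append("brand-lookalike")
    if any(tok in name for tok in PORTAL_TOKENS):
        reasons.append("portal-impersonation")
    if reg.registrant_email.split("@")[-1].lower() in KNOWN_REGISTRANT_DOMAINS:
        reasons.append("known-registrant-domain")
    if reg.cert_issuer in KNOWN_CERT_ISSUERS:
        reasons.append("cert-issuer-overlap")
    return len(reasons), reasons


def triage(regs, threshold=2):
    """Return (domain, score, reasons) at or above threshold, highest first."""
    hits = [(reg.domain, *score(reg)) for reg in regs]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


SAMPLE = [  # constructed registration records
    Registration("cubenergy-my-sharepoint.com", "reg@example-registrant.invalid", "Example CA"),
    Registration("kub-gas.com", "ops@example-registrant.invalid", "Other CA"),
    Registration("weather-today.net", "a@b.invalid", "Other CA"),
]

if __name__ == "__main__":
    for domain, total, why in triage(SAMPLE):
        print(f"{total}  {domain}  {', '.join(why)}")
```

A single heuristic hit (a brand token alone) is weak on its own; the threshold is what turns overlapping infrastructure tics into something worth an analyst's time.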
Show your work: The problem is that we don’t know much more about the apparent campaign than we did when Ehmke first tweeted out those links as potentially GRU-related phishing sites. The Area 1 report itself is fairly thin at just eight pages, much of which is taken up by explaining the phishing domains Threatconnect reported in December.
Area 1 researchers described the apparent phishing campaign as “successful” and the New York Times article suggests that the hackers may have gained access. But so far at least there’s no public evidence to support that conclusion.
It’s not clear that Area 1 had any direct access to Burisma networks or those of its subsidiaries. The company sells phishing protection systems and not a broader suite of digital forensic incident response services.
Analytical tradecraft: If, for example, analysts found computers in Burisma’s network communicating with a GRU-linked command and control server, the case would be stronger. But so far it’s a big leap from a possibly GRU-related phishing infrastructure to a definitive claim of a breach, and cybersecurity experts say that while they don’t think the conclusion is out of the realm of possibility, the evidence to support Area 1’s conclusions is so far lacking.
“The question is one of intelligence and assessments. In this case there’s been some information put forward to state that this is happening and that it may be related to [the GRU hacking group nicknamed] Fancy Bear. There has not been information put forward that they were successfully compromised, that they were an isolated target, or that there was any specific intention of the adversary,” Robert M. Lee, the president of Dragos Inc and a former National Security Agency analyst, told The Daily Beast. “If I was back at the NSA this would qualify for low confidence at best.”
Even if Burisma and its subsidiaries were successfully hacked, the impression given by the Area 1 and Times reports is still not enough to support the argument that the hackers breached it as part of an election-related hack-and-dump campaign, says Lee.
“People are isolating the case as if it’s just this gas company, like Fancy Bear was doing nothing else. We don’t know how far-flung their operations are. Without having insight into larger operations, this looks special.”
Robert Johnston, the president of cybersecurity firm Adlumin, says that the phishing domains in the Area 1 report, while interesting, aren’t necessarily unique when it comes to GRU hackers. “They were just picking up on telemetry but the GRU and SVR [Russia’s foreign intelligence service] are constantly gearing up infrastructure. These things are constantly going on.”
Home field advantage: Whether or not the GRU managed to grab Burisma data, the opportunity at least is there given that the Ukraine scandal is central to two of the likely presidential candidates, President Trump and Joe Biden, and that Ukraine is a place where Russian hackers and disinformation peddlers have felt very comfortable.
“This is their backyard. I’m shocked that they haven’t broken into Burisma already,” said Johnston.
It’s not too hard to believe that Russian hackers would target entities in Ukraine as the country has long been a target for cyber-intrusions. Russian hackers were reportedly responsible for a 2015 attack on Ukraine’s energy grid and the NotPetya attacks which wiped data from computers under the guise of ransomware. The NotPetya attacks alone, widely believed to be the most destructive cyberattack in history, caused $10 billion of damage.
Nor is the country a stranger to Russian propaganda campaigns. When most people think of Russian disinformation campaigns and the GRU, they tend to think of the 2016 presidential campaign. That’s where Russian trolls became famous, but it’s not where they got their start. Long before the 2016 election, Ukraine was where the troll factory—the Internet Research Agency—cut its teeth.
In a 2018 indictment of the IRA’s top accountant, federal prosecutors noted that IRA campaigns had targeted not just the U.S. but European Union countries and Ukraine dating back to 2014. Ukraine, in particular, occupied a lot of IRA focus. A 2015 Times profile of the IRA based on interviews with former employees found that “Ukraine was always a major topic”.
The country has been battered so much by trolling—both from abroad and at home—that Oxford University’s Computational Propaganda Research Project called Ukraine “the frontline of experimentation in computational propaganda, with active campaigns of engagement between Russian botnets, Ukraine nationalist botnets, and botnets from civil society groups.”
Methodology: It’s not that experts find the possibility of a GRU repeat play in 2020 with Burisma as its centerpiece unlikely. “Is it interesting?” asks Lee. “Yes. But in this current geopolitical environment with the current level of activity we’re seeing—which is significant—at this point you can make any number of assessments based on zero evidence whatsoever and get a couple right.”