Hackers linked to the Russian government have been targeting Burisma, a Ukrainian company tied to the impeachment trial against President Donald Trump, with a wide-ranging phishing campaign, according to California-based anti-phishing firm Area 1 Security.
The campaign, which started in November, came as Congress was holding hearings tied to efforts by Trump to have Ukrainian President Volodymyr Zelenskiy investigate Vice President Joe Biden and his son, Hunter Biden, who served on the board of Burisma.
The hackers, who Area 1 says work on behalf of Russia’s Main Intelligence Directorate, created fake websites designed to look like legitimate Burisma subsidiary websites and login pages. They then sent Burisma employees emails that appeared to be authentic internal company emails, containing links to illegitimate login pages designed to steal login credentials.
The subsidiaries that were mimicked include KUB-Gas LLC, Esko-Pivnich, and CUB Energy Inc., according to the Area 1 report.
It wasn’t immediately clear what the hackers’ ultimate goals were — espionage or planting false information.
Area 1 said that in some instances, Burisma employees entered their credentials on the illegitimate login pages. The company declined to share with CyberScoop the number of employees who mistakenly entered their login credentials on the malicious login pages.
Area 1 also told CyberScoop it is not aware of any data being stolen from Burisma. The Ukrainian company did not immediately return a request for comment.
The hackers, Area 1 says, are tied to APT28 or Fancy Bear, the same group responsible for breaching the Democratic National Committee in the months leading up to the 2016 presidential election. That group has been linked to Russia’s intelligence directorate, which is more commonly known as the GRU. Area 1 declined to provide CyberScoop any further evidence beyond the report that directly attributes this campaign to APT28.
In December, Kyle Ehmke, a researcher for Arlington, Virginia-based ThreatConnect, discovered a number of phishing links that looked to be spoofing Ukraine-based organizations. After Area 1’s report was released, Ehmke said the links, along with some other tactics, pointed to behavior that could be linked with APT28.
“Ultimately, none of these characteristics are definitively indicative of APT28 activity and we don’t have any specific information on how the domains have been operationalized,” Ehmke said in a tweet. “However, considering the possible targets that the domains spoof and given the aforementioned non-definitive consistencies, we assess with moderate confidence that the domains probably are associated with APT28 operations.”
The hackers behind the phishing campaign went to great lengths to mask their malicious intent from the victims; they used Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), according to Area 1. SPF and DKIM are email authentication mechanisms used to validate that a message really came from a server authorized by the sending domain. Because the attackers controlled the lookalike domains they sent from, they could publish valid SPF and DKIM records for those domains, so the phishing emails passed the same authentication checks that legitimate mail does.
“Everything about their approach is technically unremarkable, yet highly effective,” says the report, authored by Area 1 co-founders Oren Falkowitz (CEO) and Blake Darche (CSO). “The GRU focused on masquerading [as] the same business applications used by Burisma Holdings, such as the Roundcube webmail login and SharePoint.”
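The pattern the report describes, lookalike domains for real subsidiaries whose mail passes SPF and DKIM, is one that a mail gateway or SOC can screen for directly: an authentication pass tells you the sending domain is who it claims to be, not that the domain is one of yours. The script below is an added illustration, not code from Area 1, CyberScoop or Burisma. The trusted domains, the "Authentication-Results" headers and the three sample messages are constructed for the example, and the two resemblance heuristics (homoglyph normalization and a small edit distance) are this example's own choices, not a technique the report attributes to anyone.

```python
"""Flag mail whose From: domain passes SPF/DKIM yet only resembles a trusted domain.

Added example. All domains and headers below are constructed; none come from the
article or from any real organisation.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed: domains the organisation actually owns. Sorted so results are deterministic.
TRUSTED_DOMAINS = ("legit-energy.example", "legit-holdings.example")

# Digits commonly swapped for visually similar letters in lookalike domains (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(domain):
    """Collapse common visual substitutions so 'h0ldings' and 'holdings' compare equal."""
    d = domain.lower().translate(HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return d.replace("-", "").replace(".", "")


def edit_distance(a, b):
    """Plain Levenshtein distance; small values mean a dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_trusted(domain):
    """Return (trusted_domain, reason) when domain merely resembles a trusted one, else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    if any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # a genuine subdomain of a trusted domain
    for t in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(t):
            return (t, "homoglyph")
        if edit_distance(domain, t) <= 2:
            return (t, "edit-distance")
    return None


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results headers (RFC 8601 style)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            results[method] = verdict
    return results


def triage(raw_message):
    """Return a finding dict for a lookalike sender, or None for trusted/unrelated senders."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    match = closest_trusted(domain)
    if match is None:
        return None
    trusted, reason = match
    auth = auth_results(msg)
    return {"from_domain": domain, "resembles": trusted, "reason": reason,
            "spf": auth.get("spf"), "dkim": auth.get("dkim")}


# Constructed sample messages: one legitimate, two lookalikes that pass authentication
# because the sender controls the lookalike domain and its SPF/DKIM records.
SAMPLE_MESSAGES = [
    "From: it-helpdesk@legit-holdings.example\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=legit-holdings.example;"
    " dkim=pass header.d=legit-holdings.example\n"
    "Subject: Password policy update\n\nbody\n",
    "From: it-helpdesk@legit-h0ldings.example\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=legit-h0ldings.example;"
    " dkim=pass header.d=legit-h0ldings.example\n"
    "Subject: Please re-validate your webmail login\n\nbody\n",
    "From: sharepoint@legit-enrgy.example\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=legit-enrgy.example;"
    " dkim=pass header.d=legit-enrgy.example\n"
    "Subject: Document shared with you\n\nbody\n",
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Run triage over a batch and keep only the findings."""
    return [f for f in (triage(m) for m in messages) if f]


if __name__ == "__main__":
    for finding in triage_all():
        print(finding)
```

Run as-is, the script reports the two lookalike senders and shows both carrying `spf=pass` and `dkim=pass`, which is the point: authentication results should gate delivery alongside a domain-resemblance check, not replace it. In production the trusted list would come from the organisation's own inventory of domains and subsidiaries, and a DMARC policy on those real domains would handle the separate case of direct spoofing of the exact domain.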