2016 DNC Russian Hackers Allegedly Also Behind Recent 2019 Burisma Attack

By Jarren Buendia on March 6, 2020

Executive Statement:

According to multiple open sources, the 2019 cyberattack on the Ukraine-based energy firm Burisma is being attributed to the same Russian hacking group held responsible for the 2016 DNC email hacks. The group is known by the organization it falls under, Russia's Main Directorate of Military Intelligence (the GRU), and also by the name "Fancy Bear." The attribution comes primarily from the California-based cybersecurity firm Area 1. Many articles link the Burisma attack to a rising trend of foreign political espionage, and there is a case to be made for that reading. Independent of the politics, however, if Fancy Bear is behind the attack, it is another example of a foreign government directly interfering in another country's national interests.

Open Source Intelligence (OSINT) Details:

Firstly, a quick refresher on the 2016 story and why the GRU group is being credited with the Burisma attack. In the 2016 election year, two Russian hacking groups ran email phishing campaigns against officials of the Democratic National Committee (DNC), according to an article by the Guardian. The second group's method was to phish victims for their Gmail login credentials with a fake security-alert email; that second group was later identified as Fancy Bear.

In the Burisma case, Area 1 focuses on a few factors, one in particular being the methods used. According to The New York Times, the attackers used phishing emails to try to steal login credentials: "In this instance, the hackers set up fake websites that mimicked sign-in pages of Burisma subsidiaries, and have been blasting Burisma employees with emails meant to look like they are coming from inside the company." Between the similar methods, the fact that former Vice President Joe Biden's son sat on Burisma's board, and the upcoming 2020 election, Area 1's CEO stated that he is "100%" sure who conducted the attack.
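As an added example (not code from the article, from Area 1, or from any of the cited reports), the script below applies simple detection heuristics to the two phishing patterns described above and in the 2016 refresher: sign-in links that point at lookalike domains, and senders dressed up to look internal (a display name carrying an internal address, or a Reply-To that quietly redirects answers elsewhere). The trusted domains example-energy.com and example-energy.ua, the two sample messages, and all helper names are constructed for illustration; none of them is real Burisma infrastructure. The two-label "registrable domain" rule and the edit-distance threshold of 2 are assumptions a production filter would replace with the Public Suffix List and tuned thresholds.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation actually owns (constructed for this example).
TRUSTED_DOMAINS = {"example-energy.com", "example-energy.ua"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Path fragments typical of credential-harvesting pages.
CRED_RE = re.compile(r"(login|logon|signin|sign-in|auth|password|verify)", re.I)


def levenshtein(a, b):
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host):
    """Fold common homoglyph substitutions (rn->m, vv->w, 0->o, 1->l, ...)."""
    host = host.lower().replace("rn", "m").replace("vv", "w")
    return host.translate(str.maketrans("01357", "olest"))


def registrable(host):
    # Assumption: the registrable domain is the last two labels (no Public Suffix List).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted(host):
    return registrable(host) in TRUSTED_DOMAINS


def imitated_domain(host):
    """Return the trusted domain `host` appears to imitate, or None."""
    if not host or is_trusted(host):
        return None
    cand = registrable(host)
    cand_label = cand.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if normalize(cand) == normalize(trusted):        # examp1e-energy.com, exarnple-energy.com
            return trusted
        if levenshtein(cand, trusted) <= 2:              # exampl-energy.com
            return trusted
        if len(brand) >= 6 and brand in cand_label:      # example-energy-login.com
            return trusted
    return None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def extract_urls(msg):
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return URL_RE.findall(text)


def analyze(raw_email):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    target = imitated_domain(sender_domain)
    if target:
        findings.append(("sender-lookalike", f"{sender_domain} imitates {target}"))
    # Display name that carries an internal address while the real sender is external.
    m = re.search(r"@([\w.-]+)", display)
    if m and is_trusted(m.group(1)) and not is_trusted(sender_domain):
        findings.append(("display-name-spoof", f"display name claims {m.group(1)}, real sender is {sender_domain}"))
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {sender_domain}"))

    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        target = imitated_domain(host)
        if target:
            findings.append(("link-lookalike", f"{host} imitates {target}"))
        if not is_trusted(host) and CRED_RE.search(parsed.path):
            findings.append(("credential-link", url))
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: "helpdesk@example-energy.com" <it-support@examp1e-energy.com>
Reply-To: helpdesk@webmail-recovery.example
To: employee@example-energy.com
Subject: Action required: verify your mailbox password
Content-Type: text/plain; charset=utf-8

Your mailbox will be suspended. Sign in within 24 hours to keep access:
https://sso.example-energy-login.com/owa/auth/logon.aspx?user=employee
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example-energy.com>
To: employee@example-energy.com
Subject: Q1 figures
Content-Type: text/plain; charset=utf-8

Figures are on the intranet: https://intranet.example-energy.com/finance/q1
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(sample))
```

Each heuristic on its own produces false positives (a partner's Reply-To, a marketing domain that embeds the brand), so in practice the findings are scored together rather than treated as individual blocks; the value of the example is in showing which header and URL features the reported campaign would have tripped.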

Area 1 is the cybersecurity firm that broke the news, so it is cited in practically every article on the topic. Its CEO, Oren Falkowitz, a former National Security Agency (NSA) employee, is the person quoted in those articles. Since Area 1's report, according to Motherboard, "[…] cybersecurity companies FireEye and ThreatConnect have backed up Area 1's claim about Russian involvement." The same article adds, however, that both companies "[…] have hedged their conclusions about whether Burisma's email server was breached."

As mentioned earlier, virtually all stories on this topic tie the Burisma hacks to the 2016 DNC hacks and suggest that the motive is interference in the 2020 election. That reading rests on who is allegedly behind the attack, the timing, the fact that the son of a Democratic presidential candidate held a board seat at Burisma, and Mr. Falkowitz's own statements to that effect. At the time of this writing, however, it is unclear what data was targeted or what, if anything, was taken. Thus the political connection is, for now, circumstantial.

Potential Impacts:

Setting the political angle aside, if Fancy Bear is behind this, then a Russian state hacking group is attacking a foreign infrastructure firm. Burisma is a gas producer, in other words an energy firm. While the reported activity amounted to credential phishing, this is not a simple attack on a small business or neighborhood. According to Wikipedia, "In 2016, Burisma was the second largest privately owned natural gas producer in Ukraine." If the attacks escalate from credential theft to interference with Burisma's operations, Ukraine's infrastructure and economy could be drastically affected.

Significance:

According to Motherboard, Mr. Falkowitz was made aware of the activity on New Year's Eve. Within a day, the investigation found that the targets were all Ukrainian subsidiaries of Burisma. Within two weeks, articles were being written about it. The same article notes that some experts were wary of how quickly the attribution to a nation state was made, given how significant such a claim is. However, between Area 1's own confidence and the backing of two other well-known cybersecurity firms, the attribution seems a safe working assumption so far. The significance, given how fast attribution was made and assuming the allegations are true, is that these kinds of cyberattacks are no longer dystopian possibilities. They are happening constantly, and the targets and the stakes continue to grow.

Sources:

“Russian hackers targeted Burisma amid impeachment inquiry, cybersecurity firm says.” 14 Jan 2020. Retrieved From: theguardian.com. Retrieved: 04 Mar 2020.

“Russians Hacked Ukrainian Gas Company at Center of Impeachment.” 13 Jan 2020. Retrieved From: nytimes.com. Retrieved: 04 Mar 2020.

“The Russian Group That Hacked the DNC Has Now Breached the Company at the Center of Trump’s Impeachment.” 14 Jan 2020. Retrieved From: vice.com. Retrieved: 04 Mar 2020.

“Top Democrat’s emails hacked by Russia after aide made typo, investigation finds.” 14 Dec 2016. Retrieved From: theguardian.com. Retrieved: 04 Mar 2020.