Fancy Bear attacked Ukrainian oil and gas company Burisma

Fancy Bear attacked Burisma

The cybercriminal group Fancy Bear (also known as APT28) attacked Burisma. Hackers that are associated with Russian intelligence organized a phishing campaign aimed at employees of the Ukrainian oil and gas company Burisma Holdings.

According to experts from the security company Area 1 Security, the criminals aimed at two subsidiaries of Burisma – KUB-GAZ and ESKO-PIVNICH, and the related CUB Energy Inc.

Area 1 Security experts link the activities of the Fancy Bear group with the Main Intelligence Directorate of the General Staff of the Russian Army.

“Beginning in early November of 2019, the Main Intelligence Directorate of the General Staff of the Russian Army (GRU)1 launched a phishing campaign targeting Burisma Holdings, a holding company of energy exploration and production companies based in Kyiv, Ukraine”, — says Area 1 Security experts.

Attackers used similar domains to trick company employees and force into entering their emails and passwords. According to experts, Burisma and its subsidiaries use one mail server.

The company’s website has been subjected to numerous hacking attempts over the past six months, but it remains unknown what data the criminals tried to steal.

According to experts, the phishing campaign aimed at Burisma employees was successful, and the attackers managed to break into one of the company’s mail servers.

Hacking Burisma mail servers could lead to the disclosure of correspondence by Hunter Biden, who served on the company’s board of directors from 2014 to 2019. Hunter is the son of Joe Biden, a likely rival of the current U.S. President Donald Trump in the U.S. presidential election in 2020. The criminals allegedly sought compromising information on a political rival.

Back in July, current US President Donald Trump asked Ukraine to study Burisma’s activities to find incriminating information on the Biden family. Now Russian hackers are trying to get such information.

“Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the Russian GRU in phishing for credentials. Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains”, — write IS experts.

The GRU has been a specific actor of interest to Area 1 due to their history of targeting commercial and state organizations. Consequently, Area 1 has been tracking GRU TTPs for several years, and the TTPs utilized in this campaign have been tied to those observed by Area 1 in prior GRU campaigns.

This phishing campaign against Burisma Holdings also uses a specific HTTP redirect, attributed to GRU, where non-targeted individuals are sent to the legitimate Roundcube webmail login, while targets who receive the GRU-generated URL are taken to the GRU’s malicious phishing Roundcube website.

Therefore, can be seen interesting geopolitical picture: the goals of Russian governmental hackers fully coincide with the desires of US President Donald Trump.

However, the KGB of the new era is not the only relevant cyber threat, as recently US Homeland Security warned of possible cyberattacks by Iran.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published. Required fields are marked *