Fancy Bear, also known as APT28, orchestrated an attack on Burisma. Hackers linked to Russian intelligence executed a phishing campaign targeting employees of the Ukrainian oil and gas company Burisma Holdings.
Security experts from Area 1 Security revealed that the criminals focused on two subsidiaries of Burisma – KUB-GAZ and ESKO-PIVNICH, along with the related CUB Energy Inc.
Area 1 Security experts link the activities of the Fancy Bear group with the Main Intelligence Directorate of the General Staff of the Russian Army.
Area 1 Security experts state that the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) initiated a phishing campaign targeting Burisma Holdings, a holding company of energy exploration and production companies based in Kyiv, Ukraine, starting in early November of 2019
The attackers utilized similar domains to deceive company employees and coerce them into entering their emails and passwords. Experts note that Burisma and its subsidiaries share a single mail server.
Although the company’s website faced numerous hacking attempts in the past six months, it remains unclear what data the criminals attempted to steal.
Experts confirm the success of the phishing campaign targeting Burisma employees, with the attackers successfully breaching one of the company’s mail servers.
Hacking Burisma’s mail servers could result in the exposure of correspondence by Hunter Biden, a board member from 2014 to 2019 and the son of Joe Biden, a potential rival of the then-U.S. President Donald Trump in the 2020 U.S. presidential election. The criminals allegedly sought compromising information on a political rival.
In July, President Donald Trump urged Ukraine to investigate Burisma’s activities for incriminating information on the Biden family. Now, Russian hackers are attempting to obtain such information.
Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) exclusively used by the Russian GRU in phishing for credentials. The GRU repeatedly employs Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains
The GRU has been of particular interest to Area 1 due to their history of targeting commercial and state organizations. Consequently, Area 1 has been monitoring GRU TTPs for several years, and the TTPs utilized in this campaign align with those observed in prior GRU campaigns.
This phishing campaign against Burisma Holdings also employs a specific HTTP redirect, attributed to GRU, where non-targeted individuals are directed to the legitimate Roundcube webmail login, while targets who receive the GRU-generated URL are taken to the GRU’s malicious phishing Roundcube website.
Thus, an interesting geopolitical scenario unfolds: the objectives of Russian governmental hackers align with the interests of U.S. President Donald Trump.
However, the KGB of the new era is not the only relevant cyber threat, as recent warnings from US Homeland Security suggest the possibility of cyberattacks by Iran.
