An infamous Kremlin-backed hacking group has launched a coordinated phishing campaign aimed at Ukrainian firm Burisma Holdings, in what looks like an attempt to find internal information which could benefit Donald Trump.
Security vendor Area 1 claimed the attacks were carried out by the GRU-linked Fancy Bear (APT28) group responsible for stealing and releasing emails from the Democratic National Committee (DNC) which many believe gave Trump an advantage ahead of the 2016 Presidential election.
It’s no coincidence that the son of current Democratic Presidential hopeful Joe Biden sat on the board of Burisma Holdings. It was Trump’s decision to improperly pressure the Ukrainian President to investigate dealings at the firm that led to his impeachment by the House on charges of abuse of power and obstruction of Congress.
“Our report is not noteworthy because we identify the GRU launching a phishing campaign, nor is the targeting of a Ukrainian company particularly novel. It is significant because Burisma Holdings is publically entangled in US foreign and domestic politics,” noted the report.
“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyber-attacks undertaken during the 2016 US elections.”
Specifically, the group used a lookalike domain to spoof the legitimate Burisma Holdings webmail login portal to access employee accounts. With this access they could read sensitive corporate emails and use accounts to launch further attacks.
To increase the chances of success, the attackers focused on subsidiaries of the company such as KUB-Gas and CUB Energy, and set up email sender authentication records using SPF and DKIM, Area 1 said.
The attacks are thought to have been successful in tricking some Burisma employees to part with their logins.
Rosa Smothers, senior VP of cyber operations at KnowBe4, explained that phishing is the “go-to methodology” for Russian intelligence services seeking to infiltrate target networks.
“Like any fairly sophisticated and organised hacking campaign, they also ran multiple domains that were just similar enough to legitimate Burisma domains that they went unnoticed by users,” she added.
“At the end of the day, the story here is one of ongoing and escalating social engineering efforts by the Russians against their targets of interest — which is why we should expect and plan for such activities during our upcoming election cycle."