Russia Hacked Ukrainian Company Linked To Trump Impeachment, Security Firm Says

Jan 14, 2020
Originally published on January 14, 2020 9:36 pm

Russian hackers recently targeted the Ukrainian gas company that was at the center of President Trump's impeachment — and they succeeded in gaining access to its email accounts, according to California cybersecurity firm Area 1 Security.

The hackers are said to have infiltrated Burisma Holdings months after Trump urged Ukraine to investigate Joe Biden and his son Hunter, who had served on Burisma's board.

"What we've uncovered is that the same Russian cyber actors who targeted the [Democratic National Committee] in 2016 have been actively launching a phishing campaign against employees of Burisma Holdings and its subsidiaries, to try to steal their email usernames and passwords," Area 1 co-founder Oren Falkowitz tells NPR's Morning Edition.

Trump's push for the Ukrainian probe led to his Dec. 18 impeachment by the House of Representatives on charges of abuse of power and obstruction of Congress. The House had formalized its impeachment inquiry on Oct. 31; hackers linked to Russia's government reportedly sprang into action in early November.

The hacking operation was the work of the GRU, the Russian military spy agency, according to Area 1, which has published its findings online. The company says Russian hackers sent seemingly legitimate emails pointing to malicious websites that looked like authentic Burisma sites to try to dupe employees into sharing private login information.

The phishing ploy worked, says Falkowitz, who formerly worked at the National Security Agency. "What we know is that they're able to access the usernames and passwords for the employees of Burisma. And from there, they're able to see likely what's in those accounts," he says.

The vast majority of cyberattacks begin with a phishing campaign, according to Area 1. In addition to the Russian attack on the DNC's systems, one of the most damaging recent cyberattacks began with a spear-phishing email sent to Hillary Clinton's campaign chair, John Podesta. That email instructed Podesta to click a special link to pick out a new password for his Google email account — a process the hackers then monitored, giving them full access to his account.

"Once you have the usernames and passwords for an employee's email account, there's quite a lot that can be done," Falkowitz says. "You can observe all of the data that's contained within [their] email. You can also launch further phishing campaigns — and you can use that data to do quite a lot to move throughout the company's networks."

In recent years, the GRU's hackers have been very busy and extremely disruptive, attacking a variety of high-profile targets with the goal of revealing embarrassing information.

"The GRU has been linked to cyberattacks at the Democratic National Committee in 2016 and the compromise of the World Anti-Doping Agency," Area 1 says. "The GRU has also been linked to the targeting of European foreign ministries and defense agencies, campaigns for the 2018 U.S. midterm elections, FIFA and Westinghouse."

Area 1 says it also linked the GRU phishing campaign against Burisma to another phishing attack targeting a company founded by Ukrainian President Volodymyr Zelenskiy, whose phone conversation with Trump last summer sparked calls to impeach the U.S. president.

Trump has previously asked Russia to help his political campaign — most famously just months before the 2016 vote.

"Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing" from Clinton's email servers, then-candidate Trump said at a news conference in Miami on July 27, 2016.

According to indictments secured by Justice Department special counsel Robert Mueller, Russian military officers began attacking the Clinton campaign and other Democratic targets that same day.

Copyright 2020 NPR. To see more, visit https://www.npr.org.