14 January 2020

Fancy Bear hackers successfully penetrated Ukrainian gas firm Burisma

Researchers from California-based security firm Area 1 Security have detected an ongoing phishing campaign aimed at stealing the email credentials of employees at Ukrainian oil & gas company Burisma Holdings and its subsidiaries and partners. The campaign, according to the firm, appears to be launched by a state-sponsored hacking group known as Fancy Bear (Pawn Storm, Sofacy, Tsar Team, and Strontium), the same unit that allegedly breached the Democratic National Committee in 2016 as part of an operation to disrupt that year's presidential election.

The finding is significant because Burisma was at the center of attempts by U.S. President Donald Trump last July to pressure Ukrainian authorities to announce a corruption investigation into the Democratic presidential contender Joe Biden and his son Hunter, who had a seat on the energy company’s board; that effort led to Trump being impeached by the U.S. House of Representatives on charges of abuse of power and obstruction of Congress.

According to a report, the phishing attacks started in early November last year. The researchers found that the hackers had targeted two subsidiaries of Burisma, KUB Gas LLC and Esko Pivnich, as well as CUB Energy Inc, which was affiliated with the firm, using lookalike domains intended to trick employees into giving their credentials (usernames and passwords).

Burisma and its subsidiaries (ALDEA, Esko-Pivnich, Naftogazopromyslova geologiya, Nadragasvydobuvannya, Pari, and Tehnokomservis) share the same email server, meaning that a breach of any of the companies could put them all at risk.
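The campaign described above relied on lookalike domains, and the shared mail server means every sibling brand is in scope for the same lure. A defender's first control is to flag sender domains that resemble any of the organization's own. The following is an added example (not code from the article or from Area 1) of a small lookalike-domain checker run over constructed mail-log lines; the protected domains, the log format and the `.example` names are placeholders invented for this demonstration, not the companies' real domains.

```python
import re

# Constructed list of domains to protect: every subsidiary sharing the mail
# infrastructure belongs here, since a lure against one exposes all of them.
# These are placeholders, not the real domains of the companies in the article.
PROTECTED_DOMAINS = ["kubgas.example", "cubenergy.example", "burisma.example"]

# Common visual substitutions used in lookalike registrations. Multi-character
# swaps are applied before single-character ones. Both sides of every
# comparison are normalized, so mangling a legitimate word (e.g. "cl" -> "d")
# does not matter: only equality after normalization is tested.
MULTI_HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Collapse homoglyph sequences so 'burisrna' and 'kubga5' compare equal to
    'burisma' and 'kubgas'."""
    s = label.lower()
    for src, dst in MULTI_HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s.translate(SINGLE_HOMOGLYPHS)


def levenshtein(a, b):
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Return (second-level label, TLD). Simplification: assumes a one-part
    public suffix; a production tool would consult the Public Suffix List."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(domain):
    """Return (verdict, matched_protected_domain, reason).
    verdict is 'legitimate', 'suspicious' or 'unknown'."""
    host = domain.lower().strip().rstrip(".")
    label, tld = registrable_label(host)
    targets = [(p, *registrable_label(p)) for p in PROTECTED_DOMAINS]

    # Pass 1: exact match against a protected domain is legitimate.
    for p, plabel, ptld in targets:
        if (label, tld) == (plabel, ptld):
            return "legitimate", p, "exact match"

    # Pass 2: resemblance checks, in order of confidence.
    for p, plabel, ptld in targets:
        if label == plabel:
            return "suspicious", p, "same name under a different TLD"
        if normalize(label) == normalize(plabel):
            return "suspicious", p, "homoglyph variant of protected name"
        if len(plabel) >= 5 and levenshtein(label, plabel) <= 2:
            return "suspicious", p, "edit distance <= 2 from protected name"
        if plabel in label:
            return "suspicious", p, "protected name embedded in registrable label"
        if plabel in host:
            return "suspicious", p, "protected name used as a subdomain of another domain"
    return "unknown", None, "no resemblance to a protected domain"


# Constructed mail-log lines (not real traffic) in an invented 'from=' format.
SAMPLE_MAIL_LOG = """\
2020-01-10T09:12:33Z from=hr@kubgas.example to=alice@kubgas.example subject="Timesheet"
2020-01-10T09:14:02Z from=it-support@kub-gas.example to=alice@kubgas.example subject="Password reset"
2020-01-10T09:15:47Z from=admin@burisrna.example to=bob@kubgas.example subject="Mailbox quota"
2020-01-10T09:16:10Z from=news@weather.example to=bob@kubgas.example subject="Forecast"
"""

FROM_RE = re.compile(r"from=\S+@([A-Za-z0-9.-]+)")


def scan_mail_log(text):
    """Return [(sender_domain, matched_protected_domain, reason)] for every
    line whose sender domain is classified suspicious."""
    findings = []
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        verdict, matched, reason = classify(m.group(1))
        if verdict == "suspicious":
            findings.append((m.group(1), matched, reason))
    return findings


if __name__ == "__main__":
    for domain, matched, reason in scan_mail_log(SAMPLE_MAIL_LOG):
        print(f"{domain:22} looks like {matched:20} ({reason})")
```

Two of the four constructed senders are flagged: the hyphenated variant by edit distance and the `rn`-for-`m` variant by homoglyph normalization. In practice the same classifier is more useful fed with newly registered domain feeds or certificate-transparency logs than with inbound mail alone, because that surfaces a lookalike before the first lure is sent.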

“Targeting multiple subsidiaries of Burisma Holdings, the GRU was able to successfully phish multiple angles of the same target, increasing the likelihood of launching Type 2 and Type 3 BEC phishing campaigns,” researchers said.

The report provided scarce details on how Area 1 determined that the phishing domains were set up by the GRU (the Main Intelligence Directorate of the General Staff of the Russian Army, which the Fancy Bear group is believed to be a part of), mainly pointing to the similarities with the previous campaigns orchestrated by the Russian military intelligence service. Also, it is not clear what data the hackers were aiming to steal.

“The success of phishing relies on authenticity. The GRU has applied verisimilitude in extensive masquerading of common business tools and productivity applications to steal account credentials, gain access to internal systems and data, impersonate employees through the unauthorized use of their accounts, and manipulate outcomes successfully,” the cybersecurity firm said.
