Researchers from California-based security firm Area 1 Security have detected an ongoing phishing campaign aimed at stealing the email credentials of employees at Ukrainian oil & gas company Burisma Holdings and its subsidiaries and partners. The campaign, according to the firm, appears to be launched by a state-sponsored hacking group known as Fancy Bear (Pawn Storm, Sofacy, Tsar Team, and Strontium), the same unit that allegedly breached the Democratic National Committee in 2016 as part of an operation to disrupt that year's presidential election.
The finding is significant because Burisma was at the center of attempts by U.S. President Donald Trump last July to pressure Ukrainian authorities into announcing a corruption investigation into Democratic presidential contender Joe Biden and his son Hunter, who held a seat on the energy company's board. That effort led to Trump being impeached by the U.S. House of Representatives on charges of abuse of power and obstruction of Congress.
According to a report, the phishing attacks started in early November last year. The researchers found that the hackers had targeted two subsidiaries of Burisma, KUB Gas LLC and Esko Pivnich, as well as CUB Energy Inc, which was affiliated with the firm, using lookalike domains intended to trick employees into giving their credentials (usernames and passwords).
Burisma and its subsidiaries (ALDEA, Esko-Pivnich, Naftogazopromyslova geologiya, Nadragasvydobuvannya, Pari, and Tehnokomservis) share the same email server, meaning that a breach of any of the companies could put them all at risk.
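Lookalike domains of the kind the report describes can be caught on the defender's side by comparing every sender or login domain the mail gateway sees against the organisation's own domains, which matters all the more when several subsidiaries share one mail server. The following Python is an added example, not code from Area 1 or the report; the protected and candidate domains are constructed placeholders, since the article does not name the domains actually involved.

```python
from typing import Dict, List, Optional, Tuple
# Constructed placeholders for the company's real domains (the article names the targeted
# subsidiaries but not the domains involved).
PROTECTED_DOMAINS = ["kubgas-example.com", "eskopivnich-example.com", "cubenergy-example.com"]
# Digits and hyphens commonly swapped in for look-alike letters; None deletes the character.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "-": None})

def normalize(label: str) -> str:
    """Fold a domain label to a canonical form so visually similar spellings compare equal."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def registrable_label(domain: str) -> str:
    """Label left of the TLD (assumes single-part suffixes like .com, not .co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a real name indicates typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, protected: List[str] = PROTECTED_DOMAINS) -> Optional[Tuple[str, str]]:
    """Return (reason, impersonated_domain) if `domain` resembles a protected one; exact
    matches and genuine subdomains of a protected domain are legitimate and give None."""
    d = domain.lower().strip(".")
    if d in protected or any(d.endswith("." + p) for p in protected):
        return None
    cand = normalize(registrable_label(d))
    for p in protected:
        if (p + ".") in (d + "."):  # real name used as a subdomain of an attacker domain
            return ("embedded", p)
        ref = normalize(registrable_label(p))
        if cand == ref:             # same name after homoglyph folding, or a swapped TLD
            return ("homoglyph-or-tld-swap", p)
        if levenshtein(cand, ref) <= 2:
            return ("typosquat", p)
    return None

def scan(domains: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each flagged domain (e.g. from mail-gateway logs) to its verdict."""
    return {d: hit for d in domains if (hit := classify(d)) is not None}

# Constructed sample of sender/login domains such as a mail gateway might log.
CANDIDATE_DOMAINS = ["kubgas-example.com", "mail.kubgas-example.com", "kubgas-examp1e.com",
                     "kubgas-example.net", "kubgaz-example.com",
                     "kubgas-example.com.login-portal-example.net", "unrelated-example.org"]
```

Running `scan(CANDIDATE_DOMAINS)` flags four of the seven constructed domains; feeding newly registered domains or unknown sender domains through the same check gives early warning before an employee ever sees the lure.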
“Targeting multiple subsidiaries of Burisma Holdings, the GRU was able to successfully phish multiple angles of the same target, increasing the likelihood of launching Type 2 and Type 3 BEC phishing campaigns,” researchers said.
The report provided scarce details on how Area 1 determined that the phishing domains were set up by the GRU (the Main Intelligence Directorate of the General Staff of the Russian Army, which the Fancy Bear group is believed to be a part of), mainly pointing to the similarities with the previous campaigns orchestrated by the Russian military intelligence service. Also, it is not clear what data the hackers were aiming to steal.
“The success of phishing relies on authenticity. The GRU has applied verisimilitude in extensive masquerading of common business tools and productivity applications to steal account credentials, gain access to internal systems and data, impersonate employees through the unauthorized use of their accounts, and manipulate outcomes successfully,” the cybersecurity firm said.