Notes To Take From The Attack On Burisma Gas Company

We’re in the twenties now! Those years promise to be full of political scandals, hacks, and cyberattacks of various magnitudes, judging by the past still fresh in collective memory.

As usual, the new year starts with something popping out of the background and onto the front pages, something that lingered and brewed long before it got mass coverage.

Lately, the spotlight has been laser-focused on Donald Trump’s impeachment trial, and while updates on this matter have dominated the media for a while now, new twists to this new-yet-old story were unveiled last week.

Answers To Eternal Questions To Clear Up The Details

The situation is heating up around Ukrainian gas company Burisma, the same company that takes center stage in Trump’s impeachment storyline. It became the target of cyberattacks, reportedly carried out by APT28, or FancyBear, a Russian cyber espionage group. 

The suggested motive for the onslaught seems to be the following: the 45th president of the United States is looking for leverage, or rather compromising evidence on Joe Biden, who appears to be among the favorite contenders for the presidency in 2020.

To derail the chances of the Democratic Party’s representative, Donald Trump pressed for an anti-corruption investigation concerning Biden’s son, Hunter Biden, who served on Burisma’s board until April 2019. The goal of getting the dirt is what got Trump into this hot water in the first place, when he pressured the Ukrainian president to get involved in an inspection of Burisma.

The attacks are being tied to the FancyBear group because of the context of the whole conflict and because the style, methods and intrusion maneuvers are similar to those used to interfere in the 2016 US election. The hackers once again used proven methods of unauthorized entry: mass phishing and watering hole attacks.

Phishing attacks are malicious email deliveries meant to steal the target’s user credentials and pass them to the attacker. Watering hole attacks rely on fake, mimicked websites that victims trust and use to update software or download information, or, in the context of this attack, toolkit-carrying documents that give malicious actors covert access into targeted systems.

While those attacks are not exclusive to Russian hackers, the security firm Area1 claims to have enough evidence to blame FancyBear. Area1’s solution supposedly identifies targeted attacks on the infrastructure and delivery mechanisms used by attackers. The firm uses a network of sensors across the web and a spiderbot that crawls up to 6 billion URLs monthly, gathering network events daily to provide enough data for analysis, which helps discover ongoing and emerging attacks.

The company’s report about the Burisma hack identifies the following:

  • The campaign was launched by the Main Intelligence Directorate of the General Staff of the Russian Army, or GRU.
  • Hacking attempts started in early November 2019.
  • Burisma Holdings’ email server is also used by its six subsidiaries. By compromising multiple subsidiaries, the GRU succeeded in gaining access to the same target from multiple angles.
  • GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment.
  • Consistent patterns of lookalike domains and specific HTTP redirection hint at Russian interference.
  • The phishing campaign on Burisma can be tied to another phishing attack directed at Kvartal 95, a Ukrainian television production company connected to the current President of Ukraine, Volodymyr Zelensky.
  • Reliable phishing delivery was aided by setting up proper SPF and DKIM email sender authentication records.

The full report can be found on the front page of the Area1 website.

While various media sources point out that Area1 is a startup co-owned by Democratic donor Oren Falkowitz, and that crediting this attack to Russian agents is a calculated move, people who smartly distance themselves from politics can still extract valuable insights.

One Thing People Won’t Try To Argue

“Hackers, as sophisticated as they are, also tend to be lazy. They use what works. And in this, they were successful.” – Oren Falkowitz

While the investigation relies largely on circumstantial evidence, this quote is something not many security researchers and experts will dispute. Phishing is a proven technique malicious actors use to kick off their operations, or one they fall back on when everything else fails.

Social engineering, to which phishing is closely tied, is a type of beast you won’t eradicate with machine learning or the fanciest software. People, as they always tend to be, are at the forefront, and mostly brush off the very real threat for lack of examples in their daily lives.

While this attack on Ukrainian companies seems to be politically motivated, the supply chain attack angle puts even the most politically isolated companies under threat. You don’t have to be the actual target to find yourself on the receiving end of a hacking campaign.

More so, the mechanisms used by nation-state actors are not so dissimilar to the hacking practices of less influential malicious entities. DKIM and SPF records can be worked around. Lookalike domains can be acquired for small sums and registered by anyone. The playbook used by the most feared hacking groups is mostly the same for any outsider seeking the confidential emails, financial records and legal documents of the company or person standing in their way.
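As an added illustration (not code from this article, nor from Area1), the following Python triage check shows why a passing SPF/DKIM result on a lookalike domain proves nothing, since the attacker set those records up for a domain they own, and what a defender checks instead: whether the sending domain is the protected one or a confusable of it. The protected domain and the sample message are constructed placeholders.

```python
import re
from email import message_from_string

PROTECTED = {"burisma-holdings.example"}  # assumption: placeholder, not from the report

# Constructed sample: a lookalike sender domain the attacker controls, with its own
# SPF/DKIM records, so "spf=pass"/"dkim=pass" say nothing about legitimacy.
LOOKALIKE_MSG = """\
Authentication-Results: mx.local; spf=pass smtp.mailfrom=burlsma-holdings.example; dkim=pass header.d=burlsma-holdings.example
From: IT Support <it@burlsma-holdings.example>
Subject: Password expiration notice

Re-enter your credentials at the portal.
"""

_SEQ = (("rn", "m"), ("vv", "w"))   # multi-character confusables
_CHR = str.maketrans("0l1", "oii")  # single-character confusables

def normalize(domain):  # collapse common homoglyph substitutions into one spelling
    d = domain.lower()
    for seq, rep in _SEQ:
        d = d.replace(seq, rep)
    return d.translate(_CHR)

def levenshtein(a, b):  # edit distance, to catch typosquats such as a dropped letter
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, protected=PROTECTED):
    d = domain.lower()
    if d in protected:
        return False
    return any(normalize(d) == normalize(p) or levenshtein(d, p) <= 2 for p in protected)

def classify(raw, protected=PROTECTED):  # verdict for one raw message with Authentication-Results
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    auth = msg.get("Authentication-Results", "")
    d = re.search(r"header\.d=([\w.-]+)", auth)
    aligned = bool(d) and d.group(1).lower() == from_domain  # DMARC-style alignment
    if is_lookalike(from_domain, protected):
        return "quarantine: lookalike of protected domain"
    if from_domain in protected and not ("spf=pass" in auth and "dkim=pass" in auth and aligned):
        return "reject: protected domain without aligned SPF/DKIM"
    return "deliver"
```

A real gateway would take the protected list from DMARC policy and a brand inventory; the point here is that the lookalike check, not the authentication result, is what catches the constructed message.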

What makes it even worse, a compromised email account can be used for planting falsified evidence. Companies don’t have to be involved in wrongdoing to be accused of committing crimes.

Phishing and watering hole attacks are not exclusive to politically motivated cybercrime and are used rather heavily for their efficiency. What makes Advanced Persistent Threat groups so dangerous is their ability to modify malware, avoid detection, change command and control channels, obfuscate code, reset timestamps on files and clear event logs to stall or sabotage a forensic investigation. While the weapon stays the same, the behavior after the crime is what differentiates attackers of different levels.

Unfortunately, a lack of competent investigation and lax or even fraudulent examination are widespread in the context of cybercrime, so users and companies have to take care of themselves, no matter who opposes them.

There’s one more thing to take away from this story.

Nothing can be stated with utmost confidence, whether we talk about politics or cybersecurity. Even though the whole situation feels like “if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck”, there’s no sure way to prove the wrongdoing. Was Fancy Bear involved? Quite possibly, but…

The most important bit to remember about this occurrence is simple: while no solution can fully protect you from all cyber threats, some solutions are useful because they make the attack more costly for the adversary, which is a realistic and achievable goal.

In the context of email, time is the primary investment, and the return on even the most basic phishing attack is certainly “worth the candle”.

Do you have all your bases covered when it comes to email protection? That is the only question worth your time and energy.
