With President Trump facing a political trial for his efforts to pressure Ukraine to investigate former Vice President Joseph R. Biden Jr. and his son Hunter Biden, Russian hackers have been boring into the Ukrainian gas company at the center of the issue, according to security experts.
Hacking attempts against Burisma, the Ukrainian gas company on whose board of directors Hunter Biden served, began in early November, as news about the Bidens, Ukraine and the prosecution dominated the headlines in the United States.
It is still unclear what the hackers found, or precisely what they were looking for. But experts say the timing and scale of the attacks suggest that the Russians may be looking for potentially embarrassing material about the Bidens, the same kind of information Trump wanted from Ukraine when he pressed for an investigation of the Bidens and Burisma, triggering a chain of events that led to his political trial.
The Russian tactics are strikingly similar to what US intelligence agencies say was Russia's hacking of emails from Hillary Clinton's campaign chairman and the Democratic National Committee during the 2016 presidential campaign. In that case, once they had the emails, the Russians used trolls to spread and spin the material, and built an echo chamber to amplify its effect.
Then, as now, Russian hackers from a military intelligence unit formerly known as the GRU, and known to private investigators by the alias "Fancy Bear", used so-called phishing emails that appear designed to steal usernames and passwords, according to Area 1, the Silicon Valley security company that detected the hacking. In this case, the hackers created fake websites that mimicked the login pages of Burisma subsidiaries, and have been sending Burisma employees emails made to look as if they came from inside the company.
The hackers tricked some of them into handing over their login credentials and managed to get into one of Burisma's servers, Area 1 said.
"The attacks were successful," said Oren Falkowitz, co-founder of Area 1, who previously worked at the National Security Agency. Mr. Falkowitz's company maintains a network of sensors on web servers around the world, many known to be used by state-sponsored hackers, which gives the company a front-row seat to phishing attacks and allows it to block attacks on its customers.
"The timing of the Russian campaign reflects the G.R.U. hacks we saw in 2016 against the D.N.C. and John Podesta," the Clinton campaign chairman, Mr. Falkowitz said. "Once again, they are stealing email credentials, in what we can only assume is a repetition of Russian interference in the last elections."
The Justice Department charged seven officers of the same military intelligence unit in 2018.
The Russian attacks against Burisma appear to be running parallel to an effort by Russian spies in Ukraine to dig up information in the analog world that could embarrass the Bidens, according to a US security official, who spoke on condition of anonymity to discuss confidential information. The spies, the official said, are trying to penetrate Burisma and work sources in the Ukrainian government in search of emails, financial records and legal documents.
Neither the Russian government nor Burisma responded to requests for comment.
US officials warn that the Russians have become stealthier since 2016, and are again trying to steal and spread damaging information and attack vulnerable electoral systems before the 2020 elections.
Similarly, Russia has been working since the early days of Trump's presidency to divert the focus from its own electoral interference in 2016 by sowing conspiracy theories about Ukrainian meddling and Democratic complicity.
The result has been a murky brew of conspiracy theories that mix facts, such as the handful of Ukrainians who openly criticized Trump's candidacy, with discredited claims that the DNC email server is in Ukraine and that Biden, as vice president, had corrupt deals with Ukrainian officials to protect his son. Disseminated by bots and trolls on social networks, and by Russian intelligence officers, the claims resonated with Trump, who believes that Russian interference is an attack on his legitimacy.
With Mr. Biden's emergence as the leading candidate for the Democratic nomination last spring, the president latched onto the corruption allegations and requested that Ukraine investigate the Bidens in his July 25 call with President Volodymyr Zelensky of Ukraine. The call became the center of Trump's impeachment last month.
The Biden campaign sought to cast the Russian effort to hack Burisma as an indication of Biden's political strength and to highlight Trump's apparent willingness to allow foreign powers to boost his political fortunes.
"Donald Trump tried to force Ukraine to lie about Joe Biden and an important bipartisan international anti-corruption victory because he acknowledged he can't beat the vice president," said Andrew Bates, spokesman for the Biden campaign.
"Now we know that Vladimir Putin also sees Joe Biden as a threat," Bates added. "Any American president who has not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections."
The corruption allegations hinge on Hunter Biden's work on the Burisma board. The company hired Mr. Biden while his father was vice president and led the Obama administration's Ukraine policy, including a successful push for Ukraine's chief prosecutor to be fired for corruption. The effort was backed by European allies.
Since then, Trump and some of his strongest advocates have rewritten the story, saying that Biden ousted the prosecutor because Burisma was under investigation and his son could be involved. Rudolph W. Giuliani, acting in what he says was his capacity as a personal lawyer for Mr. Trump, has personally taken charge of investigating the Bidens and Burisma, and now regularly claims to have discovered clear evidence of irregularities.
However, the evidence has not yet emerged, and now the Russians seem to have joined the hunt.
Researchers at Area 1 discovered a G.R.U. phishing campaign against Ukrainian companies on New Year's Eve. A week later, Area 1 determined what the Ukrainian targets had in common: they were all subsidiaries of Burisma Holdings, the company at the center of Trump's impeachment. Among the Burisma subsidiaries phished were KUB-Gas, Village, Esko-Pivnich, Nadragas, Tehnocom-Service and Pari. The targets also included Kvartal 95, a Ukrainian television production company founded by Mr. Zelensky. The phishing attack on Kvartal 95 seems to have been aimed at digging up the email correspondence of the head of the company, Ivan Bakanov, whom Zelensky appointed as head of the Ukrainian Security Service last June.
To steal employee credentials, the G.R.U. hackers directed Burisma to their fake login pages. Area 1 was able to track similar sites through a combination of Internet service providers frequently used by GRU hackers, rare web traffic patterns and techniques that have been used in previous attacks against a large number of other victims, including the 2016 hacking of the DNC and a more recent Russian hack of the World Anti-Doping Agency.
"The Burisma trick is a cookie-cutter G.R.U. campaign," said Falkowitz. "Russian hackers, as sophisticated as they are, also tend to be lazy. They use what works. And in this, they succeeded."