Russians likely hacked Ukrainian company to 'create chaos' in U.S. election, says tech expert
Report says Russian intelligence targeted company at centre of Trump impeachment
Russian intelligence agents likely hacked the company at the centre of U.S. impeachment trial in a bid to sow confusion and chaos ahead of the 2020 presidential election, says a cybersecurity expert from the firm that exposed the attack.
According to a report by U.S. company Area 1 Security, members of the Russian GRU intelligence directorate launched a phishing campaign against Ukrainian gas company Burisma Holdings in November, just as impeachment proceedings against U.S. President Donald Trump were heating up.
The U.S. House of Representatives impeached Trump in December for abusing the power of his office by enlisting the Ukrainian government to investigate Joe Biden, a political rival, ahead of the 2020 election. A second charge accused Trump of obstructing a congressional investigation into the matter.
Biden's son, Hunter, served on the board of directors for Burisma Holdings for more than two years, including while his father was vice-president.
Blake Darché, chief strategy officer for Area 1, spoke to As It Happens host Carol Off about the hack. Here is part of their conversation.
How did you determine that agents of the Russian military and intelligence hacked into the computers of Burisma Holdings?
We collected various pieces of information that allowed us to correlate that an attack had occurred by the Russian GRU against Burisma Holdings through a variety of telemetry that we collect as a company.
Can you tell us ... what [the GRU] were up to?
The Russian GRU registered various look-alike domain names, used those fake ... domain names to send malicious links to email addresses associated with Burisma Holdings in order to facilitate a user to click on that link and enter their username and password and have their credentials stolen so they could gain access to those accounts.
And this is what's known as phishing?
This is what is known as phishing.
Donald Trump's impeachment was based on allegations that he was pressuring Ukraine ... to look into Joe Biden's son Hunter and his work with this company, Burisma Holdings. Do you think these Russian hackers were after the same thing?
It remains to be seen. The Russians have been seen doing this before, in the 2016 [election] cycle.
It looks like they were trying to collect e-mails regarding — possibly — Hunter Biden, but we're uncertain at this point if that's exactly correct or not.
What about the timing of this? When was this attack taking place?
So we noticed it on December 31st.
The first attack by the Russians took place in early to mid-November, and then again throughout the summer. So the Russians started attacking this entity and its subsidiaries right around the kick-off of the impeachment hearings.
What do you make of that?
I'm of the opinion, you know, there's no such thing as a coincidence typically with timeframes like that. So it looks significant.
Given how they've operated in the past, what might they do with any information, anything they have on Hunter Biden, if that's what they were seeking?
They could try to give it to the media in the United States. They could try to post it online directly. They could try to create some sort of cutout and post it online. They could give it to WikiLeaks. They could give it to another foreign government. They could try to give it to a member of the U.S. government, an elected official, to try to sow additional chaos.
The Russian goal in this operation is likely to create chaos. That seems to be their MO at this point.
Can you just tell us how this investigation compares with what we know about Russian hacking in 2016 against the Democratic National Committee and ... Hillary Clinton's campaign chair, John Podesta?
From a timeline perspective, it compares directly. When [former Clinton campaign chair] John Podesta clicked the first link that granted the GRU access to his email account, that's basically what we've just highlighted here. This is the very beginning of that cycle. And that's why we highlighted it to the New York Times.
Why did your agency turn this over to the New York Times? Who did you want to alert and what did you want to alert them about?
We think it's in the public's interest to understand these attacks in their earliest stage of the attack cycle so people are aware of what might happen and are better prepared from last time.
We want people to be aware that the Russians are trying to possibly cause chaos in the 2020 election cycle.
But it's not necessarily going to stop that chaos, right?
It may not stop that chaos, but it may encourage certain companies, certain organizations to better protect their information moving forward and try to prevent additional damage from being done.
What do you think we might see next, if anything, from this?
I don't know what will be next. It could be a kind of silent period. We could also see attacks further pivot against, you know, more U.S. political candidates.
Is it getting more sophisticated, this hacking?
We haven't noticed any significant increase in GRU's sophistication level, but you don't have to be sophisticated to be effective.
Because what's worked in the past can work again.
Correct.
Should we expect to see more of these kinds of reports like the one you just issued?
I do. I think we will see more of this in the future, and probably not just by Russia. We'll see other countries try to begin kind of moving down the same road.
Written by Sheena Goodyear with files from The Associated Press. Interview produced by Chloe Shantz-Hilkes. Q&A has been edited for length and clarity.