A phishing campaign apparently aimed at Burisma, the Ukrainian gas company that is at the center of President Donald Trump’s impeachment, has been linked by cybersecurity researchers to a hacker group believed to be working on behalf of the Russian government.
Trump was impeached in December over allegations that he pressured Ukraine to launch an investigation into Burisma and its links to Hunter Biden, a former member of the energy company’s board and the son of Trump's election rival Joe Biden.
Area 1 Security, a California-based cybersecurity firm that specializes in anti-phishing solutions, on Monday published a report describing a phishing campaign apparently aimed at Burisma, its subsidiaries and its partners. The operation, Area 1 says, started in early November 2019.
The attackers have set up fake websites, designed to imitate the sites of Burisma and its subsidiaries, in an effort to trick employees into handing over their email credentials.
They created fake websites for KUB-Gas, Esko-Pivnich and CUB Energy and hosted them on domains with names similar to the legitimate domains. For example, the legitimate domain for KUB-Gas is kub-gas.com.ua and the fake domain is kub-gas[.]com. Furthermore, to ensure the delivery of the phishing emails that lured victims to these domains, the attackers configured SPF and DKIM records.
Finally, in an effort to increase their chances of success, the hackers used some of the same services as the legitimate websites, including Roundcube for webmail.
Based on the tactics and techniques used by the attackers, Area 1 has linked the attack to a threat actor tracked as APT28, Pawn Storm, Fancy Bear, Sofacy, Strontium, and Tsar Team. This group has been connected to Russia’s Armed Forces, specifically its Main Directorate of the General Staff, also known as the GRU.
“Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials. Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains,” Area 1 said in its report.
“This phishing campaign against Burisma Holdings also uses a specific HTTP redirect, attributed to GRU, where non-targeted individuals are sent to the legitimate Roundcube webmail login, while targets who receive the GRU-generated URL are taken to the GRU’s malicious phishing Roundcube website,” it added.
The company has also spotted an APT28-linked phishing campaign aimed at a media organization founded by Ukrainian President Volodymyr Zelensky.
Some of the domains spotted by Area 1 in the Burisma campaign were also seen in December by threat intelligence company ThreatConnect. Kyle Ehmke, a researcher with the company, on Monday provided a brief analysis of the domains on Twitter and explained how they have been linked by ThreatConnect to APT28.
“We assess with moderate confidence that the domains probably are associated with APT28 operations,” Ehmke said. “More information on how and against whom the identified infrastructure was operationalized could ultimately strengthen our assessment and increase our confidence in that attribution.”