
Cyber Incident Victim: Burisma

Date: Nov 2020

Location: Ukraine

Summary

A Ukrainian energy company was targeted in a cyber campaign involving phishing emails directing victims to fraudulent domains mimicking its subsidiaries' legitimate websites, aiming to harvest email credentials. Cybersecurity researchers attributed the activity to Russian military intelligence (GRU), specifically APT28/Fancy Bear, based on infrastructure similarities to prior operations, though some experts questioned the evidence due to a lack of confirmed data breaches. The attacks were noted for their potential connection to broader geopolitical tensions and election interference concerns.


Description

In November 2019, cybersecurity firm Area 1 identified a phishing campaign targeting Ukrainian energy company Burisma Holdings and its subsidiaries, including KUB-Gas LLC. Attackers created fraudulent domains designed to mimic legitimate Burisma-associated websites, such as kub-gas[.]com (vs. the authentic kub-gas.com.ua) and cubenergy-my-sharepoint[.]com. These domains were deployed in phishing emails aimed at harvesting email login credentials from Burisma employees. Area 1, co-founded by former NSA analysts, attributed the activity to Russian military intelligence (GRU), specifically linking the tactics to APT28 (Fancy Bear), the group responsible for the 2016 Democratic National Committee breach. The campaign coincided with heightened geopolitical scrutiny of Burisma due to Hunter Biden’s former board role and then-President Trump’s public calls for Ukraine to investigate the company, which precipitated his impeachment proceedings. Researchers noted the timing raised concerns about potential interference in the 2020 U.S. elections but found no conclusive evidence of successful data exfiltration from Burisma.
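The lookalike domains described above (kub-gas[.]com standing in for kub-gas.com.ua, and a brand name combined with a service word such as "sharepoint") are the kind of indicator a mail-security or threat-intel team can screen for automatically. The following added example is not code from the original page or from any of the firms it cites; it takes a watchlist of domains an organisation operates and brand tokens it wants protected, then flags candidate domains that reuse a protected label under a different suffix, bolt a brand token onto a credential-portal keyword, or sit one edit away from a protected label. It goes slightly beyond the page by also catching one-character typosquats. The watchlist, the "cubenergy" brand token, the hand-written suffix set and the candidate list are all constructed for illustration.

```python
"""Flag lookalike domains that impersonate protected brands.

Added defensive example. The watchlist and candidate domains are constructed:
kub-gas.com.ua and the two fraudulent domains come from the incident
description, while "cubenergy" as a brand token is an assumption.
"""

# Constructed: the multi-label public suffixes this toy recognises. A real
# deployment should use the Public Suffix List rather than a hand-written set.
MULTI_LABEL_SUFFIXES = {"com.ua", "co.uk", "com.au"}

# Constructed watchlist of domains the organisation actually operates.
LEGIT_DOMAINS = {"kub-gas.com.ua"}

# Brand strings an impersonator is likely to reuse ("cubenergy" is assumed).
BRAND_TOKENS = {"kub-gas", "burisma", "cubenergy"}

# Words commonly bolted onto a brand name in credential-harvesting domains.
SERVICE_WORDS = {"sharepoint", "login", "mail", "owa", "my", "portal", "secure"}


def normalise(domain: str) -> str:
    """Lower-case and strip the defanging ("[.]") used in threat reports."""
    return domain.strip().lower().replace("[.]", ".").strip(".")


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix), e.g. ('kub-gas', 'com.ua')."""
    labels = normalise(domain).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> list[str]:
    """Return the reasons a domain looks like an impersonation (empty if none)."""
    name = normalise(domain)
    # Anything that is, or sits under, a domain we operate is trusted.
    if any(name == legit or name.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return []
    label, suffix = split_domain(name)
    protected = BRAND_TOKENS | {split_domain(d)[0] for d in LEGIT_DOMAINS}
    parts = set(label.split("-"))
    if label in protected:
        return [f"brand label {label!r} registered under a different suffix ({suffix})"]
    if any(t in label for t in BRAND_TOKENS) and parts & SERVICE_WORDS:
        return [f"brand token combined with service keyword(s) {sorted(parts & SERVICE_WORDS)}"]
    near = sorted(t for t in protected if edit_distance(label, t) == 1)
    if near:
        return [f"one edit away from protected label(s) {near}"]
    return []


def find_lookalikes(domains):
    """Map each flagged domain to its reasons; clean domains are omitted."""
    return {d: r for d in domains if (r := classify_domain(d))}


if __name__ == "__main__":
    # Constructed candidate list, as it might come from a newly-registered-domain
    # feed or from sender/URL domains extracted from mail logs.
    CANDIDATES = [
        "kub-gas.com.ua", "mail.kub-gas.com.ua", "kub-gas[.]com",
        "cubenergy-my-sharepoint[.]com", "kub-gaz.com", "example.com",
    ]
    for dom, reasons in find_lookalikes(CANDIDATES).items():
        print(f"{dom}: {'; '.join(reasons)}")
```

The checks are ordered from strongest to weakest signal, so a domain that matches an exact protected label reports only that reason. Feeding the function with domains extracted from inbound mail headers and links, or from a newly-registered-domain feed, turns the indicators in the report into a recurring control rather than a one-off lookup.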


The phishing infrastructure showed technical overlaps with prior GRU operations, including domains linked to a separate April 2019 attack on Studio Kvartal-95, a media company founded by Ukrainian President Volodymyr Zelensky. ThreatConnect analyst Kyle Ehmke corroborated partial attribution, identifying infrastructure similarities between the fake Burisma domains and historical APT28 activity, though he characterized the assessment as "moderate confidence." Skeptics like Johns Hopkins professor Thomas Rid emphasized the absence of proof that attackers breached Burisma’s systems, noting the findings only demonstrated reconnaissance efforts via fake domains. Area 1’s report highlighted the attackers’ focus on credential theft but did not specify whether logins were compromised or what data might have been targeted. The incident underscored ongoing concerns about Russian cyber operations against entities entangled in U.S. political controversies, though definitive impacts on Burisma’s operations or data security remained unconfirmed by available evidence.
