When investigating any breach, it’s important to keep an open mind and not reach any conclusions before all the facts are in. This is especially true when investigating the Burisma Holdings breach because of the political ramifications linked to the company. For anyone out there who is still not aware, Burisma is the Ukrainian oil and gas company that employed Hunter Biden, the son of former vice president, Joe Biden.
The optics of Joe Biden working with Ukraine at the same time his son landed a $50,000 a month consulting job never looked good. Nonetheless, companies often employ well-known individuals as consultants to raise their profiles. In Burisma’s case, they needed to clean their image after their CEO, Mykola Zlochevsky, was accused of corruption. Consider the Biden hiring as a marketing ploy.
Others, however, think something else was afoot in Ukraine. The theory is that Joe Biden may have interfered with investigations into Burisma to save his son’s lucrative job. If such tampering were discovered, it could negatively affect Biden’s 2020 election bid. The suggestion is that Russia hacked Burisma because they wanted to discover information that would expose Biden. They would do this because, so it is conjectured, Russia would prefer Donald Trump to remain as president.
So there are a number of questions that need to be asked about this breach. Did the Russian government really hack Burisma? Why? Do they want Trump to continue as president? What, if anything, did they find? How will they use this information? Would any other country or organization want to make it look like Russia was behind this breach?
It has to be kept in mind that most of the information on the Burisma breach comes from one source, Area 1 Security, located in the Silicon Valley area of California. Both of its founders have U.S. government connections. One, Oren Falkowitz, was a former NSA employee while the other, Blake Darche, worked for both the NSA and CrowdStrike, a cybersecurity firm that is often used by the U.S. government and that was instrumental in identifying Russia as the source of the DNC hacking. Area 1 makes its money by stopping phishing attacks.
Area 1 attributes the attack to Russia because it follows patterns that Russian government hackers have used in the past. The attack itself was nothing particularly innovative. The hackers ‘phished’ the login credentials of Burisma employees or employees of affiliates. These credentials were phished through spoofed login sites. Once the hackers got a valid login, they could work their way through the network and collect whatever data they needed. The more information they acquired, the more they could make their attacks appear legitimate.
Area 1 gives the following examples of how the attackers spoofed legitimate domains, making them, at least to the unwary, look like the actual domains.
Remember, they only need to get access at one point. They only need one person to fail to recognize the false URL.
Here is a possible scenario. The attackers research the company they want to attack, in this case, Burisma. They map its operations and learn all they can about affiliates and affiliates of affiliates. They then identify and target individuals who hold important network access rights, rights the attackers can acquire once they phish the individual. The phish is likely in the form of a valid-looking email telling the victim to sign into their network account.
Eventually they get one or more employees to use the spoofed login page. It will look like this and the URL will be one of the spoofed ones shown above.
The unsuspecting employee will then log in and give their login credentials to the attackers, who will then be free to use the victim’s email account as if they were the victim.
Once logged into the victim’s email account, the attackers read the victim’s emails and identify important contacts. Using information they find in the emails, they can then phish these important contacts using believable information. Let’s say that the attackers find an email about a party or conference the victim and a contact attended. They could use this as the subject of an email and have the contact open a photo or document that installs malware, or visit a website that does much the same. Before long, they will control the important contact’s email, and they will eventually be able to access more and more important areas of the network, gathering information as they go.
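The whole chain above starts with one person failing to notice a spoofed domain, so a defender’s first check is a lookalike-domain filter. The script below is an added example, not code from the article or from Area 1: it flags candidate domains that resemble a protected brand in the ways the post describes (a swapped top-level domain, look-alike characters, a one-letter typo, the brand embedded in a longer name, or the brand used as a subdomain). `burisma.com` is the assumed protected name; the candidate domains are constructed samples, not the spoofed domains Area 1 reported.

```python
import unicodedata
# Brand to protect, taken from the article. Candidate domains in the demo
# below are constructed samples, not the spoofed domains Area 1 reported.
PROTECTED = {"burisma.com"}
# Common visual substitutions seen in lookalike domains (not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def levenshtein(a: str, b: str) -> int:  # edit distance, fine for short labels
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Strip accents and non-Latin script, then undo digit/letter-pair tricks."""
    s = unicodedata.normalize("NFKD", label.lower()).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s

def classify(domain: str):
    """Return why `domain` resembles a protected brand, or None if it does not."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels) in PROTECTED or len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]            # assumes a one-label TLD
    folded, non_ascii = normalize(name), sum(ord(c) > 127 for c in name)
    for prot in PROTECTED:
        pname = prot.split(".", 1)[0]
        if name == pname:
            return f"tld-swap: {name}.{tld} instead of {prot}"
        if non_ascii and levenshtein(folded, pname) <= non_ascii:
            return f"homoglyph: non-ASCII characters in {name!r}"
        if folded == pname:
            return f"homoglyph: {name} reads as {pname}"
        if levenshtein(folded, pname) <= 1:
            return f"typo: {name} is one edit from {pname}"
        if pname in name:
            return f"brand-embedded: {pname} inside {name}"
        if pname in labels[:-2]:
            return f"brand-in-subdomain: {pname} prefixed to {name}.{tld}"
    return None

if __name__ == "__main__":
    for d in ["burisma.com", "burisma.net", "burisrna.com", "burism\u0430.com",
              "burisma-login.com", "burisma.com.secure-mail.net", "example.org"]:
        print(f"{d:32} -> {classify(d)}")
```

Run against the domains in inbound mail links or in newly registered domain feeds; the string returned says which trick matched so the alert is reviewable.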
At this point, attribution relies solely on the fact that the hackers used the same M.O. as the Russians have used in previous attacks. Since those methods are well-known in the cyber world, any other nation-state that believed it could benefit from hacking Burisma would have a perfect shield to hide behind. No doubt Russia will deny the attack and take this angle. But let’s assume that Russia hacked Burisma. What would they have to gain from this?
The Democrats were quick to accuse President Trump of encouraging the attack on Burisma. Democrat Ron Wyden remarked that, “when the president of the United States openly courts foreign interference in our elections, and pressures foreign leaders to concoct dirt about his political rivals, no one should be surprised if Russia sees that as a green light to target Donald Trump’s enemies”. However, it would be just as easy for Trump to pin the blame on the Democrats, accusing them of encouraging a hack that would appear to tie him to Russia or Ukraine. After all, maybe Russia was disappointed in President Trump and would prefer another candidate. What better way to make Trump look bad than to orchestrate an attack which seems to tie him to Russia?
In fact, during the last election, until Bernie Sanders was forced out, Russian TV had only positive things to say about him. Maybe this breach was a way to clear the way for him. This is all to say that it’s difficult to say what Russia’s motives could be, other than casting doubt on any future election results and fueling inter-party discord in the U.S. In short, their goal could simply be that of destabilizing U.S. democracy.
But the data they acquired could be put to multiple uses. Russia no doubt sees Burisma as a competitor with their own gas companies. The information or company secrets they acquired could give them some competitive edge. They may also have information that could undermine Burisma’s reputation. In these scenarios, there would be no political motives behind the attack.
As of this writing, no information exists that indicates the Russians got anything from this breach. It would be normal for a company, like Burisma, to hide their losses as long as they could to protect their reputation. They may wait for interest in the breach to die down before they finally admit to what was lost, or they may never admit to anything.
If Russia has some incriminating data that they want to use for political ends, they may release it in a number of ways. They could anonymously release it to a leak site, like they did when they released the DNC information to Wikileaks, or they could release it to a journalist affiliated with a major media outlet. Of course, they could release it through social media, but its validity would then be in question.
It is possible that some information may be released in a four-part documentary that is now airing online. Part two of the documentary, Not so “dormant” investigations, suggests that Joe Biden played a more active role in protecting his son’s position than has previously been thought.
Ukraine’s top prosecutor Viktor Shokin interviewed in “UkraineGate: Inconvenient Facts”
It is not clear if Russia had a hand in the production of this documentary but its producer, Olivier Berruyer, has worked with Russian TV in the past and is sympathetic to some Russian positions. The last two parts of the video have yet to appear, but it would certainly be a convenient place for Russia to release information they may have obtained in their breach of Burisma.
That said, I would be surprised if Russia releases any truly incriminating information soon. If they, indeed, have something that could influence the 2020 election, they would wait for the appropriate moment to release it, timing it to cause the most damage. There is also the possibility that they culled enough information to attempt a cyber attack on the Bidens themselves. If they had enough personal information on Hunter Biden, for example, they may be able to use it to launch a phishing attack on Joe Biden or key individuals associated with him. At least this possibility cannot be ruled out.
Again, this all assumes that Russia was behind the attack. Since attribution is not a science, other nation-state players, such as Iran, China, or even the U.S. government, cannot be ruled out. All have the ability to design an attack that would appear to be Russian in origin. All have possible motives.
If, in fact, the Russians orchestrated this attack, then, to some degree, they have already attained one of their goals. They have managed to cause further divisions between the major political parties in the U.S. and have done so at a time when the impeachment of President Trump is being debated. Whether we like it or not, they have already influenced the outcome of the 2020 election. The Democrats will trace any loss back to the Russians and the Republicans will deny such influence. The rift will continue to deepen.