Security Experts:

Connect with us

Hi, what are you looking for?



Phishing Campaign Targeting Ukrainian Firm Burisma Linked to Russian Cyberspies

A phishing campaign apparently aimed at Burisma, the Ukrainian gas company that is at the center of President Donald Trump’s impeachment, has been linked by cybersecurity researchers to a hacker group believed to be working on behalf of the Russian government.

A phishing campaign apparently aimed at Burisma, the Ukrainian gas company that is at the center of President Donald Trump’s impeachment, has been linked by cybersecurity researchers to a hacker group believed to be working on behalf of the Russian government.

Trump was impeached in December over allegations that he pressured Ukraine to launch an investigation into Burisma and its links to Hunter Biden, a former member of the energy company’s board and the son of Trump’s election rival Joe Biden.

Area 1 Security, a California-based cybersecurity firm that specializes in anti-phishing solutions, on Monday published a report describing a phishing campaign apparently aimed at Burisma, its subsidiaries and its partners. The operation, Area 1 says, started in early November 2019.

The attackers have set up fake websites, designed to imitate the sites of Burisma and its subsidiaries, in an effort to trick employees into handing over their email credentials.

They created fake websites for KUB-Gas, Esko-Pivnich and CUB Energy and hosted them on domains with names similar to the legitimate domains. For example, the legitimate domain for KUB-Gas is and the fake domain is kub-gas[.]com. Furthermore, to ensure the delivery of the phishing emails that lured victims to these domains, the attackers configured SPF and DKIM records.

Finally, in an effort to increase their chances of success, the hackers used some of the same services as the legitimate websites, including Roundcube for webmail.

Based on the tactics and techniques used by the attackers, Area 1 has linked the attack to a threat actor tracked as APT28, Pawn Storm, Fancy Bear, Sofacy, Strontium, and Tsar Team. This group has been connected to Russia’s Armed Forces, specifically its Main Directorate of the General Staff, also known as the GRU.

“Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials. Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains,” Area 1 said in its report.

“This phishing campaign against Burisma Holdings also uses a specific HTTP redirect, attributed to GRU, where non-targeted individuals are sent to the legitimate Roundcube webmail login, while targets who receive the GRU-generated URL are taken to the GRU’s malicious phishing Roundcube website,” it added.

The company has also spotted an APT28-linked phishing campaign aimed at a media organization founded by Ukrainian President Volodymyr Zelensky.

Some of the domains spotted by Area 1 in the Burisma campaign were also seen in December by threat intelligence company ThreatConnect. Kyle Ehmke, a researcher with the company, on Monday provided a brief analysis of the domains on Twitter and explained how they have been linked by ThreatConnect to APT28.

“We assess with moderate confidence that the domains probably are associated with APT28 operations,” Ehmke said. “More information on how and against whom the identified infrastructure was operationalized could ultimately strengthen our assessment and increase our confidence in that attribution.”

Related: Microsoft Says Russian Hackers Targeted Democratic Institutions in Europe

Related: Russian Hackers Leverage IoT Devices to Access Corporate Networks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.