Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?



Phishing Campaign Targeting Ukrainian Firm Burisma Linked to Russian Cyberspies

A phishing campaign apparently aimed at Burisma, the Ukrainian gas company that is at the center of President Donald Trump’s impeachment, has been linked by cybersecurity researchers to a hacker group believed to be working on behalf of the Russian government.

A phishing campaign apparently aimed at Burisma, the Ukrainian gas company that is at the center of President Donald Trump’s impeachment, has been linked by cybersecurity researchers to a hacker group believed to be working on behalf of the Russian government.

Trump was impeached in December over allegations that he pressured Ukraine to launch an investigation into Burisma and its links to Hunter Biden, a former member of the energy company’s board and the son of Trump’s election rival Joe Biden.

Area 1 Security, a California-based cybersecurity firm that specializes in anti-phishing solutions, on Monday published a report describing a phishing campaign apparently aimed at Burisma, its subsidiaries and its partners. The operation, Area 1 says, started in early November 2019.

The attackers have set up fake websites, designed to imitate the sites of Burisma and its subsidiaries, in an effort to trick employees into handing over their email credentials.

They created fake websites for KUB-Gas, Esko-Pivnich and CUB Energy and hosted them on domains with names similar to the legitimate domains. For example, the legitimate domain for KUB-Gas is and the fake domain is kub-gas[.]com. Furthermore, to ensure the delivery of the phishing emails that lured victims to these domains, the attackers configured SPF and DKIM records.

Finally, in an effort to increase their chances of success, the hackers used some of the same services as the legitimate websites, including Roundcube for webmail.

Based on the tactics and techniques used by the attackers, Area 1 has linked the attack to a threat actor tracked as APT28, Pawn Storm, Fancy Bear, Sofacy, Strontium, and Tsar Team. This group has been connected to Russia’s Armed Forces, specifically its Main Directorate of the General Staff, also known as the GRU.

“Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials. Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains,” Area 1 said in its report.

Advertisement. Scroll to continue reading.

“This phishing campaign against Burisma Holdings also uses a specific HTTP redirect, attributed to GRU, where non-targeted individuals are sent to the legitimate Roundcube webmail login, while targets who receive the GRU-generated URL are taken to the GRU’s malicious phishing Roundcube website,” it added.

The company has also spotted an APT28-linked phishing campaign aimed at a media organization founded by Ukrainian President Volodymyr Zelensky.

Some of the domains spotted by Area 1 in the Burisma campaign were also seen in December by threat intelligence company ThreatConnect. Kyle Ehmke, a researcher with the company, on Monday provided a brief analysis of the domains on Twitter and explained how they have been linked by ThreatConnect to APT28.

“We assess with moderate confidence that the domains probably are associated with APT28 operations,” Ehmke said. “More information on how and against whom the identified infrastructure was operationalized could ultimately strengthen our assessment and increase our confidence in that attribution.”

Related: Microsoft Says Russian Hackers Targeted Democratic Institutions in Europe

Related: Russian Hackers Leverage IoT Devices to Access Corporate Networks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...