Russian spies hacked Ukrainian energy company at center of Trump's impeachment

A private security firm says Burisma Holdings was the victim of a phishing campaign beginning in November.
A building which reportedly houses an office of a subsidiary of the Ukrainian energy company Burisma Holdings Ltd, in Kiev, Ukraine.
A building that reportedly houses an office of a subsidiary of the Ukrainian energy company Burisma Holdings, in Kyiv, Ukraine.Valentyn Ogirenko / Reuters

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
SUBSCRIBE
By Phil Helsel and Mike Memoli

Burisma Holdings, the Ukrainian natural gas company at the center of the Trump impeachment case, was hacked by Russian spies, security experts said in a report released Monday.

The Main Intelligence Directorate of the General Staff of the Russian Army, or GRU, "launched a phishing campaign targeting Burisma Holdings" as early as November, according to the cybersecurity firm Area 1 Security.

"The Russians were trying to steal user names," and "from that perspective they were successful," Area 1 co-founder Oren Falkowitz, a former employee of the National Security Agency and U.S. Cyber Command, said Monday night. "What they intend to do from there is unknown," he said.

The New York Times first reported Area 1's conclusions.

Burisma employed Hunter Biden, the former vice president's son, as a board member in May 2014. He stopped working with the company in 2019.

Hunter Biden's job with the gas company has prompted criticism, particularly from defenders of Trump. Biden admitted in October that his last name was most likely the reason he was offered a seat on the board.

Trump was impeached in part because he asked Ukrainian President Volodymyr Zelenskiy in a phone call in July to investigate Joe and Hunter Biden and appeared to raise unfounded allegations that the former vice president had stymied prosecution of the company.

Area 1 said in its report that the GRU phishing campaign was designed to steal email credentials and passwords of employees at Burisma Holdings, as well as its subsidiaries and partners.

Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.

John Podesta, who was chairman of Hillary Clinton's 2016 presidential campaign, had his emails hacked during the 2016 campaign through phishing. Falkowitz said of the attack on Burisma: "It's almost entirely the exact same thing."

Phishing campaigns depend on the human perception of authenticity and can be stopped, he said in a statement. Around 95 percent of all cyberattacks involve phishing, he said.

U.S. prosecutors in 2018 indicted 12 people said to be members of the GRU in connection with the hacking of Democratic organizations and Clinton's 2016 campaign.

Rep. Adam Schiff, D-Calif., chairman of the Intelligence Committee, who has been a key figure in Trump's impeachment, said the development shows that Russia was still interested in interfering with U.S. elections.

"It would not at all surprise me. This is indeed exactly what Bob Mueller warned about in his testimony: that the Russians would be at this again," Schiff said Monday night on MSNBC, referring to the special counsel who investigated Russia's attempts to interfere in the 2016 election and examined whether there was any coordination with the Trump campaign.

"They appear, if this reporting is correct, to be in the midst of another hacking and potentially another dumping operation designed to influence another election," Schiff said of the Russian government.

The White House did not immediately respond to a request for comment Monday night.

Area 1 said in its report that the GRU's targeting of Burisma is not particularly novel but that "it is significant because Burisma Holdings is publicly entangled in U.S. foreign and domestic politics."

"The timing of the GRU's campaign in relation to the 2020 U.S. elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 U.S. elections," the report said.

Download the NBC News app for breaking news and politics

The GRU campaign against Burisma Holdings began as early as November, Area 1 said, about two months after a whistleblower complaint accused Trump of having pressured the Ukrainian president to investigate the Bidens. The complaint was unsealed in September.

Falkowitz said Area 1 had been through a rigorous and standard process to notify U.S. authorities about the cyberattack within the last week, but he declined to comment further.

He said the report was significant in that it showed a phishing attack in progress, rather than after the fact.

The phishing technique used, described as credential harvesting, involves stealing account information like usernames and passwords. That can allow groups to get inside systems and impersonate employees.

A spokesman for Joe Biden's 2020 presidential campaign said the Area 1 report "proves that both Donald Trump and Vladimir Putin understand the true stakes of this election."

"Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can't beat the vice president," campaign spokesman Andrew Bates said. "Now we know that Vladimir Putin also sees Joe Biden as a threat. Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections."

Sarah Kaufman contributed.