Did the GRU Hack Burisma Holdings?

Background

In January 2020, a report from the security company Area 1 claimed that the Russian General Staff Main Intelligence Directorate (GRU) had been leading a phishing campaign targeting the Ukranian energy company Burisma Holdings, starting in November 2019. The Ukrainian company first came to U.S. public attention that fall, when news broke of the Trump administration’s efforts to look into the Biden family’s activities in Ukraine. The former Vice President’s son, Hunter Biden, served on the board of Burisma from 2014 to 2019; the Trump administration claimed that during this time Joe Biden used his political position to help the Ukranian company, specifically aiding in the removal of a Ukranian prosecutor looking into possible corruption tied to the owner of the company. There isn’t any evidence to support President Trump’s claims; however, the administration’s actions to withhold military aid to Ukraine in exchange for information on the Bidens became the center of Donald Trump’s impeachment trial. 

Evidence of Attribution

Area 1’s report was very thin, both literally (it was three pages) and figuratively. It argued that the threat actor attempted to look authentic to its targets by:

  • creating websites/domains that looked like the victim’s.
  • using these look-alike domains to capture email login credentials.
  • targeting multiple subsidiaries of Burisma Holdings, which increased the chance of launching multiple business email compromising (BEC) phishing campaigns from those accounts.

Area 1’s attribution relied heavily on comparing the methods used in the Burisma attack to Tactics, Techniques, and Processes (TTPs) it claimed were exclusive to the GRU: look-alike domains and  specific domain registration sites, ISPs and mail exchanger record assignments.

Experts in cybersecurity and attribution have raised concerns with Area 1’s conclusions:

  • A comparison of TTPs alone does not merit high confidence in the attribution. In fact, the report did not state the confidence level, implying that the attribution was airtight. But in this case, that is not true.
  • The report did not explain how, technically, the attack on the network was actually carried out. It’s possible Area 1 did not have access to the victim’s network — but if so, it should have included that fact in its report. 
  • The report did not include any testing of alternative or competing hypotheses to rule out other actors that could be behind the attack. 
  • The report did not include important details: for example, it shows screenshots of the actual Burisma subsidiary company website but does not show the false look-alike website.

Why this Story is Challenging to Report 

This story has all the elements of a blockbuster — an arm of the Russian government hacking into the Ukrainian company with which a potential Democratic presidential candidate’s son was involved, and which played a key role in the current president’s impeachment trial. It’s understandable that journalists would want to report on this, and to report on it quickly. 

The report itself, however, was so thin that journalists did not have much to work with. How could they know if the attribution was solid, or even worth reporting on? 

The lack of a stated confidence level should tip off journalists to consult outside experts on the reliability of the evidence — but once the first publication broke the news of the report, other newsrooms may have felt increased pressure to cover a breaking story.

How the Press Covered Attribution

On the same day the report was made available to the public, the New York Times published an article covering its findings. The article seems to take Area 1’s report attributing the hack to the GRU at face value: the headline assigns a very confident attribution, stating, “Russians Hacked Ukrainian Gas Company at Center of Impeachment.” The co-founder of the firm that identified the attack is quoted in the article as saying the “attacks were successful” because, it identified, some employees did hand over their login credentials to the hackers. The article states that it is not yet clear what the hackers were searching for or what they found. However, it repeats Area 1’s supposition that the timing of the Burisma attack in relation to the 2020 election, when compared to the timing of the hacking of the Clinton campaign during the 2016 election, could be evidence that the GRU is launching another operation in 2020. The rest of the article presents the hacking as fulfilling the prophecy of anticipated Russia meddling in the 2020 elections.

The day following the Times publication, newsrooms from the Guardian to NPR to CNN had headlines that read some form of, “Russians hack Burisma.”  The New York Times article is cited in other articles as a source of information, repeating the words from the Times that the hack was “successful.” Most coverage of the hack followed the New York Times piece and reported that the GRU was behind the attack. The Guardian article, however, did state that Area 1’s report gave “limited indication” of how they determined that some of the evidence was the work of the GRU, but the headline did not reflect this qualification.

Assessing Press Coverage

Articles in the news are more likely to be widely read than an actual attribution report. What can the press do when presented with a thin attribution to report on it accurately and effectively? 

  • State the confidence level. The report does not offer any language about the certainty of its attribution. Journalists should notice this and ask the agency making the attribution for its confidence level or include the lack of certainty in their reporting on the incident. 
  • Look beyond circumstantial evidence. The articles highlight circumstantial evidence, such as that the timing of the hack in relation to the 2020 election matched that of the GRU’s 2016 hack of John Podesta’s emails, as reason to believe Russia hacked Burisma Holdings. But because there is no way to prove this, journalists should be careful not to create an impression that this is fact. 
  • Have an expert review the report and assess the credibility of the entity making the report. Journalists can ask someone, whether within the newsroom or an outside expert, who understands technical digital forensics to go through the report  thoroughly and provide guidance for what language to use in the article. To assess the credibility of the entity, look at their previous reports and experts in the cybersecurity community’s response to them. Read trusted journalists’ work in the space and see who they talk to. 
  • Consider the impact of the coverage. Widespread media coverage can benefit the potential adversary. As we saw in 2016, the GRU’s campaign profited from media coverage of its hack-and-leak operations, which had a tremendous impact on public opinion of the presidential candidates. It’s tempting to report on every possibility of Russian hacking, but by doing so, journalists run the risk of becoming “accomplices of disinformation themselves,” as Alex Stamos, Renee DiResta and Michael McFaul write in a Washington Post Op-Ed.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s