Skip to main content
The Globe and Mail
Support Quality Journalism
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
Just$1.99
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to globeandmail.com
Just $1.99 per week for the first 24 weeks
Just $1.99 per week for the first 24 weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(select.open)}function setPanelState(o){dom.root.classList[o?"add":"remove"](select.open),dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); }

(FILES) In this file photo taken on December 30, 2016, cars drive past the headquarters of the Russian General Staff's Main Intelligence Department (GRU) in Moscow. An American cybersecurity firm said on Wednesday GRU hackers attempted to steal e-mails from Burisma, the Ukrainian energy firm where Democratic presidential candidate Joe Biden's son sat on the board.

NATALIA KOLESNIKOVA/AFP/Getty Images

Russian military hackers tried to steal emails from the Ukrainian energy firm where Hunter Biden, the son of Democratic U.S. presidential contender Joe Biden, had a seat on the board, an American cybersecurity firm said on Monday.

Energy company Burisma Holdings Ltd was at the centre of attempts by President Donald Trump last July to pressure Ukrainian authorities into announcing an investigation into the Bidens for purported corruption, an effort that has led to the Republican being impeached by the U.S. House of Representatives on charges of abuse of power and obstruction of Congress.

Trump denies he did anything wrong by asking Ukrainian officials to investigate Hunter Biden’s relationship with Burisma. There has been no evidence of wrongdoing by the Bidens, who reject Trump’s allegations of graft.

Story continues below advertisement

California-based Area 1 Security identified the hacking of Burisma and linked it to Russia’s Main Directorate of Military Intelligence, or GRU. The same hacking group, known as “Fancy Bear” or “APT28” by cybersecurity researchers, breached the Democratic National Committee in 2016 in what U.S. investigators described as part of an operation to disrupt that year’s election.

“You can see this attack really is starting to parallel with what we saw in 2016,” Oren Falkowitz, Area 1’s chief executive, said in an interview.

The Russian Defense Ministry did not immediately respond to a request for comment. Officials at the U.S. National Security Agency and the Department of Homeland Security declined to comment.

Burisma did not immediately respond to a request for comment.

A source close to Burisma told Reuters the company’s website had been subject to multiple break-in attempts over the past six months but did not provide further details.

What data the hackers were looking to steal is not clear, Area 1 said. Breaching Burisma could yield communications from, to, or about Hunter Biden, who served as a director between 2014 and 2019. A leak of stolen data could potentially affect the impeachment process and the 2020 U.S. presidential election.

Area 1 said it became aware of the Russian targeting of Burisma after its e-mail security scanning product found suspicious evidence online, including “decoy domains”: websites designed to imitate legitimate e-mail services used by Burisma’s subsidiaries.

Story continues below advertisement

Publicly available domain registration records examined by Reuters show that the hackers created the decoy domains between Nov. 11, the day before U.S. Democrats began their first public impeachment hearings, and Dec. 3, the day before the House Judiciary Committee took up the matter.

The records show that the same people also registered fake domains for a Ukrainian media company, named Kvartal 95, in March and April 2019. Kvartal 95 was founded by Ukrainian President Volodymyr Zelenskiy and multiple employees of the company have since joined his administration.

Kvartal 95 and representatives for Zelenskiy did not immediately respond to requests for comment.

Area 1’s report said it discovered the GRU had targeted two subsidiaries of Burisma - KUB Gas LLC and Esko Pivnich - as well as CUB Energy Inc, which previously did business with the company, using look-alike domains intended to trick employees into providing their e-mail passwords.

Burisma and its subsidiaries share the same e-mail server, Area 1 said, meaning a breach at any of the companies could expose them all.

The report gave a limited indication of how Area 1 determined that the look-alike domains were the work of the GRU, pointing mainly to similarities in how the hackers had previously set their digital traps. Area 1 co-founder Blake Darche said unpublished data gathered by his firm linked the operation to a specific officer in Moscow, whose identity he was unable to establish.

Story continues below advertisement

But Darche said “we are 100 per cent certain” that the GRU was behind the hacking.

An outside researcher, Kyle Ehmke of Virginia-based cybersecurity firm ThreatConnect, who reviewed the malicious domains flagged by Area 1, said based on the information he had seen, he believed “with moderate confidence” that the websites were devised by the GRU.

Ehmke said that the hacking operation against Burisma used methods consistent with Russian hackers associated with the GRU, but that a complete picture was lacking.

John Hultquist, director of intelligence analysis with U.S. cybersecurity firm FireEye, told Reuters the domains discovered by Area 1 are “consistent” with other known APT28 activities.

Russian spies have routinely targeted Ukrainian energy firms with cyberattacks since Russia threw its weight behind a separatist takeover in eastern Ukraine in 2014.

U.S. intelligence officials have issued warnings that Russia is working to intervene in the November 2020 election. Trump is seeking re-election and Biden is a leading opponent out of a dozen Democrats seeking their party’s nomination.

Story continues below advertisement

Andrew Bates, a spokesman for Joe Biden, did not comment directly on the hack but said in an e-mail: “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

Report an error
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies