
Why the NYT thinks Russia hacked Burisma — and where the evidence is still shaky

Like most attributions, the case rests on circumstantial evidence

Illustration by Alex Castro / The Verge

The disastrous Democratic National Committee hack in 2016 was a wake-up call for anyone worried about international chaos campaigns, and on Monday night, we got a new reason to be worried about 2020. The New York Times and cybersecurity firm Area1 broke the story of a new hack by Russian intelligence services targeting Burisma, the Ukrainian natural gas company at the center of President Trump’s ongoing impeachment. For months, Republican operatives have been hinting at some horrible corruption inside the company, and if Russian spies really did hack the company, it raises frightening possibilities.

Some in Congress are already predicting a replay of 2016, with Rep. Adam Schiff (D-CA) commenting, “It certainly looks like they are at it again with an eye towards helping this president.” It’s an alarming thought, and given Trump’s refusal to acknowledge Russian hacking the last time around, there’s no indication the White House would do anything to stop it.

“Moderate confidence”

But while the report painted a terrifying picture, the evidence is less definitive than it might seem. There’s strong evidence that Burisma was successfully targeted by a phishing campaign, but it’s much harder to be sure who was behind the campaign. There are real suggestions that Russia’s GRU intelligence service could be involved, but the evidence is mostly circumstantial, as is often the case with hacking campaigns. The result leaves the case against Russia frustratingly incomplete and suggests we may head into the presidential campaign with more questions than answers.

The bulk of Area1’s evidence is laid out in an eight-page report released in conjunction with the Times article. The core evidence is a pattern of attacks that have previously targeted the Hudson Institute and George Soros, typically using the same domain registrars and ISPs. Most damning, all three phishing campaigns used the same SSL provider and versions of the same URL, masquerading as a service called “My Sharepoint.” As Area1 sees it, this is the GRU playbook, and Burisma is just the latest in a long line of targets. (Area1 did not respond to repeated requests for comment.)

A chart from the Area1 report.

But not everyone sees that domain-based attribution as a slam dunk. When Kyle Ehmke examined earlier iterations of the same pattern for ThreatConnect, he came away with a more measured conclusion, assessing with only “moderate confidence” that the domains were involved with APT28, researcher shorthand for Russia’s GRU.

“We see consistencies,” Ehmke told The Verge, “but in some cases those consistencies aren’t consistent to a single actor.” This pattern of registrations and phishing attacks really does seem to be a GRU playbook, but it’s not its only playbook, and it’s not the only one running it.

In practical terms, that means that network operators should raise the alarm any time they see an attack that fits this profile, but making a definitive ruling on a single incident is much harder. The web infrastructure used in the campaign is all publicly available and used by lots of other parties, too, so none of it counts as a smoking gun. The most distinctive characteristic is the term “sharepoint,” which researchers have only seen in URLs closely linked to the GRU. But anyone can register a URL with “sharepoint” in it, so the connection is only circumstantial.
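To make the distinction concrete, here is a small defensive helper (an added example, not code from The Verge, Area1 or ThreatConnect) that does two things the two preceding paragraphs describe: it flags proxy-log URLs that fit the lookalike "sharepoint" lure profile, and it scores how much an observed campaign overlaps the profile of shared registrar, ISP, SSL provider and URL pattern. The weights, thresholds, reference profile values and log lines are all constructed assumptions; only the shape of the argument comes from the article.

```python
import re
from urllib.parse import urlparse

# Weights are assumptions for illustration: the commodity attributes the article
# lists (registrar, ISP, SSL provider) are used by many unrelated parties, so each
# gets little weight; the lookalike "sharepoint" URL pattern is more distinctive.
WEIGHTS = {"registrar": 0.05, "isp": 0.05, "ssl_provider": 0.05, "url_pattern": 0.4}

# Constructed reference profile for the campaign cluster (placeholder values only).
GRU_STYLE_PROFILE = {
    "registrar": "registrar-a",      # placeholder, not a real indicator
    "isp": "hosting-b",              # placeholder
    "ssl_provider": "ca-c",          # placeholder
    "url_pattern": "my-sharepoint",  # the "My Sharepoint" lure named in the article
}

URL_RE = re.compile(r"https?://\S+")

def is_sharepoint_lookalike(url: str) -> bool:
    """True when the hostname invokes 'sharepoint' but is not Microsoft's sharepoint.com."""
    host = (urlparse(url).hostname or "").lower()
    if "sharepoint" not in host:
        return False
    return not (host == "sharepoint.com" or host.endswith(".sharepoint.com"))

def scan_proxy_log(lines):
    """Alerting rule: return every URL in the log lines that fits the lookalike profile."""
    return [url for line in lines for url in URL_RE.findall(line)
            if is_sharepoint_lookalike(url)]

def attribution_band(observed: dict, profile: dict = GRU_STYLE_PROFILE,
                     extra_evidence: float = 0.0):
    """Weighted overlap with the profile, plus a confidence band.

    Infrastructure overlap alone cannot exceed the 'moderate' band; reaching 'high'
    needs extra_evidence, the analyst's weight for information beyond public
    infrastructure (for example, knowledge of the operator's strategy and goals)."""
    score = sum(WEIGHTS[k] for k in WEIGHTS if observed.get(k) == profile.get(k))
    score += extra_evidence
    band = "low" if score < 0.3 else "moderate" if score < 0.8 else "high"
    return round(score, 2), band

# Constructed proxy log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2020-01-13T10:02:11Z user=alice GET https://corp-my-sharepoint.example/login",
    "2020-01-13T10:05:42Z user=bob GET https://contoso.sharepoint.com/sites/finance",
    "2020-01-13T10:07:03Z user=carol GET https://mail.example.org/inbox",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))          # the lookalike host, not contoso.sharepoint.com
    print(attribution_band(dict(GRU_STYLE_PROFILE)))  # full infrastructure match stays 'moderate'
```

Matching every infrastructure attribute still yields only a moderate band, which mirrors the ThreatConnect assessment; the band is a triage aid, not a verdict.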

“It’s a notable set of consistencies to look for and potentially use to identify their infrastructure,” Ehmke said. “But that’s not to say that everything that has those consistencies has been and will be APT28.”

In the absence of specific information about a given outfit’s strategies and goals, it’s hard to make that attribution any stronger. But going the opposite direction — from a weak attribution to a presumption of intent — can be dangerous.

This kind of weak attribution is frustratingly common in the cybersecurity world, and it can cause real problems as countries struggle to figure out the international diplomacy of cyberwarfare. Farzaneh Badii, former executive director of Georgia Tech’s Internet Governance Project, classifies weak attribution as “circumstantial evidence that can be technically questioned.” She sees it as a global problem and has advocated for international attribution groups that could solve the deadlock, so observers wouldn’t have to rely on private companies or government intelligence agencies. Without that, the problem of trust can be difficult to solve.

“States mostly fund cyber attacks through individual contractors and do not carry them out themselves,” Badii says, making state actors and private criminals difficult to distinguish. If you’re worried about governments ginning up a case for war or private companies grasping for headlines, that problem only gets worse. “Attribution companies are not forthcoming and transparent about all of their methods for undertaking attribution so it is not easy to assess their attribution mechanism.”

If you’re concerned about Russian meddling in the 2020 election, none of this should be reassuring. The GRU really did hack the DNC in 2016, and there’s no reason to think it won’t try similar tricks again, whether or not it was behind this particular phishing campaign. There really is reason to think the GRU was involved. The lack of a smoking gun isn’t reassuring — if anything, it means whoever did this got away relatively clean. But if you just want to know whether Russia hacked Burisma, the real answer may be that we still don’t know.