Russians Hacked Ukrainian Gas Company at Center of Impeachment

From The New York Times, I’m Michael Barbaro. This is “The Daily.”

Today: At the heart of the impeachment is a request made by President Trump that Ukraine investigate ties between the Bidens and an energy company called Burisma. Now, new reporting from The Times suggests that Russian hackers may be trying to fulfill that request. It’s Wednesday, January 15.

Nicole Perlroth, tell me what happened the other day.

So, I’ve been covering cyber security at The Times for about eight years, and I had been working on a story for a couple months about threats to the 2020 election. And as part of that story, I’d been speaking to a source of mine. His name is Oren Falkowitz. He is a former analyst at the National Security Agency, and now he runs a Silicon Valley company that blocks phishing attacks.

Mm-hmm.

And he’s been working with a lot of the Democratic candidates for 2020, and he’d given me an interesting number in the course of that reporting, which was that already the Democratic frontrunners for 2020 have been getting an average of something like 1,000 phishing attempts in the last couple months.

Wow.

Right. It’s a huge number. And so I gave him a call to just do some basic fact checking as we were going to print, and I happened to catch him at an interesting time. And he said, you know what? I actually think I might have something bigger for you. Can I call you back later?

[LAUGHS] That’s a very juicy little tease for a source to give a reporter.

Right.

So what do you do?

I call him back.

And he starts to tell me the full story.

So, starting about New Year’s Eve, he was actually at Disney World with his kids, and he was in line for the teacups ride, as he tells it.

Naturally.

And someone on his team sends him a Slack message.

There is an active Russian phishing campaign against some companies in Ukraine.

Couple days later, a different person on their team was giving a presentation about threats to the oil and gas industry, and took a little bit of a closer look at what these attacks against Ukraine were all about.

They were all subsidiaries of Burisma.

Hmm, the company at the center of the Trump impeachment inquiry and the company on which Hunter Biden sat on the board.

Right. So, Oren’s team takes a close look at these attacks, and they find out that these are pretty sophisticated phishing attacks, for one.

They’ve taken something like, KUBgas.com.ua and just disposed of the “.ua,” so these employees are looking at the website address, and why should they even assume that their company doesn’t own the .com domain?

So, what they saw was that people were indeed accessing these fake login pages.

And giving away their usernames and passwords.

We don’t know what happens after that. Oren’s team can’t say whether they got any emails at all, whether they got any material that would be embarrassing to Joe Biden or his son. But what’s clear is they successfully got in.

So on its face, this would not actually be that weird. Ukraine is known as sort of Russia’s test kitchen for hacking and cyberattacks. It’s basically been under constant attack since before 2014. But when they started unwinding some of these campaigns back, there were two things that stood out. One, this isn’t some random Russian cyber criminal group. This is Fancy Bear, the name of the group that private security researchers give to the G.R.U., Russia’s main intelligence directorate — the same group that hit John Podesta, Hillary Clinton’s campaign chairman, back in 2016.

Wow. So the same group is doing the attack on Burisma?

Exactly.

The other thing that was interesting was the timing. When Oren’s team went back and looked at the timestamps, this was early November. And you have to remember where we were in early November. The private testimony of the impeachment witnesses before the House Intelligence Committee had just wrapped up and we were about to start the public hearings.

So, this division of the G.R.U. is targeting Burisma at the very same moment when Burisma is suddenly at the center of the national conversation in the impeachment process.

Exactly. Here we are again.

With an election year coming up.

With a Russian hack of a sensitive Democratic target.

So Nicole, as he is telling you this, what are you thinking?

I’m thinking this is 2016 all over again. So, I had been told that we were going to see a lot of foreign interference in this election. Not just from Russia, but because Russia had offered a playbook for interference for every other country that had any other incentive to influence the 2020 election, we were told we were going to be getting hit from all sides. But, I had fully expected that perhaps because Russian tactics and techniques had been spilled over the Mueller report and in private security intelligence assessments, that we would see something more sophisticated. But, when Oren was describing this, it was a cookie cutter repeat of what happened to John Podesta back in 2016.

Right. Who would use the exact same technique twice?

Apparently, the G.R.U. does.

We’ll be right back.

Nicole, you said you were talking to Oren as part of your reporting on what to expect from Russia in 2020. But, as you’ve observed, this story that he told you, it sounds like they’re up to the exact same thing as they were in 2016. Why would that be, given that they were caught in the sense that the U.S. understands what they did in 2016 — why would they just use the same tactics in 2020?

Because it still works. People will still click on these links. People will still turn over their passwords. We know people won’t turn on this thing called two-factor authentication to make sure people can’t just hack into their computers from a strange location. And, we also know that the outcome can be the same. We know that in 2016 —

When Russian hackers and trolls dumped John Podesta’s emails and emails at the D.N.C., people devoured them.

People wanted to believe that the race was fixed for Hillary Clinton from the beginning.

And, what they did was, they looked in those emails for any evidence of that, and we got to a place where the Russians successfully sowed American discord.

They basically poured fuel on the fire.

And when you think about where we are in 2020, there’s no evidence to suggest that the outcome wouldn’t be the exact same. When you think about what President Trump was saying last summer into the fall —

— that Burisma was corrupt.

That there was widespread corruption in Ukraine that he wanted investigated.

And you think about what Russian hackers could potentially get from getting inside Burisma’s systems. They might not necessarily find anything that is an exhibit A of corruption. But if you selectively leaked emails out of context, it’d be very easy in the current media climate and the current partisan climate for people to once again devour those emails and find whatever it is they want to find.

There doesn’t have to be all that much there there for it to effectively sow discord?

Exactly.

Nicole, does the fact that the Russians are doing this in pretty much the exact same way as they did in 2016 suggest something about how the United States responded last time, if Russia feels empowered to pretty much do the same thing again?

Well, I think it tells us that they didn’t feel much pain from the Mueller report and sanctions, and from the indictments against Russian hackers and trolls. I mean, you have to remember that even after the American intelligence community concluded that Russian hackers and trolls had interfered in the 2016 election.

The president was still blaming a 400-pound guy sitting on his bed.

In Helsinki, the president said—

I don’t know why it would have been Russia. And more recently—

When a reporter asked Trump at a press conference.

Will you tell Vladimir Putin not to interfere in 2020?

Trump wagged his finger jovially and said, don’t interfere in 2020. There has been no repercussions for Russian interference in 2016, at least not enough to keep them from doing the same thing all over again in 2020.

And of course, the president is now also advancing the theory that it was Ukraine and not Russia that interfered in 2016.

Right, which further absolves Russia from its interference in 2016, and is at the heart of the conspiracy theory that’s gotten Trump impeached in the first place.

Right.

So that’s the bad news, but it actually gets worse. If you remember back in 2016, the D.N.C. was actually hacked by two groups of Russian hackers. The first was Fancy Bear, which we have now talked about. The other was another Russian intelligence group called Cozy Bear.

Right.

And what we now know from our reporting over the last six months is that, well, Fancy Bear’s continued on with these very obvious phishing campaigns and is really up to its old tricks. Cozy Bear, the other group that hacked the D.N.C. back in 2016, has actually dropped off the radar. So about six months ago, researchers I talked to had been following them, and all of a sudden they sort of up and abandoned their hacking infrastructure. They switched out email accounts that were being monitored by the private sector and intelligence officials. They’re now using things like secure, anonymous email accounts that make it much harder for intelligence agencies and private researchers to track their communications.

Hmm. So they’ve kind of gone dark.

Exactly. And it gets a little scarier.

So, one of the things that’s just been happening separately from any of these Russian campaigns over the last year is that American cities and towns have been getting hit with a record number of ransomware attacks. So, these are attacks when cyber criminals — usually looking for a profit — infect their computer systems, hold their data hostage until they pay a ransom.

Right. This happened in Baltimore, for example.

Baltimore.

Atlanta.

New Orleans.

And what I learned in the course of my reporting over the last couple months is that there is a question at the Homeland Security Department and among the intelligence community about whether these were just run-of-the-mill ransomware attacks, or whether there was a G.R.U. component. And the fear is that the attacks might actually just be decoys for some more nefarious sleuthing of these local elections systems.

Wow.

Now, they have not concluded that this is the case, but this is something that the Department of Homeland Security is investigating. And, I think whether or not they conclude that there was some G.R.U. component here, what those ransomware attacks showed us is that American towns and cities are still so vulnerable to the type of attack that could really influence the vote on election day.

Can you help us understand what that might look like?

So, one scenario is, they change the votes. They hack into the actual ballot machines themselves and change people’s votes without anyone’s knowledge. The other thing is that they could actually keep people from voting. They could hack into the software companies that make the software that’s used to check people in at the polls. Someone shows up on election day and they’re told, you’re not registered to vote, or it looks like you’ve already voted. That would essentially be something like digital disenfranchisement. And here’s the thing. Back in 2016, Russia actually hacked into a software company that provided the poll check-in systems. When people showed up in Durham, North Carolina on election day, which is a reliably blue county in an otherwise swing state to vote, there were a lot of people who were kept from voting that day. And they were told, it looks like you’re not registered to vote, even though they were standing there with their registration cards. They were told they had to go to a different location. Some were told that they had already voted. And the county actually had to go to print paper. And it cast a lot of doubt that perhaps Russia actually had succeeded in hacking it in a way to keep people from voting in this blue county. And it took three years. It was only last week — O.K., we’re less than a year away from the next election — it’s only last week that investigators at the Department of Homeland Security concluded that, actually, Russia had not hacked into the system that Durham used, that it looks like technical misconfiguration errors were to blame. And a lot of people we’ve talked to have said, maybe that’s just the point. Russia doesn’t necessarily have to hack the election to throw the outcome into doubt. Maybe making Americans question the final outcome of a presidential election is all it needs to do to undermine faith in our democracy.

So you’re saying that, yes, Russia is doing the same thing that it did in 2016 now. It’s also doing more, possibly. We don’t know what Cozy Bear is up to, and we suspect that Russia may be pursuing this new attack on the election systems themselves.

That’s right, Michael. So let me paint a picture. This would be the worst case scenario that American officials are worried about. One, Russia repeats the 2016 playbook, which it looks like they’re beginning to do. They hacked into Burisma. Let’s say they end up dumping emails that are embarrassing to Joe Biden or his son, and we see a repeat of what we saw with John Podesta and Hillary Clinton in 2016. And then, let’s say they add this new prong, O.K.? Which is the possibility that Russia may hack into the election itself. We’re now in a moment where our faith in institutions is at an all-time low, and that is where you get to the true nightmare scenario for 2020.

Nicole, thank you.

Thank you so much.

We’ll be right back.

Here’s what else you need to know today.

In the seventh Democratic debate, held on the eve of an impeachment trial in the Senate, the three senators in the race, Amy Klobuchar, Elizabeth Warren, and Bernie Sanders said they would temporarily return to Washington to act as jurors in the case.

Much of the debate focused on foreign policy, with many of the candidates calling for restraint in the U.S. approach to Iran, and expressing a reluctance to enter into a new military conflict in the Middle East. But in perhaps the debate’s most tense moment —

Moderators pressed Senator Sanders about the claim made by Senator Warren that Sanders had told her a woman could not be elected president.

A claim that Sanders has denied.

Warren, however, stood by the claim.

That’s it for “The Daily.” I’m Michael Barbaro. See you tomorrow.