The oil firm Burisma sits at the center of the Venn diagram of two of the Kremlin's hacking obsessions: It's in Ukraine, Russia's favorite playground for all manner of cyberattacks. And it's at the core of a political controversy that might further divide the US and aid Donald Trump's reelection campaign. All of that makes Burisma an almost inevitable target for another hack-and-leak operation of the sort that Russia carried out against the Democratic National Committee and the Clinton campaign in 2016—once again with the goal of influencing a US election.
Now the first evidence has surfaced, in a report from security firm Area 1, that the very same team of Russian hackers who hit those targets may in fact have hacked Burisma. If so, the next step in the Kremlin playbook is very likely another round of selectively leaked documents aimed at swaying the 2020 election result. The possibility raises a tough question: Did the US learn anything from the last round? Or are voters—and the media—as susceptible as ever to a well-executed Russian influence operation?
On Monday evening, The New York Times reported, citing Area 1, that the hacking group known as Fancy Bear or APT28 targeted Burisma with a phishing campaign that began in November, just as the company found itself at the center of a political maelstrom. Democratic presidential hopeful Joe Biden's son Hunter served on its board until last year, and Trump's impeachment has centered around allegations that he pressured the Ukrainian government to open a corruption investigation into Burisma to harm the senior Biden's campaign.
For now, it's still not entirely proven that Russia did hack Burisma. Some cybersecurity analysts see Area 1's evidence tying the phishing campaign to Fancy Bear—and determining that those phishing emails worked—as less than definitive. (Security firm ThreatConnect, for instance, looked at some of the same phishing domains used in the campaign late last year and concluded with only "moderate confidence" that Fancy Bear was behind them. Area 1, meanwhile, tells WIRED that its findings are "incontrovertible" and that it has more evidence that it declined to share publicly.)
But given the potential for even the slightest speck of Biden dirt found on Burisma's server to carry political weight, a hacking campaign targeting the firm or other Biden-linked organizations was almost inevitable, says Clint Watts, a research fellow at the Foreign Policy Research Institute and author of the book Messing with the Enemy. As are subsequent leaks.
"Anyone who's worked with Hunter Biden should be having a panic attack right now," Watts says. In some respects, he argues, a Russian influence operation based on stolen files is even easier in 2020 than it was in 2016, when Russian intelligence used an invented "hacktivist" named Guccifer 2.0 to distribute Clinton's stolen files to news outlets.
"Last time they did broad hacking to find as much information as possible to dig through and find derogatory narratives," Watts says. "This time they’ve got the president advancing a very specific narrative already. So rather than finding the dirt, this time they can pursue a narrative that's already out there and make it come true."
Lessons Learned—and Not
Still, Watts argues, most Americans are by now at least aware of Russia's influence operation tricks. If politically charged documents leak publicly following reports of Russian hacking, many voters and reporters would likely look at them far more skeptically than they did last time, when many prominent news outlets published stories from Russia-leaked documents.
But that doesn't mean media outlets won't still pick up leaks, or that Fancy Bear won't selectively release emails or documents that some voters will interpret as confirmation of anti-Biden suspicions. "If media runs with it this time, they do so willingly. Some people will be complicit," Watts says. "A Fox News audience will say, 'We need to know, and the Russians helped us find out.'"