EXETER — State Sen. Jon Morgan has unique insight into the Ukrainian energy company at the center of the ongoing impeachment trial against President Donald Trump.
In his professional life, Morgan, a Brentwood Democrat, is a senior director of security operations for Area 1, a California-based cyber security company. Area 1 recently released a report detailing a hacking operation against Burisma Holdings, a Ukrainian natural gas company, by Russian military intelligence, better known by the acronym GRU.
Morgan said his original responsibilities include developing relations with internet service providers (ISPs) and hosting providers for small- to medium-sized companies. He said his company has the ability to catalog the entire internet every 10 days by using a high-speed web crawler.
Morgan said Area 1 monitors 150 to 190 known organized hacking groups, some of which are state-sponsored and others that are typically part of organized crime syndicates. He said by cataloging the entire web, Area 1 employs various methods to identify the typical tools, tactics and procedures, or TTPs, employed by sophisticated hacking groups, such as the use of phishing, which the Area 1 report states is the genesis of “nine out of 10 cyber attacks.”
According to Area 1’s report, GRU began a phishing campaign in 2019 targeting the servers of subsidiary companies belonging to Burisma Holdings. The report states GRU phished credentials to permit hackers to appear as specific Burisma email users by creating a “lookalike” domain login. In several instances, the GRU fake domain was nearly identical to the legitimate one.
For example, the Burisma subsidiary KUB-Gas LLC’s legitimate domain is kub-gas.com.ua. The suspected malicious domain was kub-gas[.]com. The brackets are inserted around the dot in the report so people reading it know not to visit a phishing domain, Morgan said.
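The lookalike pattern described above can be checked mechanically. The following is an added example, not code from Area 1 or its report: it restores a bracketed ("defanged") indicator and flags a domain whose registered name matches a protected one under a different suffix. The short suffix list, the 0.85 similarity threshold and the example.org sample are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumption: a tiny constructed suffix list; real tooling should load the
# full Public Suffix List instead.
SUFFIXES = {"com.ua", "com", "ua", "net", "org"}

def refang(indicator: str) -> str:
    """Undo report-style defanging such as kub-gas[.]com."""
    s = indicator.strip().lower()
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", s)

def defang(domain: str) -> str:
    """Bracket every dot so the name cannot be clicked or auto-linked."""
    return domain.replace(".", "[.]")

def split_domain(host: str) -> tuple[str, str]:
    """Return (registered label, suffix) using the longest known suffix."""
    labels = host.rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SUFFIXES:
            return labels[i - 1], suffix
    raise ValueError(f"no known suffix in {host!r}")

def classify(candidate: str, legitimate: str, threshold: float = 0.85) -> str:
    """Compare a candidate against a protected domain.

    'legitimate' - same registered label and suffix (subdomains included)
    'lookalike'  - label identical or nearly so, but not the same domain
    'unrelated'  - label similarity below the (assumed) threshold
    """
    cand = split_domain(refang(candidate))
    legit = split_domain(refang(legitimate))
    if cand == legit:
        return "legitimate"
    similarity = SequenceMatcher(None, cand[0], legit[0]).ratio()
    return "lookalike" if similarity >= threshold else "unrelated"

# The first two samples are the domains named in the article; the last two
# are constructed for contrast.
PROTECTED = "kub-gas.com.ua"
SAMPLES = ["kub-gas[.]com", "kub-gas.com.ua", "mail.kub-gas.com.ua", "example.org"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{defang(refang(sample)):28} {classify(sample, PROTECTED)}")
```
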
Morgan declined to state what Area 1’s connection is to Burisma, only saying his company has a policy of not specifically discussing possible or potential clients.
The report states, “Like all phishing campaigns, we observe the GRU was successful because they found a way to appear authentic to their targets, rather than using any technical sophistication.” However, Morgan said it’s difficult to draw conclusions on what the Russians may have been searching for.
“This report is a very conservative analysis and due to the sensitivity surrounding Burisma, we don’t want to draw any conclusions,” he said. “We wouldn’t release a report like this unless we feel it’s necessary to inform the public that there is a malicious hacking campaign underway.”
So how did Area 1 conclude Russia’s GRU was responsible for the Burisma attack?
Morgan said the timing of the hacking operation was similar to past Russian-tied hacking efforts beginning in 2015 in the run-up to the U.S. 2016 general election. Area 1 refers to GRU hackers as RUS-1, or “Fancy Bear,” and Morgan said his company has monitored GRU since it was suspected of hacking the Democratic National Committee in 2016 and stealing incendiary emails from party insiders, which were published by WikiLeaks.
“We can say there is a correlation between the timing of the start of the Burisma hack with the impeachment trial,” Morgan said. “It’s following the same timeline, traditional playbook that began in 2015-2016. The GRU is attempting to insert itself into the confusion of the 2020 election cycle and it can’t be ignored.”
Burisma is at the center of the impeachment trial because Democrats are accusing Trump and his administration of holding up military aid to Ukraine until its government announced a formal investigation against presidential candidate and former Vice President Joe Biden and his son, Hunter.
Burisma once employed Hunter Biden as a board member, paying him a reported $50,000 a month beginning in 2014 while his father was still vice president. Hunter Biden’s stint on Burisma’s board began shortly after he was discharged from the Navy for testing positive for cocaine. Conservatives believe Joe Biden as vice president exerted influence on the Ukrainian government to fire a prosecutor who vowed to investigate Burisma.
“There’s a belief among voters political elites will take care of their own and Burisma officials are on record saying they hired Biden’s son because that’s simply what it takes to do business with the West,” said Dr. Dean Spiliotes, a Southern New Hampshire University professor and founder of NHPoliticalCapital.com. “Hunter Biden’s checkered history is well-documented and that’s him, not Joe Biden. In the past, family issues like Billy Carter’s or Roger Clinton’s drinking problems were not considered fair game as much as they are now.”
Spiliotes said if Biden becomes the Democratic nominee for president, his past work in Ukraine will be a double-edged sword that is awarding him a personalized campaign talking point. However, Ukraine will likely be a point Trump hammers in the general election, regardless of how much or how little the accusations against Biden are grounded in reality, he said.
“Certainly, the personal connection Biden has to Ukraine gives him the sole opportunity to attack the Republicans and Trump for trying to target him,” Spiliotes said. “But Biden never has given a good explanation for this and just thought by ignoring it, it would go away. That’s not how it’s going to work going against Trump. We also don’t know what was uncovered through the hack, and if it’s something damaging, we’re not going to learn about it until after he’d become the nominee.”
Morgan did not want to comment on how the Burisma hack would affect the Democratic primary field.
“Politics is ugly business,” he said. “At that level, it’s no holds barred and both sides are using extraordinarily divisive information to lob attacks at each other. Our report has nothing to do with politics. We work with Republicans, Democrats, Green Party; they all deserve the highest level of (cyber) protection and privacy, which we seek to provide in the best way we can.”