If Russia Hacked Burisma, Brace for the Leaks to Follow

The Kremlin likely hacked the oil giant. Its next play: selectively release—and even forge—documents. Did the US learn enough from 2016 to ignore them?

The oil firm Burisma sits at the center of the Venn diagram of two of the Kremlin's hacking obsessions: It's in Ukraine, Russia's favorite playground for all manner of cyberattacks. And it's at the core of a political controversy that might further divide the US and aid Donald Trump's reelection campaign. All of that makes Burisma an almost inevitable target for another hack-and-leak operation of the sort that Russia carried out against the Democratic National Committee and the Clinton campaign in 2016—once again with the goal of influencing a US election.

Now the first evidence has surfaced, in a report from security firm Area 1, that the very same team of Russian hackers who hit those targets may in fact have hacked Burisma. If so, the next step in the Kremlin playbook is very likely another round of selectively leaked documents aimed at swaying the 2020 election result. The possibility raises a tough question: Did the US learn anything from the last round? Or are voters—and the media—as susceptible as ever to a well-executed Russian influence operation?

On Monday evening, The New York Times reported, citing Area 1, that the hacking group known as Fancy Bear or APT28 targeted Burisma with a phishing campaign that began in November, just as the company found itself at the center of a political maelstrom. Democratic presidential hopeful Joe Biden's son Hunter served on its board until last year, and Trump's impeachment has centered around allegations that he pressured the Ukrainian government to open a corruption investigation into Burisma to harm the senior Biden's campaign.

For now, it's still not entirely proven that Russia did hack Burisma. Some cybersecurity analysts see Area 1's evidence tying the phishing campaign to Fancy Bear—and determining that those phishing emails worked—as less than definitive. (Security firm ThreatConnect, for instance, looked at some of the same phishing domains used in the campaign late last year and concluded with only "moderate confidence" that Fancy Bear was behind them. Area 1, meanwhile, tells WIRED that its findings are "incontrovertible" and that it has more evidence that it declined to share publicly.)

But given the potential for even the slightest speck of Biden dirt found on Burisma's server to carry political weight, a hacking campaign targeting the firm or other Biden-linked organizations was almost inevitable, says Clint Watts, a research fellow at the Foreign Policy Research Institute and author of the book Messing with the Enemy. As are subsequent leaks.

"Anyone who's worked with Hunter Biden should be having a panic attack right now," Watts says. In some respects, he argues, a Russian influence operation based on stolen files is even easier in 2020 than it was in 2016, when Russian intelligence used an invented "hacktivist" named Guccifer 2.0 to distribute Clinton's stolen files to news outlets.

"Last time they did broad hacking to find as much information as possible to dig through and find derogatory narratives," Watts says. "This time they’ve got the president advancing a very specific narrative already. So rather than finding the dirt, this time they can pursue a narrative that's already out there and make it come true."

Lessons Learned—and Not

Still, Watts argues, most Americans are by now at least aware of Russia's influence operation tricks. If politically charged documents leak publicly following reports of Russian hacking, many voters and reporters would likely look at them far more skeptically than they did last time, when many prominent news outlets published stories from Russia-leaked documents.

But that doesn't mean media outlets won't still pick up leaks, or that Fancy Bear won't selectively release emails or documents that some voters will interpret as confirmation of anti-Biden suspicions. "If media runs with it this time, they do so willingly. Some people will be complicit," Watts says. "A Fox News audience will say, 'We need to know, and the Russians helped us find out.'"

The idea that postmortem analysis of 2016 somehow immunized the US against a rerun of the same tactics is "fanciful," says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of the forthcoming book Active Measures, which explores the history of disinformation and influence operations.

Rid also warns that any 2020 leaking campaign by a foreign intelligence agency will almost certainly include false documents or ones that have been slightly modified to better suit the leaker's agenda. His book cites previously unreported examples where Russia tweaked its US-targeted leaks in 2016 to better fit the Kremlin's narrative. Examples of those "tainted leaks" pertaining to Russia's own domestic politics have also been well-documented by the nonprofit security research group Citizen Lab.

"Sure, we have some improved resistance, but it all depends on how juicy the leaked content is," Rid says. "A really juicy leaked story, perhaps boosted by some subtle forgery, could easily break into prime-time cable TV coverage—then emotions will trump facts, and nuance and detail go out the window."

Media in the Crosshairs

If 2016 taught any lesson, it's that the media needs to be far more vigilant about intelligence-driven leaks in 2020. And if outlets do run with stories from stolen documents, they need to be far more transparent about the nature of that sourcing, says Renee DiResta, a disinformation-focused researcher at Stanford's Internet Observatory. "In 2020 we need to see more contextualization of where the content came from, who executed the hack, why, and how that actor benefits from shaping our media coverage or political dynamics," she says. "Media has to recognize that they are a target for manipulation."

But even after all the postmortems of Russia's 2016 election interference—and its similar effort during the following year's French election—there's still no full picture of how exactly Russian agents worked to influence the media in 2016 and 2017, argues Camille Francois, a researcher for network analytics firm Graphika who helped the Senate Select Intelligence Committee investigate 2016 election interference. No one has comprehensively cataloged how they reached out to news outlets—or in some cases how WikiLeaks did, with leaks that Russian agents provided—or exactly which outlets were targeted. "In general, every time we think we know the whole story, there are still clear blind spots about operational details," Francois says.

Investigators also don't always share everything they know about media targeting with the potential targets of the next influence operation, Francois points out. "The media absolutely has a responsibility here. But let’s ask ourselves: Have we properly prepared reporters for this threat?" she asks. "Did we share the details and forensics they need in order to understand what foreign outreach looks like in practice and how it has manifested in previous operations? What are the systems in place to warn them if and when they are targeted by foreign adversaries?"

On all those fronts, it seems, the targets of the last influence operation may still not have caught up with the manipulator's tactics. And the next operation may already be well under way.

