A New Hampshire state senator has a key role with the firm that last week revealed Russian military intelligence operatives hacked into the Ukrainian gas company at the heart of President Donald Trump’s impeachment trial.
Sen. Jon Morgan, D-Brentwood, said the entire episode reveals how easy it remains for cyber thieves to do their business and how many “global enterprises” are defenseless against it because they aren’t protected.
“You would be surprised at the number of global enterprises that don’t have adequate protection, still to this day,” Morgan said during an interview.
“It goes back to human nature. Oh, it’s not going to happen to me or what we have is enough or we will take care of it when we need to. Well, you need to.”
Morgan is senior director of security operations at Area 1 Security, a Redwood City, Calif., cyber security company.
The firm specializes in protecting its customers against phishing attacks, or malicious attempts to trick computer users into handing over their username and password information so that attackers can steal content.
In early November, Area 1 officials discovered the Main Intelligence Directorate of the General Staff in the Russian Army (GRU) had launched a targeted campaign against a few select executives at Burisma Holdings.
Hunter Biden, the son of Democratic presidential candidate and former Vice President Joe Biden, was paid $50,000 a month to serve on Burisma’s board. Trump’s July 2019 call with Ukraine, in which he urged the country’s president to investigate the Bidens and Burisma, led to the House’s impeachment inquiry. Trump has said his goal was to fight corruption in Ukraine and that he expects to be exonerated in the Senate trial that’s to begin in earnest this week.
“This was a sophisticated state-sponsored Russian military campaign designed to disrupt the 2020 election cycle,” Morgan said of the attack. “The point of the campaign, from our perspective, was to sow confusion, chaos, mistrust.”
One of the original staffers
Morgan is one of Area 1’s original employees. He previously had done terrorism assessment work for a few years for a Department of Defense contracting firm.
“My original job with Area 1 was to broker relationships with hosting providers, internet service providers and small- and medium-sized businesses all over the world and deploy what we call active sensors, which basically watch bad guys in real time. We tell clients we look for their TTPs: tactics, techniques and procedures,” Morgan said.
The firm possesses one of the world’s fastest web crawlers, which searches the entire internet every 10 days and looks for evidence of these hackers, who most commonly work for state-sponsored groups or organized crime syndicates, Morgan said.
Area 1 calls this group Russia 1 and has been watching it for years.
The same GRU was linked to the hacking of the Democratic National Committee in 2015 and 2016.
“We are inherently conservative as a company. You absolutely do not want to make judgment calls; don’t call it before you know it,” Morgan said.
“What we know is based on statistics. We know this was a successful campaign against Burisma. We don’t yet know what specific information they are after. We don’t know what specific information they obtained.”
Area 1 was one of the first firms to alert federal law enforcement to this group’s hacking of former Hillary Clinton Campaign Chairman John Podesta’s emails in March 2016, all of which were later disclosed by WikiLeaks in the midst of the presidential campaign.
“If it follows the same playbook as 2015 and 2016, they have infiltrated and already obtained significant documentation that can be taken out of context and will leak it at opportune times to take the greatest advantage,” Morgan said.
How Burisma got hacked
In one case, the targeted executives were approached online from a domain name that read “kub-gas.com.” This was the GRU’s malicious domain masquerading as the legitimate one, which belongs to a Burisma subsidiary under the name “kub-gas-ua.”
“Are you really paying attention to whether it says .ua or .com? Of course you are not,” Morgan said.
“The user, the potential victim, has to be tricked into putting their username and password in and then clicking log in. Then the Russians can go into the legitimate domain, log in and take whatever they want.”
Area 1 Security has also connected this GRU phishing campaign to one targeting a media organization founded by Ukraine President Volodymyr Zelensky.
A first-term senator, Morgan said the Sept. 11 terrorist attacks influenced his career choice.
“I went to Notre Dame, Class of 2005. Rewind four years. September of 2001, I remember sitting in my freshman dorm room thinking about what I wanted to do with the rest of my life. I knew I wanted to serve in some capacity,” Morgan said.
He double majored in Arabic studies and political science.
“When I got out, I had job offers to work for the NSA [National Security Agency] or for a private defense contractor,” Morgan recalled. “I decided very quickly I didn’t want to be sitting in a dark cubicle listening on headphones for the rest of my life.”
Phishing still top method
Phishing stunts that warn users with such threats as “You need to change your password” are still the most popular entry points to hacking.
“These attacks are not sophisticated in nature,” Morgan said. “Nine out of 10 successful attacks started from a simple phishing campaign.”
Morgan said it’s no longer enough for a company to just have a capable IT department. The company needs a relationship with a cyber security expert, he said.
“It is exponentially less of a problem to be proactive and preemptive about these things. Protect yourself up front rather than clean up the mess,” Morgan said.
“Going in after the fact is a nightmare because it is so incredibly costly and it is crippling for any victim, whether it’s government, business, hospitals, whatever.”