Former Members of Conti Are Targeting Ukraine, Google Says
Initial Access Broker Also Tied to Hits on European Humanitarian Organizations
Hackers associated with the now-defunct Conti ransomware group have turned to disrupting Ukrainian targets, whether for profit or to aid the Russian invasion, or both.
Since the Russia-Ukraine war began nearly 200 days ago, Google's Threat Analysis Group says it has tracked an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Kremlin objectives.
In particular, malware analyst Pierre-Marc Bureau writes in a new report that former Conti members are active in an attack group that previously acted as an initial access broker for ransomware groups including Conti and Quantum. Conti said it would dissolve after declaring "full support" for the Kremlin on the second day of official Russian hostilities in Ukraine. The group attempted to unwind its pledge, but it was too late (see: Russia's War Further Complicates Cybercrime Ransom Payments).
The group, designated UAC-0098 by the Computer Emergency Response Team of Ukraine, has shifted its focus to attacking organizations including Ukrainian government agencies as well as European humanitarian and nonprofit organizations, Google says. Among its favorite private sector targets is Ukraine's hospitality industry, and the group has launched multiple distinct campaigns against the same hotel chains. UAC-0098 is associated with IcedID, a banking Trojan used to steal banking logon credentials.
Despite the expanded targeting, researchers have yet to identify what the group is doing after it makes a successful attack. The group's aims may remain entirely focused on stealing money, with an opportunistic expansion to include Ukraine in its targeting, which Eastern European cybercrime groups were previously careful to avoid for fear of upsetting Moscow.
Its activities are representative of a newfound blurring between "financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," Bureau writes.
Security researchers variously track the operations of Conti, which is supposedly defunct, using the codenames FIN12, Wizard Spider, and ITG23. It's also sometimes known as the TrickBot group, owing to Conti last year having appeared to absorb TrickBot's operations.
Attacks Attributed to Former Conti Members
Bureau says that multiple indicators point to former members of the Conti cybercrime group working as UAC-0098 to repurpose their techniques to target Ukraine.
Google's TAG says that in April it also saw attacks from the group that installed AnchorMail, also known as LackeyBuilder, a Conti-developed backdoor. TAG says AnchorMail previously ran as a plug-in module for TrickBot but appears to have been updated to run stand-alone.
In May, the group launched a phishing attack targeting hospitality workers that impersonated the National Cyber Police of Ukraine with a message urging them to update their operating system. Victims who clicked on the link instead downloaded a script that executed an IcedID dynamic link library on Windows.
Also in May, a phishing email targeting the Academy of Ukrainian Press contained a link to a cloud-hosted Excel document that fetched a Cobalt Strike beacon, the post-exploitation implant of the Cobalt Strike red-team framework. The same IP address that delivered the beacon had earlier been used to deliver IcedID payloads. The attackers also used the same link and the same file to target the hospitality industry.
In June, the group sent thousands of spam emails impersonating national tax authorities that carried malicious documents exploiting the Follina remote code execution vulnerability (CVE-2022-30190). Opening a document downloaded a Cobalt Strike beacon with technical similarities to the IcedID Trojan. Specifically, shared code in the Cobalt Strike payload and IcedID "suggests they are both encrypted with the same crypting service made by Conti group," TAG says.
Google's findings overlap with research from IBM Security X-Force, which tied UAC-0098 to at least six campaigns targeting Ukraine and said the tools used included the IcedID malware, the Cobalt Strike red-team software and the AnchorMail backdoor.
UAC-0098 also used the compromised email account of a hotel in India to target humanitarian nongovernmental organizations in Italy, delivering IcedID through expiring links on the anonymous file-sharing service dropfiles[.]me and through a malware distribution service known as Stolen Image Evidence.
While security researchers tend to ascribe attacks to groups, this remains a difficult and imperfect exercise.
Conti formerly controlled a cybercrime empire that leaks of the group's internal communications suggested included at least 200 full-time employees. Before the group's demise and employee diaspora, it appeared to launch multiple spinoffs, including Alphv/BlackCat, AvosLocker, Black Basta and HelloKitty.
But even in active groups, individual employees come and go, taking knowledge and sometimes code with them. Also, the cybercrime-as-a-service economy is highly decentralized. Many participants act as independent contractors or temporary partners. Many ransomware groups focus on developing malware and rely on affiliates to take this malware and infect victims. Some affiliates work with multiple ransomware groups. Meanwhile, malware used by any individual or group might be bought, stolen or adopted by others. All of this complicates attribution.
Researchers have offered no evidence to suggest UAC-0098 is operating under Kremlin instructions. Rather, the group may simply be taking advantage of a new business opportunity created by Russia's invasion of Ukraine, which Pentagon officials estimate has caused the death of up to 80,000 Russian troops. The United Nations estimates at least 5,718 civilians have died in the fighting while the Ukrainian military has acknowledged the deaths of 9,000 troops.