Skip to main content

Former Conti ransomware gang members helped target Ukraine, Google says

Former Conti ransomware gang members helped target Ukraine, Google says

/

A blog from the Threat Analysis Group describes the tactics of a Russia-linked threat actor

Share this story

Illustration of a phone with yellow caution tape running over it.
Photo by Amelia Holowaty Krales / The Verge

A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says.

The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity.

With the war in Ukraine having lasted more than half a year, cyber activity including hacktivism and electronic warfare has been a constant presence in the background. Now, TAG says that profit-seeking cybercriminals are becoming active in the area in greater numbers.

From April through August 2022, TAG has been following “an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers,” writes TAG’s Pierre-Marc Bureau. One of these state-backed actors has already been designated by CERT — Ukraine’s national Computer Emergency Response Team — as UAC-0098. But new analysis from TAG links it to Conti: a prolific global ransomware gang that shut down the Costa Rican government with a cyberattack in May.

“TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine”

“Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine,” Bureau writes.

The group known as UAC-0098 has previously used a banking Trojan known as IcedID to carry out ransomware attacks, but Google’s security researchers say it is now shifting to campaigns that are “both politically and financially motivated.” According to TAG’s analysis, the members of this group are using their expertise to act as initial access brokers — the hackers who first compromise a computer system and then sell off access to other actors who are interested in exploiting the target.

Recent campaigns saw the group send phishing emails to a number of organizations in the Ukrainian hospitality industry purporting to be the Cyber Police of Ukraine or, in another instance, targeting humanitarian NGOs in Italy with phishing emails sent from the hacked email account of an Indian hotel chain.

Other phishing campaigns impersonated representatives of Starlink, the satellite internet system operated by Elon Musk’s SpaceX. These emails delivered links to malware installers disguised as software required to connect to the internet through Starlink’s systems.

The Conti-linked group also exploited the Follina vulnerability in Windows systems shortly after it was first publicized in late May of this year. In this and other attacks, it is not known exactly what actions UAC-0098 has taken after systems have been compromised, TAG says.

Overall, the Google researchers point to “blurring lines between financially motivated and government backed groups in Eastern Europe,” an indicator of the way cyber threat actors often adapt their activities to align with the geopolitical interests in a given region.

But it’s not always a strategy guaranteed to win. At the start of the Ukraine invasion, Conti paid the price for openly declaring support for Russia when an anonymous individual leaked access to over a year’s worth of the group’s internal chat logs.