Conti virus gang suposedly linked to Russian hackers targeting Ukraine

Google claims that former Conti ransomware operators helped to target Ukraine

Amid the Ukraine-Russia conflict, Google links hacker gang to operations against NGOs and Ukrainian organizations

Some of the hackers linked with the major Conti ransomware attacks are now part of the threat gang tracked as UAC-0098, which targets Ukrainian organizations and European non-governmental organizations. Google reports^[1] that these tactics of Russia-linked threat actors link to the group of initial access brokers.^[2] These attackers use the IcedID banking trojan to provide particular ransomware groups with access to compromised systems within the networks.^[3]

Threat Analysis Group for Google works to defend users from state-sponsored attacks, and this threat group linked to Russian malware operations has been tracked since April. TAG team links overlap with former Conti ransomware operations, and these recent cybercrime campaigns started after Russia invaded Ukraine. The process started when the phishing campaign pushed via the Conti-linked Anchormail backdoor was the first incident noticed by the threat researchers:

In the initial encounter with UAC-0098, 'lackeyBuilder' was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups.

These particular attacks were observed in Spring – Summer with additional changes to tactics and method, lures, and tooling. However, the main target remained to be Ukrainian organizations linked to humanitarian help. especially hotel chains. These campaigns included an impersonation of the National Cyber police of Ukraine or Elon Musk and StarLink representatives.^[4]

Using tools linked with particular cybercrimes

Analysis shows that since the start of the investigation, threat actors have used these tools and services that are generally employed by cybercriminals for the purpose of getting initial access to compromised machines. Those tools include the mentioned IcedID trojan, EtterSilent malicious document builder, and the Stolen Image Evidence social engineering malware spreading service.

The UAC-0098 group has released campaigns spreading IcedID, and Cobalt Strike malicious payloads in particular phishing attacks targeting organizations in Ukraine and European NGOs. The group uses hacktivism and electronic warfare^[5] to seek profit, and researchers state that these criminals are becoming active in the area in huge numbers.

Links to Conti ransomware group

Google threat intelligence researchers state that these attributions to the Conti ransomware^[6] group can be made due to the multiple overlaps between the TrickBot, this UAC-0098 group, and the Conti ransomware cybercrime gang. Various indicators show that members of the team repurpose their methods used before to target Ukraine.

The group potentially acted as the initial access broker for various ransomware groups and Russian cybercriminals groups known as FIN12 or Wizard Spider. All these links and techniques reported in the Google team blog post can be backed by previous reports from other cybersecurity research teams.

The infection known as Conti ransomware is a Russian-based threat that was first noticed in 2020 when Ryuk ransomware stopped operating. The gang is still active with other threats, and these particular criminals have taken over the distribution of TrickBot and BazarBackdoor malware pieces.

The particular source code of the Conti ransomware encryptor and other gang activities got revealed online by other researchers right after the invasion of Ukraine. These ransomware operations should be shut down now, but while the Conti ransomware might be down, criminals continue to operate in smaller groups included in ransomware and criminal operations.