Within days of Russia’s invasion of Ukraine, security researchers in Waterloo were combing through a trove of leaked documents suggesting a parallel cyberattack on Ukraine’s western allies by a notorious Russia-based ransomware group.
The documents, spilled in a large data dump on February 27th, suggested that the Conti ransomware gang would target countries that have imposed sanctions on Russia over President Vladimir Putin’s attempt to subjugate Ukraine. The leak was reportedly the work of dissatisfied Ukrainian Conti members who were upset with the group’s statement in support of Putin’s actions, issued the day after the invasion began.
Waterloo-based global cybersecurity firm eSentire, reviewing the leaked documents, warns that European and North American companies, agencies and governments could face threats from cybercriminals out for not only ransom but revenge.
This week, the cybersecurity firm, whose valuation surpassed $1 billion last month after it raised $325 million in new investment, released a 10-page early analysis of some of the translated chats, which comprise 60,000 chat messages and financial data on Conti’s business between January 29, 2021 and February 27, 2022.
To date, eSentire has only processed about a quarter of the chats, but they were very insightful, said Keegan Keplinger, Research and Reporting Lead at eSentire: “They reveal tactics and techniques. You see allegiances, you see drama. You see it’s really a marketplace where people come in and buy and sell things, throw away bitcoin wallets and say, ‘Hey, I built your infrastructure. Pay me here.’”
Addressing the apparent disunity within Conti exposed by the document leak, Mark Sangster, vice-president, industry security strategies at eSentire, said, “You don’t see this type of civil unrest among the groups. They tend to collaborate . . . (and) look to other gangs to share tools or expertise in their criminal ecosystem. In that respect, (the document dump) is quite unusual.”
What the document dump reveals is the cyber gang’s sophisticated corporate structure. This isn’t a bunch of teenagers trying to outdo each other by defacing websites, the so-called “script kiddies”. The documents show the type of communication one might see in any Fortune 500 environment, with a pecking order, purchase requests, discussions of market share, and cost control.
“You can buy security products and test them and sandbox them the same way we look at malware and reverse engineer them,” Sangster said. “There is wisdom in how far they go. Some of the messages are about setting up fake companies and collaborating with security company representatives to get technical demos and walk-throughs, and you can imagine [them asking], ‘So how could you have stopped this latest version of ransomware?’ And you have an engineer on the white hat side who explains to them exactly how the technology works and how they plan to avoid that in the future.” Gang members then use this information to develop their next-generation intrusion methods.
The 200 to 300 Conti members and employees gain an advantage by duping unsuspecting company representatives for tips that help them optimize their product, Sangster said, but “conversely, we can’t have the same conversations with them, unless we find some kind of traitor to the organization.”
It’s an arms race between cybercriminals and their victims, Keplinger said, in which the two sides evolve together, “and often the side with the better resources comes out on top.” Conti is an example of a very well-equipped criminal organization.
The eSentire Threat Response Unit (TRU) believes Conti compromised more than 50 victims in three months, most of them in Europe and the UK, with others in the US, Canada, Australia and New Zealand. Among the targets: over a single weekend, Belgium’s international terminal operator SEA-Invest, as well as two German and one Dutch oil storage/transport companies, were hit by cyberattacks, affecting everything from food distribution to almost 2,000 Shell stations. Other targets last fall included Australia’s largest electricity supplier, a New Zealand IT company, and an Italian natural gas distributor.
On February 25, the day after the Russian invasion of Ukraine, Conti posted a warning on its data leak website, announcing that if anyone organized a cyber attack or military attack against Russia, the group would retaliate against the “enemy’s infrastructure.” That initial warning was scaled back somewhat on the same day, but the threat remains: Conti stands ready to defend Russian interests. The chat log shows examples of intrusions into Western organizations, with one member claiming to have good contacts with the Russian diaspora in New York and other US states.
However, the chat logs also show that Conti members are trying to root out Ukraine sympathizers within their group. One member, using the alias Mango, explains that “we generally work for loot :)” but chats with another member who is compiling a list of those “working against the Russian Federation”. Mango asks a senior member, “…are we patriots…” and the answer is, “Of course we are patriots.”
With this data dump in the open, chances are good that Conti operators will have to rebuild their infrastructure or rebrand their organization.
Elizabeth Clarke, director of public relations at eSentire, notes that review of the document dump has revealed some of Conti’s key players, such as: Stern, the financier and strategic decision maker; Mango, the main developer; Carter, infrastructure management; Bentley, tool integration; the BazarLoader gang, botnet operators; Professor, expert on the Cobalt Strike attack tool; and Lemur, developer of their phishing email templates. Presumably these aliases will be phased out.
But this data dump is unlikely to affect the group’s Russian base of operations. Conti and similar groups thrive in destabilized countries, Sangster says. “They have been operating with impunity – at best, law enforcement will turn a blind eye, or in other countries they may not have the resources to stop these guys. If you look at the fighting that’s happening now, we’re seeing cyber warfare, cyber tactics and cyber attacks adding to the kinetic warfare of missiles, tanks and troops, this hybrid warfare that we’re seeing now. That could also mean they work in conjunction with the Russian government.” So not only do the criminals have the financial and technical resources, they also share information. “This increases the amplitude of their ability to step out and engage western targets.”
Keplinger sees the relationship between Conti and the Kremlin as more of a business relationship than a political partnership: it’s not even clear whether Conti will be paid for its work. “The Russian government gave some members of the group a ‘request’ and they relayed it to the rest of the group. It was an opportunity for the Conti gang.” Some of the Ukraine-specific infrastructure attacks, Keplinger said, were likely orchestrated by the Russian state, most notably the DDoS (distributed denial of service) attacks on banks and the use of wiper malware, which he believes was sloppily coded and delivered.
Conti’s intention, Sangster said, is to disrupt critical infrastructure beyond Ukraine’s borders and “to sow fear and insecurity . . . raising public doubts about their government’s ability to protect them.” A country may want to impose sanctions on a belligerent power, “but that can hurt us at home. … And ultimately it will erode confidence in the governments that oppose him (Putin).”
What can the “good guys” learn from the Conti chat dump?
Sangster said he has “never seen such a low threshold for cyberattacks as we’re seeing now . . . We’re at that point now, with the conflict that’s happening in Eastern Europe, where the gloves are off. They don’t care.” With sanctions affecting the money supply in Russia, cybergangs will turn to cryptocurrency, the currency of choice for all cybercriminals.
“They will do it for money. They will do it out of revenge. They’re angry because they can’t go to their bank,” Sangster said.
The eSentire team found that, despite all the attention focused on Russia, western governments still have gaps in their defenses. Sangster warned that while large companies may be the most visible victims of cyberattacks, no company is too small to be a target. If the gangs can’t extort money directly from a small business, they can steal and sell its data.
Sangster and Keplinger say companies and agencies of all sizes should ask themselves: do we have cyber insurance? Have we practiced an incident response? Have we checked online government advisories on the latest attacks? Do we think antivirus is enough? Have we enabled multi-factor authentication?
Sangster said: “Companies should not take comfort in the fact that they have no branches or connections or members of the supply chain in Ukraine…. The reality is you will see more knock-on effects.”
“In any kind of chaos, criminals strike.”