Within days of Russia’s invasion of Ukraine, security experts in Waterloo were combing through a trove of leaked documents that pointed to a parallel cyber-attack on Ukraine’s Western allies by a notorious Russian-based ransomware group.
The documents, leaked in a major dump on Feb. 27, suggested that the Conti Ransomware Gang would be targeting countries that have imposed sanctions on Russia over President Vladimir Putin’s attempt to subjugate Ukraine. The leak was reportedly the work of disaffected Ukrainian members of Conti who were upset by the group’s statement of support for Putin’s actions, issued the day after the invasion began.
Global cybersecurity firm eSentire of Waterloo, in reviewing the leaked documents, warns that European and North American businesses, agencies and governments could face threats from cyber-gangsters who are not just after ransom, but revenge.
This week, the cybersecurity firm – which surpassed US$1 billion in value last month after raising US$325 million in new investment – released an early, 10-page analysis of some of the translated chats. The leak itself comprises roughly 60,000 chat messages and financial data about Conti’s operations between Jan. 29, 2021 and Feb. 27, 2022.
To date, eSentire has processed only about one-quarter of the chats, but they have been very telling, said Keegan Keplinger, Research and Reporting Lead at eSentire: “They reveal tactics and techniques. You see loyalties, you see some drama. You see that it is really a marketplace, where people are coming in and buying and selling stuff, throwing down Bitcoin wallets and saying, ‘Hey, I put up your infrastructure. Pay me here.’”
Speaking to the apparent disunity within Conti that the document leak reveals, Mark Sangster, Vice-President, Industry Security Strategies for eSentire, said, “You don’t tend to see that kind of civil unrest amongst the groups. They tend to collaborate . . . (and) look at other gangs to share tools or expertise throughout their criminal ecosystem. In that respect, (the document dump) is fairly uncommon.”
What the document dump does show is the sophisticated corporate structure of the cyber-gang. This is not a group of hotshot teenagers trying to outdo each other in defacing websites – the so-called “script kiddies.” The documents reveal the kind of communication one might see in any Fortune 500 environment, with a pecking order, purchase requests, discussions about market share and cost control.
“They can buy security products and test and sandbox them, just the way that we’re looking at malware, and reverse-engineer it,” Sangster said. “There’s a cleverness in how far they go. Some of the messages talk about setting up fake companies and engaging with representatives of security firms to get technical demos and walk-throughs, and you can picture [them asking], ‘So, how could you have stopped that last version of ransomware?’ And you’ll have an engineer on the white-hat side explain to them exactly how the technology works” and how they plan to avoid that in the future. The gang members then use that information to build their next-generation intrusion methods.
The 200 to 300 Conti members and associates have first-mover advantage by using deception to quiz unsuspecting company officials for tips that help them optimize their product, said Sangster, but “conversely, we can’t have the same conversations with them, unless we find some kind of traitor to the organization.”
It’s an arms race between the cyber criminals and their victims, Keplinger said, with two sides co-evolving, “and often, the better-resourced, better-equipped side comes out on top.” Conti, he said, is an example of a very well-resourced criminal organization.
The eSentire Threat Response Unit (TRU) believes that Conti has compromised more than 50 victims in three months, with most targets in Europe and the U.K., and others in the U.S., Canada, Australia and New Zealand. Among the targets: On one weekend, Belgium’s international terminal operator SEA-Invest and two German and one Dutch oil storage/transport companies were hit by cyber attacks that affected everything from food distribution to nearly 2,000 Shell stations. Other targets last fall included Australia’s largest electricity provider; a New Zealand IT company; and an Italian natural gas distributor.
On Feb. 25, one day after Russia’s invasion of Ukraine, Conti posted a warning on its data leak site announcing that if anyone organized a cyber attack or military attack on Russian assets, Conti would use “all possible resources to strike back at the critical infrastructures of an enemy.” That initial warning was walked back slightly the same day, but the threat remains: Conti is ready to defend Russian interests. The chat log gives examples of how to penetrate Western organizations, with one member claiming to have good contacts with the Russian diaspora in New York and other U.S. states.
But the chat logs also show that Conti members are trying to root out the Ukraine sympathizers within their group. One member — with the pseudonym Mango — states that “In general, we work for loot :)” but chats with another member who is compiling a list of those “who are working against the Russian Federation.” Mango asks a senior member, “…are we patriots…” and the reply is: “We are of course patriots.”
With this data dump, the odds are good that Conti operators will have to restructure or rebrand their organization.
Elizabeth Clarke, Director of Public Relations for eSentire, notes that the review of the document dump has revealed some of Conti’s key players, such as: Stern, the financier and strategic decision-maker; Mango, the lead developer; Carter, infrastructure management; Bentley, tools integration; the BazarLoader gang, botnet operators; Professor, expert on the intrusion tool Cobalt Strike; and Lemur, developer of their phishing email templates. Presumably, those aliases will be retired.
But it is unlikely this data dump will dislodge the group from Russia. Conti and similar groups thrive in destabilized countries, says Sangster. “They’ve operated with impunity – at best, the law enforcement agencies turn a blind eye, or in other countries, they may have inadequate resources to stop these guys. When you see the fighting that is going on now, we’re seeing cyberwar, cyber-tactics and cyber attacks added to kinetic war of rockets, tanks and troops, this hybrid war that we see now, this also could mean that they are working in conjunction with the Russian government.” So, not only do the criminals have the financial and technical resources, but they may also be sharing intelligence with the state. “This increases the amplitude of their ability to go out and attack Western targets.”
Keplinger believes the Conti-Kremlin relationship is more of a business relationship than a political partnership: It’s not even clear if Conti is being paid for their work. “The Russian government provided an ‘ask’ to some members of the group, and they conveyed it to the rest of the group. It was an opportunity for the Conti gang.” Some of the Ukraine-specific infrastructure attacks, said Keplinger, were likely Russian state-organized, particularly the DDoS (distributed denial of service) attacks on banks and the deployment of wiper viruses, which he said, were sloppily coded and delivered.
Conti’s intention, said Sangster, is to disrupt critical infrastructure beyond Ukraine’s borders, and “sowing fear and uncertainty . . . creates doubts in the public’s minds as to whether their government can protect them…” A country may want to apply sanctions against a bellicose power, “but this may hurt us at home. … And ultimately, it’s going to erode confidence in the governments who stand up to him (Putin).”
What can the “good guys” learn from the Conti chat dump?
Sangster said he hasn’t seen “as low a threshold for cyber attacks as we are seeing right now . . . we’re at this point now, with the conflict that’s happening in Eastern Europe where the gloves are off. They don’t care.” With sanctions affecting the money supply in Russia, cyber gangs will lean even more heavily on cryptocurrency, already the currency of choice for cyber criminals.
“They will do it for money. They will do it for revenge. They are angry because they can’t go to their bank,” Sangster said.
The eSentire team noted that with all the attention being focused on Russia, Western governments may be leaving gaps in their defences. Sangster warned that while large organizations may be the visible victims of cyber attacks, no company is too small. If the gangs can’t extort money directly from a small company, they can steal its data and sell it.
Sangster and Keplinger say companies and agencies of any size should be asking themselves: Do we have cyber insurance? Have we practised an incident response? Have we reviewed the online government advisories about the latest attacks? Are we thinking that antivirus is enough? Have we enabled multi-factor authentication?
Said Sangster: “Companies should not take comfort in the fact that they do not have operations or ties or supply chain members in Ukraine…. The reality is you are going to see more knock-on impacts.”
“In any kind of chaos, that’s when criminals strike.”