
Google said former Conti ransomware gang members helped target Ukraine


A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says.

The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity.

With the war in Ukraine now more than half a year old, cyber activity including hacktivism and electronic warfare has been a relentless presence in the background. Now, TAG says that profit-seeking cybercriminals have become active in the area in greater numbers.

From April through August 2022, TAG has been following “an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers,” writes TAG’s Pierre-Marc Bureau. One of these state-backed actors has already been designated by CERT-UA, Ukraine’s national Computer Emergency Response Team, as UAC-0098. But a new analysis from TAG links it to Conti: a prolific global ransomware gang that hit the Costa Rican government with a cyberattack in May.

“Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine,” Bureau writes.

The group referred to as UAC-0098 has previously used a banking Trojan called IcedID to carry out ransomware attacks, but Google’s security researchers say it is now shifting to campaigns that are “both politically and financially motivated.” According to TAG’s analysis, the members of this group are using their expertise to act as initial access brokers: the hackers who first compromise a computer system and then sell access to other actors who have an interest in exploiting the target.

Recent campaigns saw the group send phishing emails to a variety of organizations in the Ukrainian hospitality industry purporting to be the Cyber Police of Ukraine or, in another instance, targeting humanitarian NGOs in Italy with phishing emails sent from the hacked email account of an Indian hotel chain.

Other phishing campaigns impersonated representatives of Starlink, the satellite internet system operated by Elon Musk’s SpaceX. These emails delivered links to malware installers disguised as the software required to connect to the internet through Starlink’s systems.

The Conti-linked group also exploited the Follina vulnerability in Windows systems shortly after it was first publicized in late May of this year. In this and other attacks, it is not known exactly what actions UAC-0098 has taken after systems were compromised, TAG says.

Overall, the Google researchers point to “blurring lines between financially motivated and government-backed groups in Eastern Europe,” an indicator of the way cyber threat actors often adapt their activities to align with the geopolitical interests of a given region.

But it is not always a winning strategy. At the beginning of the Ukraine invasion, Conti paid the price for openly declaring support for Russia when an anonymous individual leaked access to over a year’s worth of the group’s internal chat logs.

Writer at Ficus Web | News report and short story
