
Because the Conti ransomware gang has sided with Russia

by admin

Cybercriminals quarrel among themselves too. It is just one of the effects unleashed by Russia’s aggression against Ukraine, which has turned it into the first conflict fought in real time on the web with cyber-Katyushas and computational propaganda.

A Ukrainian member of the Conti ransomware group, a gang of criminals responsible for stealing data from the Italian companies San Carlo, Artsana and Clementoni, leaked the gang’s internal chats after the group’s leaders posted a pro-Russian message on their dark web blog in the aftermath of the Russian invasion of Ukraine. “The Conti group officially announces its full support for the Russian government. If anyone decides to organize a cyber attack or any war activity against Russia, we will use all possible resources to counterattack the critical infrastructure of the enemies,” the message read.

Angered by the incident, the group’s rebel reportedly then hacked the Jabber/XMPP server used by the gang for secure chats, which contained conversations from January 29, 2021 to February 27, 2022. Among these are messages showing Conti’s relationship with the malware groups TrickBot and Emotet, from which it rented access to infected computers to distribute its own malware, as well as ransom negotiations and the bitcoin addresses where the gang received payments. But these are reportedly only a small portion of a larger whole.


Gianfranco Tonello of the Padua-based TG Soft confirms this: “From this leak, the number of affiliates of the Conti group would seem to be very high, and this would explain the massive number of attacks carried out by this group of cyber-criminals. From the analysis of the chats, a lot of information can be extracted, including the names of victims who most likely paid the ransom, and wallets for payments can be tracked.” Following the disclosure of these messages and the stance taken by other groups, which instead reaffirmed that their interest is solely financial, Conti changed the message, clarifying that it “is against all wars”. In fact, another criminal group, Lockbit 2.0, responsible for the attacks on Thalesgroup, Accenture and other Italian targets, has made it known that “For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work”.

In short, this would seem to be only the latest episode of the first open cyberwar, whose participants include activist guerrilla groups such as Anonymous, which have repeatedly attacked Russian sites and servers; paramilitary groups close to Western intelligence such as GhostSec, which have disclosed information and credentials of Russian personalities; and trolls and bots that have broken through the Kremlin’s propaganda.

Conti Group’s Italian targets

Conti is one of the major ransomware gangs; ransomware is the software that steals the targets’ data and takes it hostage, “freeing” it only after a ransom is paid. Specialized in double extortion, which adds the threat of publishing the stolen data if the ransom is not paid, the gang is mainly Russian-speaking, particularly active and dangerous, and has repeatedly attacked Italy in recent months. Among its latest targets are small and medium-sized enterprises in central and northern Italy such as the Cantina dei colli del Soligo in Treviso, Ciam in Assisi, which deals with refrigeration technologies, Arcese Trasporti in the province of Trento, Comerio Ercole of Busto Arsizio, the municipality of Turin, the Clementoni game company in Recanati, the San Carlo potato chip company, the Della Toffola wine group in Veneto, the Artsana company in Grandate in Lombardy and many others.


Among the most relevant targets abroad, however, Conti hit the Indonesian Bank, the Vienna Insurance Group, the Metro construction group in New York and the Perrin clothing group, also in the US. Previously, Russian and Ukrainian hackers had worked together. The community of experts does not yet have a shared opinion on what happened. However, it is known that these criminal groups are often of state origin, as in the case of the North Koreans of Lazarus; they act thanks to the distraction or complicity of the governments of the countries from which they organize their operations.

According to Analyst1 experts, organized cybercrime of Russian origin, despite US federal indictments, is protected by the Russian government, which does not consider ransomware attacks a crime as long as they do not target Russian organizations. Analyst1 reportedly discovered connections between the Russian intelligence services, SVR and FSB, and the criminals who compromised organizations affiliated with the United States government between October and December 2020, and made a serious accusation: that the Russian Federal Security Service directly hired perpetrators of ransomware attacks and other hackers specializing in banking malware operations. The evidence cited is a trace found in a piece of spyware known as Sidoh, which shares source code with Ryuk ransomware, Conti's earlier name, and was used to find and steal United States government and military documents and to attack financial institutions by stealing SWIFT and IBAN data.

Their report also discusses the Russian government ties of EvilCorp, a group apparently of Ukrainian origin that has now distanced itself from Conti. According to Emanuele De Lucia, chief researcher of Cluster25, “it is clear that the conflict between Ukraine and Russia is destined to reshape even the most stable assets of the Russian-speaking criminal underground. Groups and individuals who previously collaborated closely may now have changed their ideology”. For Tonello, meanwhile, “This is a severe blow to the Conti criminal union and it is no wonder that they will soon be re-branded by adopting a different name”. As if it were a normal company after any reputational damage.

