
The conflict between Russia and Ukraine and the disturbing implications of cybercrime

by admin

The term cyber war is abused by many, who use it to refer to the hacking, espionage and disinformation activities that characterize this dramatic conflict. Unfortunately, the proper meaning of cyber warfare implies a far more destructive use of the IT tools we rely on every day. A cyber attack could destroy military systems, or cause irreparable damage to a nuclear power plant and potentially lead to loss of life. At the moment we are in the first phase of a cyber dispute that could escalate significantly and unpredictably, given the offensive capabilities of states such as Russia.

Russia itself is notoriously home to several of the most dangerous cyber criminal organizations, capable in recent years of putting the world‘s leading companies in check with attacks of various kinds. Today we will talk about a striking case of the leading cybercriminal group in today’s threat landscape, the Conti ransomware gang.

One of the most troubling aspects of this conflict on the cyber front is the presence of numerous non-state actors on the battlefield, cyberspace. On one side are computer experts who answered the call to arms of the Ukrainian government, supported by numerous groups close to Anonymous; on the other, some of the main criminal gangs, such as Conti and Stormous, which have announced full support for Moscow. Why would a criminal group side with a government that should, in principle, be prosecuting its operations?

There are two hypotheses:

  • Criminal groups offer support to Moscow in exchange for an amnesty on past crimes.
  • The line that divides nation-state actors from cyber criminal groups is thinner than we imagine, revealing dangerous overlaps between the two worlds as often hypothesized.

It all began with the official declaration of the Conti group of support for Russia in the defense of its strategic and critical national perimeter.

Statement of the Conti group in support of Russia

The message, which appeared on the group's website hosted on the Tor network, did not go unnoticed: many affiliates of the group expressed strong dissent against the Conti organization. The climax was an internal fracture of the criminal gang. Someone with access to its internal structure published a large amount of the organization's internal material, exposing its operations. The mole is a cybercriminal of Ukrainian nationality who carried out an unprecedented demonstrative act.

With the support of cybersecurity expert Dario Fadda, we analyzed the material initially leaked via AnonFiles and shared via Twitter. The most interesting part relates to the conversations within the group and with its victims. As time passed, new leaks were added relating to conversations with affiliates and with other criminal groups whose services Conti used, including the dreaded criminal gang Trickbot.

Trickbot was a dangerous criminal group, which set up a malicious botnet in 2016 in order to distribute its own malware, initially aimed at banking Trojan operations. Trickbot is recognized as one of the most efficient cybercriminal operations ever: once it had compromised the systems of companies around the world, it offered that access to other criminal groups, such as gangs specializing in spreading ransomware.

In the Conti documentation released online by the pro-Ukrainian cyber resistance there are, unsurprisingly, documents relating to Trickbot that highlight links between this criminal network and the Russian intelligence apparatus, the FSB. The documents include information on the members who have been part of this criminal organization over the years; we even find identification cards, including nicknames, real names and surnames, social accounts, telephone numbers and personal photos. For each exposed member, the leak also includes intercepted chat conversations covering at least the last 18 months.

“Personally I have so far captured and analyzed 24 people present in the leaked data, all involved in cyber criminal operations using botnets like Trickbot. Let’s talk about these individuals using gang logins to distribute ransomware of the main ransomware gangs, such as Wizard Spider, Maze, Conti, Diavol, and Ryuk, in compromised networks,” Fadda explains. “These data are gold for analysts and investigators who demonstrate the relationship between the Moscow government and the organized cybercrime ecosystem.”

In fact, the conversations describe the methods of exchanging information (and file sharing, with the original links), the passwords used to access platforms within the organization, and the planning of attacks carried out in the past.

“It is clear, therefore, that in analyzing the current war scenario from a cyber perspective we cannot overlook the plethora of non-state actors involved, whose contribution to current and future military operations could be devastating,” Fadda continues.

Consider all the victims of the main ransomware gangs, and all the access to companies and government organizations that these criminal groups have collected over time. We know this information is shared with Russian intelligence, which could use it to target these companies in response to the growing pressure of international diplomacy. To protect our infrastructures, it is necessary to maintain a state of maximum alert by promoting the circulation of information and analysis on the operations of these criminal groups, of Russian state actors, and of the possible relationships between these malicious actors. The worst could be around the corner.
