A cybercriminal group that includes former members of the infamous Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says.
The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity.
With the war in Ukraine now more than half a year old, cyber activity, including hacktivism and electronic warfare, has been a constant backdrop. TAG says profit-hungry cybercriminals are becoming more active in the region as well.
Between April and August 2022, TAG tracked “an increasing number of financially motivated threat actors targeting Ukraine, whose activities are closely aligned with Russian government-backed attackers,” writes TAG’s Pierre-Marc Bureau. One of these actors has already been designated UAC-0098 by CERT-UA, Ukraine’s national computer emergency response team. A new analysis from TAG links it to Conti, a prolific global ransomware gang whose attack earlier this year crippled Costa Rican government systems.
“Based on multiple indicators, TAG assesses that some members of UAC-0098 are former members of the Conti cybercrime group who are re-using their techniques to target Ukraine,” Bureau writes.
The group known as UAC-0098 has previously used a banking Trojan known as IcedID to launch ransomware attacks, but Google’s security researchers say it’s now shifting to campaigns that are “both politically and financially motivated”. According to TAG’s analysis, the members of this group use their expertise to act as initial access brokers – the hackers who first compromise a computer system and then sell the access to other actors interested in exploiting the target.
In recent campaigns, the group sent phishing emails masquerading as Ukraine’s cyber police to a number of organizations in the Ukrainian hospitality industry and, in another case, targeted humanitarian NGOs in Italy with phishing emails sent from the hacked email account of an Indian hotel chain.
Other phishing campaigns posed as representatives of Starlink, the satellite internet system of Elon Musk’s SpaceX. These emails provided links to malware installers disguised as software needed to connect to the Internet through Starlink’s systems.
The group linked to Conti also exploited the Follina vulnerability (CVE-2022-30190) in Windows systems shortly after it was first published in late May this year. In these and other attacks, it is not known exactly what actions UAC-0098 took after systems were compromised, TAG says.
Overall, the Google researchers point to “blurring of the lines between financially motivated and government-backed groups in Eastern Europe,” an indicator of how cyber threat actors often tailor their activities to the geopolitical interests in a given region.
But it is not always a strategy that is guaranteed to win. At the start of the invasion of Ukraine, Conti paid the price for openly declaring support for Russia when an anonymous person leaked access to more than a year of the group’s internal chat logs.