Five attack campaigns conducted against Ukrainian government agencies and businesses this spring and summer have been linked to an initial access broker that appears to be staffed with former members of the Conti ransomware gang, according to a report from Google’s Threat Analysis Group.
From April to August this initial access broker has paid special attention to organizations in Ukraine and to humanitarian and non-profit aid groups based in Europe. The group has impersonated StarLink, Microsoft and the National Cyber Police of Ukraine in its attempts, and has used an assortment of tools and tactics previously employed by Conti.
Conti ransomware resurfaces in targeted Ukraine attacks
The attackers appear to be members of private criminal groups seeking financial gain, but the Google report sees ties between this particular initial access broker and Russia’s state-backed hacking teams.
The five-month campaign by threat group UAC-0098 is thought to be headed up by former members of the Conti ransomware gang, the largest group of its type before it went out of service earlier this year. UAC-0098 was active prior to this campaign, but appeared to narrow its focus to targets in Ukraine starting in April. The group used to serve as an initial access broker for Conti as well as a number of other ransomware groups.
When the Conti ransomware group broke up, security analysts believed its core members drifted to various smaller operations in a bid to keep working with less heat on them. Some evidence points to some of these members joining UAC-0098. One piece of evidence is the use of “AnchorMail” (also called “LackeyBuilder”), a backdoor Conti developed for its own use. Another is the crypter used on the ransomware payload, a crypting service that Conti was previously known to use.
The initial access broker has a tendency to approach targets by pretending to be either a major tech outfit or a Ukrainian authority. In a May attack, it impersonated the National Cyber Police of Ukraine in a series of attempts on hospitality companies in the country, claiming that they needed to download a system update for protection. It has also threatened NGOs in Europe with fake copyright violation claims, and has impersonated both Microsoft and Elon Musk’s StarLink, claiming that updates needed to be downloaded to keep service functioning.
The Google researchers note that the line between Russia’s criminal groups and state-supported hacking teams is becoming ever more blurry as campaigns like this play out. The Conti ransomware group declared its support for Russia soon after the invasion of Ukraine began in late February, threatening to attack foreign organizations that intervened. This is believed to be one of the things that led to the group breaking up several months later, with serious internal dissension over the announcement and increased heat brought on the group by attaching itself to the war.
Initial access broker continues to seek profit, but restricts operations to Ukraine and supporters
The campaign leaves open the question of why the initial access broker has focused so heavily on hotels in Ukraine. Hotels are a general industry of interest to ransomware gangs, as they typically hold large stockpiles of customer payment information and cannot afford to have booking systems down for extended periods. The Conti ransomware gang was known to go after the hospitality industry while it was active, attacking the Nordic Choice hotel brand and the McMenamins restaurant and hotel chain among others. But if there is a connection to the Russian invasion, it is also possible that the aim is both to acquire intelligence on who is traveling in and out of the country and to dissuade volunteers from visiting.
Relationships between criminal gangs and national governments rarely manage to break out into the news, but Tom Kellermann (CISM & Senior Vice President of Cyber Strategy at Contrast Security) believes that the Conti ransomware gang (and most likely this initial access broker) has cozier ties with Russian intelligence than is widely known: “Conti has long enjoyed their perceived ‘untouchable’ status from western law enforcement due to the protection racket this Cybercartel has with the Glavnoye Razvedyvatelnoye Upravlenie (GRU – Russian: Chief Intelligence Office) and Komitet Gosudarstvennoy Bezopasnosti (FSB). This alliance by design underscores the use of cyber proxies in geopolitical conflict. Conti’s recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime.”
Former Conti ransomware gang members have spread far and wide across the criminal underworld, with some turning up in smaller ransomware outfits (such as BlackCat and Hello Kitty) and others joining groups that focus on data extortion (most notably the very active BlackByte and Karakurt). UAC-0098 has been an initial access broker for a number of these groups, such as Quantum.
The Conti ransomware alums are still very much wanted by international law enforcement; the US State Department has offered up to $10 million for information leading to them, and it has issued a picture of a hacker who uses the handle “Target” and is thought to be a core member of the group. The gang’s final brazen act was to hold the Costa Rican government to ransom with a string of attacks, threatening to overthrow it and prompting the US to become involved in tracing the attackers and aiding with defenses.