Financially motivated hackers with ties to the notorious Conti cybercrime group are repurposing their resources for use against targets in Ukraine, indicating that the threat actor's activities closely align with the Kremlin's invasion of its neighboring nation, a Google researcher reported on Wednesday.
Since April, a group researchers track as UAC-0098 has carried out a series of attacks targeting hotels, non-governmental organizations, and other targets in Ukraine, CERT UA has reported in the past. Some of UAC-0098's members are former Conti members who are now applying their sophisticated methods to target Ukraine as it continues to ward off Russia's invasion, said Pierre-Marc Bureau, a researcher in Google's Threat Analysis Group (TAG).
An unprecedented shift
"The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations," Bureau wrote. "TAG assesses UAC-0098 acted as an initial access broker for many ransomware groups, including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER."
He wrote that "UAC-0098 activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors altering their targeting to align with regional geopolitical interests."
In June, researchers with IBM Security X-Force reported much the same thing. They found that the Russia-based Trickbot group—which, according to researchers at AdvIntel, was effectively taken over by Conti earlier this year—had been "systematically attacking Ukraine since the Russian invasion—an unprecedented shift as the group had not previously targeted Ukraine."
The Conti "campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," the IBM Security X-Force researchers wrote in July.
Reports from Google TAG and IBM Security X-Force cite a series of incidents. Those listed by TAG include:
- An email phishing campaign in late April delivered AnchorMail (referred to as "LackeyBuilder"). The campaign used lures with subjects such as "Project 'Active citizen'" and "File_alter,_booking."
- A phishing campaign a month later targeted organizations in the hospitality industry. The emails impersonated the National Cyber Police of Ukraine and attempted to infect targets with the IcedID malware.
- A separate phishing campaign targeted the hospitality industry and an NGO located in Italy. It used a compromised hotel account in India to trick its targets.
- A phishing campaign that impersonated Elon Musk and his satellite venture StarLink in an attempt to get targets in Ukraine's technology, retail, and government sectors to install malware.
- A campaign of more than 10,000 spam emails impersonating the State Tax Service of Ukraine. The emails carried an attached ZIP file that exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG managed to disrupt the campaign.
The findings by Google TAG and IBM Security X-Force track with documents leaked earlier this year showing that some Conti members have links to the Kremlin.