Former members of Conti ransomware group repurposing tools to attack Ukraine, Google says
The findings suggest 'blurring lines between financially motivated and government backed groups in Eastern Europe'
Former members of the Conti ransomware gang are operating as part of the threat group UAC-0098 to target the Ukrainian government and Ukrainian organisations, suggesting how closely the threat actor's operations align with the Kremlin's invasion of its neighbouring country.
The details of the new attacks come in a blog post published last week by Google's Threat Analysis Group (TAG), which is dedicated to monitoring cyber activity by state-sponsored actors.
"As the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers," Pierre-Marc Bureau, a researcher at TAG, said in the post.
"UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks," he said, adding that the attacker has lately changed its targets to include the Ukrainian government and Ukrainian organisations, as well as non-profit and humanitarian groups in Europe.
The analysis builds on a study released in July 2022 that described the continued cyber attacks against Ukraine during its ongoing war with Russia.
TAG's analysis indicates that UAC-0098 is an initial access broker who has worked with multiple ransomware groups, including Conti and Quantum.
Conti, which was first detected in 2020, hit the headlines in February when it announced its support for Russia's invasion of Ukraine. Many of Conti's tools and internal data were leaked online after that announcement.
In May, the United States government announced a reward of up to $10 million for any information that leads to the identification or whereabouts of people who hold a key leadership position within the Conti gang.
A further $5 million was also offered for any information that leads to the arrest or conviction of a Conti member in any country conspiring or attempting to engage in a Conti variant ransomware incident.
TAG's report details two indicators suggesting a link between UAC-0098 and Conti. The first is the use of a command-and-control tool assessed to have been built by Conti.
The second is the use of a previously unreported private backdoor that was utilised by Conti-affiliated groups.
TAG's report covers five campaigns that UAC-0098 ran between April and August.
Late in April, a phishing email campaign distributed AnchorMail (referred to as "LackeyBuilder") and featured lures with subjects such as "Project Active Citizen" and "File_change_booking."
One month later, a phishing effort specifically targeted businesses in the hospitality sector. The emails, which posed as coming from the National Cyber Police of Ukraine, sought to infect recipients with the IcedID malware.
A different phishing campaign targeted the hospitality sector as well as an Italian NGO. To deceive its targets, it sent mail from a compromised account belonging to a hotel in India.
In other phishing efforts, the criminals pretended to be representatives of Starlink, the satellite internet service operated by Elon Musk's company, SpaceX.
These emails included URLs that led to malware installers posing as software required to connect to the internet through Starlink's service.
TAG has not yet determined what actions UAC-0098 takes after a successful compromise in the post-exploitation phase.
More generally, the researchers refer to "blurring lines between financially motivated and government backed groups in Eastern Europe", an indication of the way cyber threat actors often adapt their actions to match the geopolitical goals in a specific region.
According to TAG, the activities detailed in its post are consistent with findings from CERT-UA and IBM Security X-Force.
"TAG can further confirm attribution based on multiple overlaps between UAC-0098 and Trickbot or the Conti cybercrime group," it added.