According to a new report from Google’s Threat Analysis Group (TAG), former members of the notorious Conti ransomware group have repurposed many of their tools to attack Ukrainian organizations.
Google researchers confirmed an IBM report in July that initial Conti access brokers – a term used to describe people with access to hacked corporate networks – changed their focus from criminal attacks general to those specifically targeting Ukrainian organizations in the hospitality industry.
Google noted that Ukrainian cybersecurity experts from CERT-UA tracked the group as UAC-0098 and said they were linked to at least five different campaigns that ran from April to August 2022.
“UAC-0098 is a threat actor that has historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently focused on Ukrainian organizations, the Ukrainian government, and organizations European humanitarian and nonprofit organizations,” Google security researchers said on Wednesday.
“TAG assesses that UAC-0098 acted as an initial access broker for various ransomware groups, including Quantum and Conti, a Russian cybercrime gang known as FIN12/WIZARD SPIDER.”
TAG began tracking UAC-0098 after discovering a phishing campaign in April that attempted to distribute a tool to access systems through a backdoor. The tool — named AnchorMail — was developed by the Conti Group, according to TAG.
The report notes that the campaign “stood out because it appeared to be both financially and politically motivated” because of its experimental nature and because it attacked Ukrainian organizations.
From April to mid-June, Google tracked a group campaign repeatedly targeting Ukrainian hotels.
A May 11 attack on Ukrainian organizations working in the hospitality industry involved phishing emails claiming to be from the National Cyber Police of Ukraine.
The emails urged victims to click on a malicious link to download updates for their operating system.
Six days later, the same group took control of a compromised hotel email account in India and began sending phishing emails containing malicious ZIP archives to organizations working in the hospitality industry. in Ukraine.
TAG discovered that the same compromised Indian hotel email account had been used to attack NGOs in Italy.
On May 19, the group pivoted again, using a different tactic to trick people into clicking on malicious links. The phishing emails were believed to have come from representatives of Starlink, the satellite internet subsidiary of Elon Musk’s rocket company SpaceX.
Some of the emails claimed to come directly from Musk representatives, urging people to click on a malicious link for an alleged StarLink satellite software update. Musk provided Ukraine with access to StarLink technology in an effort to help the country during its war with Russia.
Ukrainian organizations operating in the technology, retail and government sectors were then hit by a similar attack on May 23. A day later, the Ukrainian Press Academy was the target of phishing emails containing dropbox links to malicious documents.
In June, UAC-0098 launched a new campaign involving CVE-2022-30190 – informally known as “Follina” by security experts.
“On June 19, TAG interrupted a campaign with more than 10,000 spam emails posing as the State Tax Service of Ukraine. The emails had an attached ZIP file containing a malicious RTF file,” the researchers explained. Google.
The report includes a copy of one of the fake emails, which claims to be from the National Tax Service of Ukraine and urges people to open a malicious document related to paying taxes.
TAG researchers said the activities of UAC-0098 are an example of how the lines between financially motivated cyberattacks and government-backed hacks are blurring.
“Rather uniquely, the group demonstrates a keen interest in violating companies operating in the hospitality industry in Ukraine, going so far as to launch several separate campaigns against the same hotel chains. So far, TAG has not identified post-exploitation actions taken by UAC-0098 after a successful compromise,” the researchers said.
Conti had been linked to more than 850 ransomware attacks since 2019, according to data collected by Recorded Future, including 2021 attacks on Ireland’s Health Service Executive and hospital systems in New Zealand.
But in May the group began destroying much of its infrastructure after the US State Department offered a $10 million bounty for information on the whereabouts of its neighbors. The bounty came as Conti brazenly held Costa Rica’s government to ransom and threatened to “overthrow” the country’s newly elected president.
Last month, the US Rewards for Justice program took an unprecedented step by sharing an image of a man it believes is linked to the group calling itself ‘Target’, and said it was looking for other members who use the handles “Reshaev,” “Professor,” “Tramp,” and “Dandis.”
The State Department also highlighted the group’s ties to Russia – Conti vowed to support the Russian government after it invaded Ukraine in February “and threatened critical infrastructure organizations in countries perceived to be carrying out cyberattacks. or a war against the Russian government,” the US State Department said. said.
Emsisoft threat analyst Brett Callow, a ransomware expert who tracks the various criminal groups behind the attacks, told The Record that given Conti’s previous threats of retaliatory attacks against American critical infrastructure in the event that the United States attacks Russia after its invasion of Ukraine, “it would be ‘It would not be at all surprising if some members of the Conti team were targeting Ukraine.