Financially motivated hackers with ties to the notorious Conti cybercrime group are repurposing their resources for use against targets in Ukraine, suggesting that the threat actor's activities align with the Kremlin's invasion of its neighbour, a Google researcher reported on Wednesday.
Since April, a group that researchers track as UAC-0098 has carried out a series of attacks against hotels, NGOs and other targets in Ukraine, as CERT UA has previously reported. Several members of UAC-0098 are former Conti members who are now turning their sophisticated techniques against Ukraine as the country continues to resist the Russian invasion, said Pierre-Marc Bureau, a researcher in Google's Threat Analysis Group (TAG).
An unprecedented change
“The attacker has recently shifted focus to Ukrainian organisations, the Ukrainian government, and European humanitarian and non-profit organisations,” Bureau wrote. “TAG assesses UAC-0098 as having acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12/WIZARD SPIDER.”
He wrote that “UAC-0098’s activities are a prime example of the blurred line between financially motivated and government-backed groups in Eastern Europe, illustrating the trend of threat actors changing their targeting to align with regional geopolitical interests.”
In June, IBM Security X-Force researchers reported something similar. They found that the Russia-based Trickbot group, which, according to researchers at AdvIntel, was effectively taken over by Conti earlier this year, had “systematically attacked Ukraine since the Russian invasion, an unprecedented shift, since the group had not previously targeted Ukraine.”
The Conti operations “against Ukraine are remarkable given the extent to which this activity differs from historical precedents and the fact that these operations are specifically aimed at Ukraine, with several payloads indicating a higher degree of target selection,” IBM Security’s X-Force researchers wrote in July.
The reports from Google TAG and IBM Security X-Force describe a wide range of attacks. Those listed by TAG include:
- An email phishing campaign in late April that delivered AnchorMail (referred to as “LackeyBuilder”). The campaign used lures with themes such as “The ‘Active Citizen’ Project” and “File_change, _booking”.
- A month later, a phishing campaign targeted organizations in the hospitality industry. These emails impersonated the Ukrainian National Cyber Police and attempted to infect the targets with the IcedID malware.
- A separate phishing campaign targeted the hotel industry and an NGO in Italy. It used a compromised hotel account in India to trick its targets.
- A phishing campaign that impersonated Elon Musk and his Starlink satellite venture in an attempt to get targets in Ukraine’s tech, retail and government sectors to install malware.
- A campaign of more than 10,000 spam emails impersonating the State Tax Service of Ukraine. The emails carried a ZIP attachment that exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG disrupted the campaign.
The findings by Google TAG and IBM Security X-Force follow leaked documents earlier this year that showed several Conti members had ties to the Kremlin.