Financially motivated hackers with ties to the infamous Conti cybercrime group are repurposing their resources to target Ukraine, indicating that the threat actor’s actions closely align with the Kremlin’s invasion of its neighboring country, a Google researcher reported on Wednesday.
Since April, a group that researchers track as UAC-0098 has carried out a series of attacks targeting hotels, non-governmental organizations, and other targets in Ukraine, CERT-UA has previously reported. Some of UAC-0098’s members are former Conti members who are now using their sophisticated techniques to target Ukraine as it continues to fend off Russia’s invasion, said Pierre-Marc Bureau, a researcher in Google’s Threat Analysis Group (TAG).
An unprecedented shift
“The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations,” Bureau wrote. “TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.”
He wrote that “UAC-0098 activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.”
In June, researchers with IBM Security X-Force reported much the same thing. It found that the Russia-based Trickbot group—which, according to researchers at AdvIntel, was effectively taken over by Conti earlier this year—had been “systematically attacking Ukraine since the Russian invasion—an unprecedented shift as the group had not previously targeted Ukraine.”
The Conti “campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection,” the IBM Security X-Force researchers wrote in July.
Reports from Google TAG and IBM Security X-Force cite a series of incidents. Those listed by TAG include:
- An email phishing campaign in late April delivered AnchorMail (known as “LackeyBuilder”). The campaign used lures with subjects such as “Project ‘Active citizen’” and “File_change,_booking.”
- A phishing campaign a month later targeted organizations in the hospitality industry. The emails impersonated the National Cyber Police of Ukraine and attempted to infect targets with the IcedID malware.
- A separate phishing campaign targeted the hospitality industry and an NGO located in Italy. It used a compromised hotel account in India to trick its targets.
- A phishing campaign that impersonated Elon Musk and his satellite business StarLink in an attempt to get targets in Ukraine’s technology, retail, and government sectors to install malware.
- A campaign with more than 10,000 spam emails impersonated the State Tax Service of Ukraine. The emails had an attached ZIP file that exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG managed to disrupt the campaign.
The findings by Google TAG and IBM Security X-Force track with documents leaked earlier this year showing that some Conti members have links to the Kremlin.