Financially motivated hackers with ties to a notorious Conti cybercrime group are repurposing their resources for use against targets in Ukraine, indicating that the threat actor’s activities closely align with the Kremlin’s invasion of its neighboring country, a Google researcher reported on Wednesday.
Since April, a group that researchers track as UAC-0098 has carried out a series of attacks that have targeted hotels, non-governmental organizations, and other targets in Ukraine, CERT UA has reported in the past. Some of UAC-0098’s members are former Conti members who are now using their sophisticated techniques to target Ukraine as it continues to ward off Russia’s invasion, Pierre-Marc Bureau, a researcher in Google’s Threat Analysis, said.
An unprecedented shift
“The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations,” Bureau wrote. “TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.”
He wrote that “UAC-0098 activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.”
In June, researchers with IBM Security X-Force reported much the same thing. It found that the Russia-based Trickbot group—which, according to researchers at AdvIntel, was effectively taken over by Conti earlier this year—had been “systematically attacking Ukraine since the Russian invasion—an unprecedented shift as the group had not previously targeted Ukraine.”
The Conti “campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection,” the IBM Security X-Force researchers wrote in July.
Reports from Google TAG and IBM Security X-Force cite a series of incidents. Those listed by TAG include:
- An email phishing campaign in late April delivered AnchorMail (referred to as “LackeyBuilder”). The campaign used lures with subjects such as “Project’ Active citizen'” and “File_change,_booking.”
- A phishing campaign a month later targeted organizations in the hospitality industry. The emails impersonated the National Cyber Police of Ukraine and attempted to infect targets with the IcedID malware.
- A separate phishing campaign targeted the hospitality industry and an NGO located in Italy. It used a compromised hotel account in India to trick its targets.
- A phishing campaign that impersonated Elon Musk and his satellite venture StarLink in an attempt to get targets in Ukraine’s technology, retail, and government sectors to install malware.
- A campaign with more than 10,000 spam emails impersonated the State Tax Service of Ukraine. The emails had an attached ZIP file that exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG managed to disrupt the campaign.
The findings by Google TAG and IBM Security X-Force track with documents leaked earlier this year showing some Conti members have links to the Kremlin.