For years, Russian cybercrime groups have acted with relative impunity. The Kremlin and local law enforcement have largely turned a blind eye to disruptive ransomware attacks as long as they don’t target Russian companies. Despite direct pressure on Vladimir Putin to crack down on ransomware groups, they remain closely tied to Russia’s interests. A recent leak from one of the most infamous such groups gives a glimpse into the nature of those ties, and how weak they can be.
A cache of 60,000 leaked chat messages and files from the infamous Conti ransomware group gives a glimpse of how well-connected the criminal gang is in Russia. The documents, reviewed by WIRED and first published online in late February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, reveal how Conti operates on a day-to-day basis and its crypto ambitions. They also appear to show that Conti members have connections to the Federal Security Service (FSB) and a keen awareness of the operations of Russia’s government-backed military hackers.
As the world struggled to get to grips with the outbreak of the COVID-19 pandemic and its early waves in July 2020, cybercriminals around the world turned their attention to the health crisis. On July 16 of that year, the governments of the UK, US and Canada publicly accused Russia’s state-backed military hackers of trying to steal intellectual property related to the earliest vaccine candidates. The hacking group Cozy Bear, also known as Advanced Persistent Threat 29 (APT29), attacked pharmaceutical companies and universities using modified malware and known vulnerabilities, the three governments said.
Days later, Conti’s leaders discussed Cozy Bear’s work in connection with their own ransomware attacks. Stern, Conti’s CEO-like figure, and Professor, another senior member, talked about setting up a specific office for “government issues.” The details were first reported by WIRED in February, but are also included in the wider Conti leaks. In the same conversation, Stern said they had someone “external” who paid the group (though it’s not stated for what) and discussed how targets were being sourced. “They want a lot about Covid right now,” Professor told Stern. “The cozy bears are already working their way down the list.”
“They refer to setting up a long-term project and seemingly toss out this idea that they… [the external party] would help in the future,” said Kimberly Goody, director of cybercrime analysis at security firm Mandiant. “We believe this is a reference to if law enforcement action is taken against them that this third party can help them.” Goody points out that the group also mentions Liteyny Avenue in St. Petersburg, home to local FSB offices.
While there is no evidence of Conti’s direct ties to the Russian government, the gang’s activities remain aligned with national interests. “The impression from the leaked chats is that Conti’s leaders understood they were allowed to operate as long as they followed unspoken guidelines from the Russian government,” said Allan Liska, an analyst at security firm Recorded Future. “There seemed to have been at least some lines of communication between the Russian government and Conti’s leadership.”