Financially motivated hackers with ties to a notorious Conti cybercrime group are repurposing their assets for use against targets in Ukraine, indicating the threat actor’s activities are closely tied to the Kremlin’s invasion of its neighboring country, a Google researcher reported Wednesday.
Since April, a group that investigators track as UAC-0098 has carried out a series of attacks against hotels, non-governmental organizations and other targets in Ukraine, as CERT UA has previously reported. Some members of UAC-0098 are former Conti members who are now using their advanced techniques to target Ukraine as it continues to fend off the Russian invasion, said Pierre-Marc Bureau, a researcher in Google’s Threat Analysis Group (TAG).
An unprecedented shift
“The attacker recently shifted his focus to attacking Ukrainian organizations, the Ukrainian government and European humanitarian and non-profit organizations,” Bureau wrote. “TAG assesses that UAC-0098 acted as an initial access broker for several ransomware groups, including Quantum and Conti, a Russian cybercrime gang known as FIN12/WIZARD SPIDER.”
He wrote that “UAC-0098 activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targets to align with regional geopolitical interests.”
In June, researchers at IBM Security X-Force reported much the same. They found that the Russia-based Trickbot group — which, according to researchers at AdvIntel, was effectively acquired by Conti earlier this year — had been systematically attacking Ukraine “since the Russian invasion,” an unprecedented shift, as the group had not previously targeted Ukraine.
The Conti “campaigns against Ukraine are notable for the degree to which this activity differs from historical precedents and the fact that these campaigns targeted Ukraine specifically with some payloads suggesting a higher degree of target selection,” the IBM Security X-Force researchers wrote in July.
Reports from Google TAG and IBM Security X-Force cite a series of incidents. Those listed by TAG include:
- A phishing email campaign in late April that delivered AnchorMail (referred to as “LackeyBuilder”). The campaign used lures with subjects such as “Project ‘Active citizen’” and “File_change,_booking”.
- A month later, a phishing campaign targeted organizations in the hospitality industry. The emails pretended to be Ukraine’s national cyber police and attempted to infect targets with the IcedID malware.
- A separate phishing campaign targeted the hospitality industry and an NGO in Italy. It used a compromised hotel bill in India to trick its targets.
- A phishing campaign that masqueraded as Elon Musk and his satellite company Starlink in an effort to get targets in the Ukrainian technology, retail and government sectors to install malware.
- A campaign with more than 10,000 spam emails impersonated the State Tax Agency of Ukraine. The emails had an attached ZIP file that exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG managed to disrupt the campaign.
The findings of Google TAG and IBM Security X-Force follow the leak earlier this year of documents showing that some Conti members have ties to the Kremlin.