A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting Ukrainian government entities and European NGOs in the region, Google says.
The findings come from a new blog post by the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity.
With the war in Ukraine now more than half a year old, cyber activity including hacktivism and digital warfare has been a constant presence in the background. Now, TAG says that profit-seeking cybercriminals are becoming active in the region in greater numbers.
From April through August 2022, TAG has been tracking “an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers,” writes TAG’s Pierre-Marc Bureau. One of these state-backed actors has already been designated by CERT (Ukraine’s national Computer Emergency Response Team) as UAC-0098. But new analysis from TAG links it to Conti: a prolific international ransomware gang that shut down the Costa Rican government with a cyberattack in May.
“Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine,” Bureau writes.
The group known as UAC-0098 has previously used a banking Trojan known as IcedID to carry out ransomware attacks, but Google’s security researchers say it is now shifting to campaigns that are “both politically and financially motivated.” According to TAG’s analysis, the members of this group are using their expertise to act as initial access brokers, the hackers who first compromise a computer system and then hand off access to other actors who are interested in exploiting the target.
Recent campaigns saw the group send phishing emails to a number of organizations in the Ukrainian hospitality industry purporting to be the Cyber Police of Ukraine or, in another instance, targeting humanitarian NGOs in Italy with phishing emails sent from the hacked email account of an Indian hotel chain.
Other phishing campaigns impersonated representatives of Starlink, the satellite internet system operated by Elon Musk’s SpaceX. These emails delivered links to malware installers disguised as software required to connect to the internet through Starlink’s systems.
The Conti-linked group also exploited the Follina vulnerability in Windows systems shortly after it was first publicized in late May of this year. In this and other attacks, it is not known exactly what actions UAC-0098 has taken after systems have been compromised, TAG says.
Overall, the Google researchers point to “blurring lines between financially motivated and government backed groups in Eastern Europe,” an indicator of the way cyber threat actors often adapt their activities to align with the geopolitical interests in a given region.
But it is not always a strategy guaranteed to win. At the start of the Ukraine invasion, Conti paid the price for openly declaring support for Russia when an anonymous individual leaked access to over a year’s worth of the group’s internal chat logs.