A pro-Ukraine Conti member spilled 13 months of the ransomware group’s chats, while cyber actors are rushing to align with both sides.
The Russia-Ukraine cyber warzone has split the Conti ransomware gang into warring factions, leading to a Ukrainian member spilling 60,000 of the group’s internal chat messages online.
On Monday, vx-underground – an internet collection of malware source code, samples and papers that is generally considered to be a benign entity – shared on Twitter a message from a Conti member saying that “This is a friendly heads-up that the Conti gang has just lost all their sh•t.”
The gang has also, apparently, lost a cache of chat data: the first dump of what the poster promised would be multiple, “very interesting” leaks coming from Conti’s Jabber/XMPP server.
“F•ck the Russian government, Glory to Ukraine!” the Conti member, who is reportedly Ukrainian, proclaimed. Threatpost advises caution about clicking on any links provided in social media messages: They are, after all, provided by a ransomware group and should be treated with kid gloves.
Conti ransomware group previously put out a message siding with the Russian government.
Today a Conti member has begun leaking data with the message “Fuck the Russian government, Glory to Ukraine!”
You can download the leaked Conti data here: https://t.co/BDzHQU5mgw pic.twitter.com/AL7BXnihza
— vx-underground (@vxunderground) February 27, 2022
Cisco Talos’ Azim Khodjibaev on Sunday verified that the dump does contain conversations between affiliates, administrators and admins, rendered on Jabber instant-messaging accounts.
looks like the #conti leaks of 2022 indeed chat logs from jabber accounts between affiliates, administrators, and admins. Rejoice CTI analysts and data scientists, it is in JSON form! #busymonday pic.twitter.com/DiyqNoymsD
— Azim Khodjibaev (@AShukuhi) February 27, 2022
The conversations date back 13 months, from Jan. 29, 2021, to yesterday, Feb. 27, 2022.
The first dump contains 339 JSON files, with each file representing a full day’s log. Cybersecurity firm IntelligenceX has posted the spilled conversations here. Many of the messages are written in a Cyrillic-scripted language that appears, at least according to Google translate, to be Russian.
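For analysts who want to triage a dump like this one, the following is an added example (not code from the article, vx-underground, IntelligenceX or Talos) that loads per-day JSON chat logs, skips files that fail to parse, classifies each message body by script (Cyrillic, Latin, mixed) using the Unicode character database, and summarizes the date span and sender counts. The JSON field names (`ts`, `from`, `to`, `body`) and the sample messages are constructed assumptions; the real leak's schema is not described on the page.

```python
"""Triage helper for a per-day JSON chat dump (added example, not from the article).

Assumed, hypothetical schema: each day's file is a JSON array of objects with
"ts" (ISO-8601 timestamp), "from", "to" and "body". Adjust for the real format.
"""
import json
import unicodedata
from collections import Counter

# Constructed sample standing in for file contents (name -> raw text).
SAMPLE_FILES = {
    "2021-01-29.json": json.dumps([
        {"ts": "2021-01-29T10:02:11", "from": "alpha@example", "to": "beta@example",
         "body": "привет, как дела"},
        {"ts": "2021-01-29T10:03:40", "from": "beta@example", "to": "alpha@example",
         "body": "ok, see the log"},
    ]),
    "2022-02-27.json": json.dumps([
        {"ts": "2022-02-27T21:15:00", "from": "gamma@example", "to": "alpha@example",
         "body": "всё отправлено"},
    ]),
    "broken.json": "{not json",  # simulates a truncated file in the dump
}


def script_of(text):
    """Classify the letters in text: 'cyrillic', 'latin', 'other', 'mixed' or 'none'."""
    names = [unicodedata.name(c, "") for c in text if c.isalpha()]
    if not names:
        return "none"
    kinds = {
        "cyrillic" if n.startswith("CYRILLIC") else "latin" if n.startswith("LATIN") else "other"
        for n in names
    }
    return kinds.pop() if len(kinds) == 1 else "mixed"


def load_dump(files):
    """Parse every day file; unparseable files are reported, not fatal."""
    messages, errors = [], []
    for name, raw in sorted(files.items()):
        try:
            day = json.loads(raw)
        except json.JSONDecodeError as exc:
            errors.append((name, str(exc)))
            continue
        for m in day:
            # Derive the day from the timestamp rather than trusting the file name.
            messages.append({**m, "day": m["ts"][:10], "script": script_of(m.get("body", ""))})
    return messages, errors


def summarize(messages):
    """Return counts an analyst would check first: volume, date span, scripts, senders."""
    days = sorted({m["day"] for m in messages})
    return {
        "messages": len(messages),
        "first_day": days[0] if days else None,
        "last_day": days[-1] if days else None,
        "scripts": dict(Counter(m["script"] for m in messages)),
        "top_senders": Counter(m["from"] for m in messages).most_common(3),
    }


if __name__ == "__main__":
    msgs, errs = load_dump(SAMPLE_FILES)
    print(json.dumps(summarize(msgs), ensure_ascii=False, indent=2))
    for name, err in errs:
        print(f"skipped {name}: {err}")
```

Script detection is done per character rather than by guessing the language, so a body that mixes Latin handles with Cyrillic text is flagged as "mixed" instead of being silently bucketed; with a real dump, replace the `SAMPLE_FILES` dictionary with the contents read from the 339 files.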
The Perhaps-Less-Than-100% Russian Conti
Conti, a Russia-based extortionist gang, is considered to be as ruthless as it is sophisticated: It was the first professional-grade ransomware group to weaponize Log4j2.
On Friday, Conti sided with Russia, pledging “full support” for President Vladimir Putin’s invasion of Ukraine.
“WARNING,” Conti blared on its blog, threatening to use its “full capacity” to retaliate in the face of “Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”
Cyberattacks Coming at and From Russia
The split-Conti story is just one of a myriad of cybersecurity headlines coming out of the siege of Ukraine. Some other events in the cyberwar that are rocking the security world:
Russia appears to deploy digital defenses after DDoS attacks
Anonymous Declares ‘Cyberwar’ on Russia and Pledges Support for Ukraine
Anonymous breached the internal network of Belarusian railways
Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list
Richard Fleeman, vice president of penetration testing ops at cybersecurity advisory services provider Coalfire, told Threatpost on Monday that collectives such as Anonymous claim to be hacktivists, meaning they don’t attack for personal gain but rather seek to spread their ideology and wage cyberwarfare against those who don’t align with it.
“These kinds of activities ebb and flow based on geopolitical events or collective objectives of these groups,” he said. This isn’t new, but they’ll likely escalate “amidst the global chaos to target various countries, government agencies, and corporations.”
“These groups thrive on sentiment and will likely continue to build momentum based on their objectives,” Fleeman observed.
The muddle of war can also obscure false flags or false information campaigns that target, influence or mislead others, he said. “This can be accomplished in a variety of ways, for example, China compromising Russian technology and targeting other nations through the compromised infrastructure to hide the origins of their attacks or embedding Russian language or terms into source code of malware would aid in the hiding [of] the true origin.”
He urged that situational awareness be elevated and that security teams “be vigilant, remain alert, and leverage their security mechanisms in place to identify threats and fluidly mitigate them.”
The Lure of War to Cyber Actors
Casey Ellis, founder and CTO at crowdsourced cybersecurity provider Bugcrowd, told Threatpost on Monday that the bloodless nature of cyber combat makes it tough to predict who’ll enter this conflict and how.
“The fact that a lot of unrelated but concerned actors have entered the conflict is unsurprising,” he noted via email. “Anonymous, for example, is well-known for having a principled position on topics and then acting or retaliating via the Internet.”
His primary concern: “the relative difficulty of attribution in cyberattacks, as well as the possibility of incorrect attribution or even an intentional false flag operation escalating the conflict internationally.”
Russia will likely avoid provoking the United States “until it’s tactically or strategically advantageous for them to do so, which we all hope we can avoid,” he noted. Last week, the White House denied considering plans to launch massive cyberattacks against Russia to cut off its ability to pursue its military aggression – denials made despite NBC News quoting multiple sources to the contrary.
“Having said that, the backdrop of conflict and the openness of the Internet provides greater than normal levels of ‘aircover’ and background noise for cybercriminals, as well as other nation-states looking to plant a false flag,” Ellis said.
John Bambenek, the principal threat hunter at digital IT and security operations company Netenrich, told Threatpost via email that it’s the wild west out there: Traditional actors are using sabotage and DDoS related to military objectives, he observed, while others “will use the fog of war (quite literally) to take advantage. No one has to commit front line infantry if they want to take advantage anymore,” he said.
Expect a pig pile, he predicted: “Usually for conflicts in that region, other non-state regional actors will engage, either due to patriotism or opportunism. Now that more nations are developing this capability, more are coming to play. And there is no better training ground for nation-state actors than playing in an active warzone.”
What does that mean for security teams in the United States and other western countries? It depends on what the West does, he said. “If we get involved militarily, then the scope of attacks will increase to those nations as well. If it is targeted sanctions, likely attacks will focus on those in the chain of enforcement.”