Conti Suffers a Historic Data Leak After Voicing Support for Russia

essidsolutions

The Ukraine-Russia conflict is significant not only from a geopolitical standpoint but also because of the scale at which unrecognized and unaffiliated groups are getting involved. This has resulted in unprecedented cyber warfare, whose first casualty appears to be the Conti ransomware group. The leaks indicate that Conti was a well-oiled operation run much like a modern business.

Days after the Conti ransomware gang declared, and then backtracked on, its “full support” for Russia amid the Ukraine-Russia conflict, it is reeling from the leak of its members’ internal chats. In a statement posted on its dark web site on February 25, Conti threatened to use “all possible resources to strike back at the critical infrastructures of an enemy” that attacks Russia, whether in the digital world or on the ground.

The statement didn’t go down well with all of Conti’s members. The hacker group has an international membership base of different ethnicities, including Ukrainians. Soon after, Conti released a revised statement on the conflict, voicing its support for Russia specifically against western aggression but categorically denying allegiance to any government.

“We do not ally with any government and we condemn the ongoing war,” Conti said. It seems this wasn’t enough for a Ukrainian member who quickly leaked 13 months of internal conversations the group’s members had with each other on XMPP/Jabber servers.

In total, the member leaked 339 JSON files containing approximately 60,000 internal messages sent between January 29, 2021, and February 27, 2022, i.e., up to the day of the leak. Each leaked JSON file contains one day’s chat log. Later, on Monday, March 1, 2022, 148 additional JSON files with over 100,000 messages going back to Conti’s founding in June 2020 were leaked.

Conti was among several cyber groups, threat actors, and hacktivists that expressed support for Russia or Ukraine. Before the outbreak of the conflict, it was widely believed that Russian and Ukrainian hacker groups worked in tandem, either independently or at the behest of those in the upper echelons of power. Some were even reported to have ties to Russian intelligence.


However, the conflict polarized these groups, forcing them to choose sides and making the situation murkier than usual. Christo Grozev, executive director at Bellingcat, said Conti was among the groups that take orders from the FSB, the Russian intelligence agency.

We tried to figure out what that cyber-crime group was – that apparently takes orders from the FSB. The Russian invasion of Ukraine finally brought the answer. A pro-Ukraine hacker from that cyber-crime group leaked their internal chats. It’s the #conti group.

— Christo Grozev (@christogrozev) February 28, 2022

Conti operates under a ransomware-as-a-service model. Its operators and affiliates are responsible for multiple ransomware attacks, including the attack on Ireland’s Health Service Executive (HSE), which cost $100 million in recovery.

All messages are in Russian, and translation and analysis of them are underway. Based on what has already been analyzed by multiple sources, including security researcher Bill Demirkapi, security company IntelligenceX, threat research group vx-underground, and others, this leak could prove devastating for the malicious group.

Based on Grozev’s findings, Conti was clearly keen on accessing information that journalists had on Alexey Navalny, a lawyer and activist widely considered a threat to President Vladimir Putin. According to AdvIntel CEO Vitali Kremez, Conti was planning to support extradited Latvian national Alla Witte by paying for her legal defense against her indictment in the U.S. for developing malware for TrickBot, meaning Conti has some ties to TrickBot.

The leak also sheds light on the inner workings of the ransomware gang, which earned upwards of $25 million from its malicious operations between July and November 2021. The leaked messages reveal Conti’s operational prowess and hierarchical structure, as noted by an independent hacker below.

Even criminal groups have Project Managers. #conti #ransomware

— Tinker 🔆 (@TinkerSec) March 1, 2022

The leaked conversations also blew the lid off how Conti attempted to test the products of Sophos and CarbonBlack under the pretext of product demonstrations, posing as a legitimate company. Conti probably even advertised on Russian job sites as a legitimate company. It also doles out bonuses to members and raises their salaries.

is a job search site. Does this mean #Conti advertised for workers like a legitimate business? pic.twitter.com/Abq7oeH9lo

— Brett Callow (@BrettCallow) March 1, 2022

If the leaks are any indication, the Conti ransomware gang was essentially run as a modern business.

Other leaked details include members’ discussions of security vulnerabilities, technical insight into the Conti infrastructure, source code of internally used software, the Bitcoin wallet addresses at which members and affiliates received ransom payments, and evidence that its members were involved in non-fungible tokens (NFTs).

The wallet addresses should help law enforcement track Conti’s past financial dealings and possible money laundering. By contrast, the vulnerability discussions and infrastructure details may benefit other threat groups, which may now adopt some of these tactics, techniques, and procedures (TTPs).
