HAVE HACKS, WILL TRAVEL
Researchers from Google and IBM see unprecedented blurring of lines.
Financially motivated hackers with ties to the notorious Conti cybercrime group are repurposing their resources for use against targets in Ukraine, indicating that the threat actor’s activities closely align with the Kremlin’s invasion of its neighboring country, a Google researcher reported on Wednesday.
Since April, a group researchers track as UAC-0098 has carried out a number of attacks targeting hotels, non-governmental organizations, and other targets in Ukraine, CERT UA has previously reported. Some of UAC-0098’s members are former Conti members who are now using their sophisticated techniques against Ukraine as it continues to defend against Russia’s invasion, said Pierre-Marc Bureau, a researcher in Google’s Threat Analysis Group (TAG).
An unprecedented shift
“The attacker has shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations,” Bureau wrote. “TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang referred to as FIN12 / WIZARD SPIDER.”
He wrote that “UAC-0098 activities are representative of the blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.”
In June, researchers with IBM Security X-Force reported something quite similar. They discovered that the Russia-based Trickbot group, which, according to researchers at AdvIntel, was effectively bought out by Conti earlier this year, had been “systematically attacking Ukraine since the Russian invasion, an unprecedented shift as the group hadn’t previously targeted Ukraine.”
The Conti “campaigns against Ukraine are notable because of the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically targeted at Ukraine with some payloads that suggest a higher degree of target selection,” the IBM Security X-Force researchers wrote in July.
Reports from Google TAG and IBM Security X-Force cite a number of incidents. Those listed by TAG include:
- A phishing campaign in late April delivered AnchorMail (also known as “LackeyBuilder”). The campaign used lures with subjects such as “Project ‘Active citizen’” and “File_change,_booking.”
- A phishing campaign a month later targeted organizations in the hospitality industry. The emails impersonated the National Cyber Police of Ukraine and attempted to infect targets with the IcedID malware.
- Another phishing campaign targeted the hospitality industry and an NGO based in Italy. It used a compromised hotel account in India to trick its targets.
- A phishing campaign that impersonated Elon Musk and his satellite venture StarLink in an attempt to get targets in Ukraine’s technology, retail, and government sectors to install malware.
- A campaign of more than 10,000 spam emails impersonated the State Tax Service of Ukraine. The emails carried an attached ZIP file that exploited CVE-2022-30190, a critical vulnerability known as Follina. TAG was able to disrupt the campaign.
The findings by Google TAG and IBM Security X-Force are consistent with documents leaked earlier this year showing that some Conti members have links to the Kremlin.