The infamous cybercriminal group behind the Conti ransomware has publicly announced its full support for the Russian government while the country’s army is invading Ukraine and threatened to strike the critical infrastructure of anyone launching cyberattacks or war actions against Russia.
The move comes after Twitter accounts claiming association with the Anonymous hacktivist collective declared “cyberwar” against the Russian government and took credit for distributed denial-of-service (DDoS) attacks against the websites of Russia Today, the Kremlin and the Russian Ministry of Defense.
The involvement of hacktivists and cybercrime groups in the conflict, supporting one side or another, could spiral into a wave of escalating attacks and provide cover for destructive cyber actions directed by government agencies.
Who is Conti?
The Conti ransomware is the successor of the infamous Ryuk ransomware that has hit hundreds of companies and government organizations since 2018. Ryuk and Conti are believed to be the creation of a cybercrime group tracked by the security industry as Wizard Spider. The same group is believed to be behind the TrickBot botnet, which has often been used to distribute Ryuk.
According to an alert from CISA and the FBI in September, Conti was used in over 400 attacks against US and international organizations. Like Ryuk, Conti is a manually deployed ransomware program where hackers first break into organizations and use stealthy manual hacking techniques to move laterally and obtain administrative rights in the environments. This means the group has the skills necessary to launch sophisticated attacks.
“The Conti Team is officially announcing a full support of Russian government,” the Conti gang announced Friday on the website it uses to post information about victims and threaten them with data leaks. “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”
Whether Conti’s announcement is guided by patriotic sentiments or is done at the direction of Russian state agents is hard to say, but Russian intelligence agencies are known to have relied on cybercriminal elements in their operations for cover in the past. “The Russian government has relied on this strategy for nearly a decade,” Michael DeBolt, chief intelligence officer at Intel 471, tells CSO. “We know Evgeniy Bogachev and Gameover ZeuS was leveraged by the Russian government last decade for intel purposes. Another infamous Russian-linked threat actor, Maksim Yakubets, was observed to be directly co-opted by Russia’s Federal Security Service. Additionally, carding shops like Joker’s Stash and incidents like the SolarWinds hack have also been linked to financially motivated cybercriminals while also serving intelligence purposes for Russia. We don’t have any intelligence that suggests Conti is doing this as of right now, but it’s entirely possible.”
Conti could be used to deflect blame from the Russian government
In January, Russia’s Federal Security Service (FSB) arrested two hackers associated with the REvil ransomware, one of whom is suspected of being directly responsible for the 2021 attack on Colonial Pipeline. The arrests came after President Joe Biden warned Vladimir Putin in a conversation last year that the United States is ready to take action if ransomware groups operating from Russia are not stopped. The arrests were welcomed by the security industry but were largely seen just as a move to ease diplomatic tensions and not as a long-term commitment by Russian authorities to prosecute hackers.
DeBolt thinks it wouldn’t be surprising if Conti would take responsibility for attacks on operators of critical infrastructure in the future and be used as cover for state-directed actions. “We know that Russia’s Sandworm group, which is tied to the Russian government, has shown proficiency in attacks on critical infrastructure, having been tied to the 2015 attack that resulted in wide-scale power outages in Ukraine,” he says. “Yet, it’s possible that Conti (and potentially other Russian-based threat groups) are being directed and tasked by the Russian government as cover to deploy attacks against U.S. and Western critical infrastructure. Since President Biden very specifically warned that any cyberattacks against U.S. critical infrastructure will be met with severe cyberattacks in response, using Conti in this manner would allow the Russian government to achieve its objectives with plausible deniability.”
There is some precedence for this. The Russo-Georgian War of 2008 was accompanied by cyberattacks against internet infrastructure and official websites in Georgia. Some industry reports at the time blamed the attacks on a cybercrime collective called the Russian Business Networks, but some analysts pointed out the tools used to launch the attacks were customized and prepared in advance and that some of the attacks were launched from servers belonging to Russian telecommunication companies. A Russian government spokesperson cited by the New York Times said at the time that individuals in Russia or elsewhere might have taken it upon themselves to start the attacks.
A DHS memo distributed to critical infrastructure operators and state and local governments in January warned that depending on NATO and U.S. response to a Russian invasion of Ukraine, Russia could consider launching destructive cyberattacks against U.S. critical infrastructure, CNN reported at the time.
Meanwhile, Reuters reported Thursday that a recruitment call for volunteers to join offensive and defensive cyber operations was posted on an Ukrainian hacker forum by the co-founder of a Kyiv-based cybersecurity company who claimed the request came from the Ukrainian Ministry of Defense.
Anonymous itself is a collective of volunteer hacktivists without centralized leadership who organize themselves in subgroups that operate in many regions of the world. These groups have launched attacks in response to a wide range of issues from political to economic with either localized or global impact.