Srsly Risky Biz: Thursday March 3
Where Conti Ransomware Meets Russia's Ugly War
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.
There is no evidence that cyber operations have been used effectively in support of conventional military action in Russia's invasion of Ukraine, but the resulting chaos in the cybers is still making life interesting.
There have been many incidents affecting Ukrainian interests that are likely state-directed in support of Russia:
- A wiper affected Ukrainian banks and at least one government agency on the day the invasion was launched on 23 Feb.
- Belarusian state-sponsored groups targeted Ukrainian military personnel with phishing campaigns on 25 Feb.
- Another phishing campaign targeting European government personnel managing the flow of refugees fleeing Ukraine reported on 1 Mar.
- DDoS attacks against Ukrainian websites.
These kinds of nuisance attacks are ongoing and there are a lot of them, but we haven't seen the broadly destructive attacks that Russia has used against Ukraine in the past such as NotPetya in 2017 or the electricity network disruptions in 2015 and 2016.
In this case, we're yet to see any evidence that a cyber operation has provided Russia with the kind of decisive military advantage that cyber enthusiasts fantasise about. Of course, it could be that Russian forces simply aren't capable of taking advantage of a disruptive cyber operation. Australian Major General (retired) Mick Ryan described Russian military leadership as "professionally corrupt and incompetent" and the progress of Russian forces near Kyiv as "slow and plodding".
Another possibility is that — at least for some things like the telecommunications networks — more drastic disruption hasn't occurred because Russian forces need them. Russian communications equipment is unbelievably bad and troops are using both unencrypted radios and smartphones for communications. This is allowing a collective amateur SIGINT effort and also possibly providing the opportunity for the Ukrainian government to monitor phones. NATO country SIGINT agencies must be having a field day.
The Ukrainian government, however, has kicked Russian numbers off its telco networks, so Russian troops are increasingly stealing civilian phones for their communications. It's an interesting decision to kick the Russians off the network — do you prioritise intelligence collection or disruption?
The Ukrainian government, meanwhile, has asked hackers everywhere to form an "IT Army of Ukraine". Mykhailo Fedorov, Ukraine's Minister of Digital Transformation, issued the callout on social media, and a tasking list is being distributed on Telegram.
The Ministry of Digital Transformation claims the "IT Army" has successfully downed the Moscow stock exchange, various banks including Sberbank (Russia's largest) and the National Bank of Belarus, and has defaced Russian state media sites. It's hard to know how much of this downtime is the result of attacks versus defensive measures — the Russian government is geofencing some sites to protect them from DDoS.
Again, these are mostly nuisance hacks, although some other hacks targeting state media have aimed to raise the Russian population's awareness of the human cost of the war by publicising the number of Russians Ukraine's military claims have perished. Unlike most of the disruptions taking place, this directly counters Russian state efforts to censor and suppress news of the war.
Other actions appear to be unrelated to the IT Army.
There have been some fun ones. @theanonleaks reportedly hacked maritime AIS to change Putin's private yacht's callsign to 'FCKPTN' and its location to make it appear to have crashed on Ukraine's Snake Island (significant for a Ukrainian military outpost's purported valiant stand against a Russian warship).
And the Belarus Cyber Partisans again disrupted train operations in Belarus, trying to slow the movement of Russian troops to the border.
We totally sympathise with the desire to strike back against Russian aggression, but is getting involved in these kinds of netizen actions a good idea?
We think not, mostly because they will likely interfere with intelligence collection operations that could contribute to state actions that will have far greater impact. Matt Burgess in Wired explores this issue in more depth in relation to the IT Army, but the ultimate problem here is that Russia, a nuclear-armed state, is behaving very badly. Only other states can muster the diplomatic, military and economic firepower to alter its behaviour — individuals or groups hacking to make themselves feel good won't alter Russia's trajectory one bit — they'll just encourage affected orgs to engage incident responders who might wind up kicking out other, more important intruders.
A case in point: Network Battalion 65, an offshoot of Anonymous, claims to have breached Roscosmos, the Russian space agency, and "shut down the control centre". We doubt this is true (Dmitry Rogozin, Roscosmos's Director General denies it), but this is exactly the sort of target that would be valuable to have access to under some circumstances. In addition, there's also the possibility of inadvertent escalation — Rogozin warned that hacking satellites would be considered an "act of war".
Despite our views, however, various hacking groups are taking sides — see the latest version of CyberKnow's "2022 Russia-Ukraine war — Cyber group tracker".
Ransomware group Conti staked out its position relatively early on Friday 25 February:
The Conti Team is officially announcing a full support of Russian government [sic]. If any body will decide to organise a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.
One way Russia could retaliate in the face of stringent sanctions would be to give Russia-based ransomware crews a green light (or even active encouragement) to attack US and European targets, so this seemed ominous.
Conti's position, however, lasted just an hour before being watered down.
As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.
And by Sunday ContiLeaks, variously described as a Ukrainian security researcher or disgruntled affiliate, released over a year's worth of Conti's internal chats from Jabber logs — the initial tranche contained over 60,000 messages and ContiLeaks continues to release more material including more chat logs and also source code.
We think some of this material has been used in public reporting before. All the criminal usernames that appear in another Matt Burgess Wired article "Inside TrickBot" — Target, Hof, Professor, Stern — appear in the Conti leak as visualised by Jorge Gomes. Conti was at one time "typically delivered by TrickBot", according to computer security company Emsisoft, and TrickBot operators also communicated via Jabber. Messages reported by Burgess in his TrickBot story also appear in the current ContiLeaks dump. If the source is the same, it is consistent with ContiLeaks being a security researcher with long-term access, not so much with ContiLeaks being a disgruntled affiliate, and it eliminates the possibility of a US Cyber Command disruption operation.
There's some juicy stuff in these leaks (data available here, btw). Some messages even indicate there are links between Russia's FSB and Conti.
Bellingcat executive director, Christo Grozev, believes chat messages show Conti was working on behalf of the FSB to target Bellingcat's research into Russian opposition leader Alexey Navalny's poisoning. The messages indicate some sort of relationship with the FSB, but on their own it's unclear whether the relationship is one of tolerance or tasking — did Conti decide to pass Bellingcat information to the FSB to curry favour, or did FSB actively direct Conti?
Grozev's interpretation of these messages as tasking all hangs on an anonymous tip Bellingcat received last year. "A global cyber crime group acting on an FSB order has hacked one of your contributors. The only thing they were interested on [sic], was anything related to your @navalny investigation". It's pure speculation, but we can't help but wonder if this is a circle and these chat messages led our Conti leaker to send Bellingcat that anonymous tip. Hopefully a clearer picture of Conti's relationship with Russian law enforcement will emerge over time.
Everyone is making hay out of this. Brian Krebs has published part 1 of a Conti Ransomware Group Diaries series which covers, among other things, Conti's reaction to US Cyber Command's TrickBot takedown operation and also to the arrest of Latvian woman Alla Witte, who Krebs describes as "something of a maternal figure for many of Conti’s younger personnel". It's a series worth following.
The leaks also tell us something about the size and scope of Conti's operation, both in terms of finances and the number of people involved.
Bitcoin addresses found in the leak show that from April 2017 Conti took more than 65,000 BTC, valued at over USD$2.7bn at today's exchange rate. Only USD$3m currently remains in addresses found in the leaks. If they are not known already, these addresses will also be used by blockchain analysts to help law enforcement and regulators follow the money.
The first tranche of chat logs contains 2,535 unique users, although it is not clear if each user represents a single person — some people may be using more than one account for OPSEC or other reasons.
The messages also show that other players want in on ransomware riches. One chat message indicates an unnamed journalist would help intimidate a victim — presumably by writing a story about them — for a 5% cut of the ransom. In another, a French negotiator offers to help Conti: "Hello, I'm an official negotiator for ransoms about french companies/institutions… I will make you save time and money, I know everyone".
Other messages provide insight into how Conti operated. At times it deliberately targeted hospitals, at other times it banned targeting them. Interestingly, it was using the value of cyber insurance policies as one of its targeting criteria.
But aligning itself with the Russian state in a war could come back to bite Conti in another way — we think it very likely that insurers will use "cyber war" exclusion clauses to avoid paying for Conti- and Russia-related ransoms.
And let's not forget that aligning itself with Russia firmly places Conti within the crosshairs of Cyber Command. And if a security researcher can get access without being discovered we know Conti's OPSEC won't withstand serious dedicated efforts to breach them.
Brett Callow, threat analyst at Emsisoft, thinks these leaks are a big blow for Conti. He told Seriously Risky Business "This incident is so devastating that Conti will be unlikely to come back from it".
"And not only the public leak. There’s no way of knowing whether all the information was released or whether some was passed directly to law enforcement. There’s also no way of knowing whether law enforcement had also compromised the operation. The bottom line is that anybody who’s ever had any dealings with Conti will be concerned that they’ve now been implicated."
Bill Siegel, CEO of ransomware incident response firm Coveware, was less convinced.
"Probably," he told this newsletter when asked if the leaks will hurt Conti, although he noted "they had been slowing down before the leaks occurred, and before the war started… [although] it does not seem to be 'helping' Conti's intra-organizational culture!"
Conti is now deleting its servers — and hilariously we know this because ContiLeaks is still publishing its chat logs.
Other ransomware crews have avoided Conti's misstep and claim to be apolitical.
ALPHV (aka BlackCat and notable for its recent rapid rise) issued a statement, as reported on Twitter by Dmitry Smilyanets. "We are extremely saddened by what is happening. In our business, there are no nationalities, fictional borders, or any other reason why people can kill people… We categorically condemn #conti and any other pp \ group for giving a dirty, political context to our common ecosystem in order to hide their roots. The Internet, and even more so its dark side, is not the place for politics."
Lockbit's statement, via Lawrence Abrams on Twitter, is similarly circumspect. "For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work." Lockbit describes itself as an "international community of post-paid pentesters" that provides "paid training to system administrators around the world on how to properly set up a corporate network".
But it is not just hackers and ransomware criminals that are taking care to choose (or avoid choosing) sides. Apple has stopped sales in Russia, and also stopped its Apple Pay service after bank sanctions.
Apple and Google have both turned off their maps' live traffic data in Ukraine as it could potentially be used to track troop movements. They've also, along with Microsoft, removed Russian state media news apps from app stores.
In line with EU actions, Facebook and YouTube are restricting access to Russian state media across the EU.
There is now no denying the reality of the splinternet. Apple, Meta, Microsoft and Google are not global tech companies, they are US tech companies that operate globally.
Three Reasons to be Cheerful this Week:
- Bye Bye TrickBot: Even before ContiLeaks outed them, TrickBot's operators were shutting down the botnet. Efforts by US Cyber Command and industry coupled with the arrest of some of its developers made a difference here. TrickBot at one point had infected more than a million computers and was one of the main ways Conti infected victims.
- You Are the Weakest Link: New research has identified six factors that indicate an NPM package may be vulnerable to compromise by malicious actors (NPM is the JavaScript package repository). The six factors are mostly dumb stuff like expired domains, too many maintainers, not enough maintainers, or not being maintained at all — but these simple indicators could be used automatically to select packages for extra security checks.
- Sweet, sweet revenge: Maersk, the Danish shipping and logistics company badly damaged by the Russian GRU NotPetya attack, has stopped shipments to Russia (except for food, and medical and humanitarian supplies).
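The "select packages for extra security checks" idea in the NPM item above, as an added Python example that is not from the research or from this newsletter: it scores registry-style package metadata against four of the indicators the item names (expired maintainer e-mail domains, too many maintainers, too few maintainers, no recent publish) and ranks the packages that raise any flag. The thresholds, package names, domains and the precomputed set of expired domains are all assumptions constructed for illustration; a real pipeline would resolve each maintainer domain against WHOIS/DNS instead of taking a set from the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Assumed thresholds (illustrative; not the values from the research).
MAX_MAINTAINERS = 10      # more than this: too many hands on the publish button
MIN_MAINTAINERS = 2       # fewer than this: a single point of failure
STALE_DAYS = 730          # no publish in two years counts as unmaintained


@dataclass
class Package:
    """Minimal slice of npm registry metadata relevant to the indicators."""
    name: str
    maintainer_emails: List[str]
    last_publish: datetime


def maintainer_domains(pkg: Package) -> Set[str]:
    """Lower-cased e-mail domains of all maintainers."""
    return {e.rsplit("@", 1)[-1].lower() for e in pkg.maintainer_emails if "@" in e}


def score_package(pkg: Package, expired_domains: Set[str], now: datetime) -> Dict[str, object]:
    """Return the hygiene flags raised for one package plus a simple count score.

    expired_domains stands in for a live WHOIS/DNS availability check of each
    maintainer domain; here it is a precomputed set supplied by the caller.
    """
    flags: List[str] = []
    n = len(pkg.maintainer_emails)
    if n == 0:
        flags.append("no-maintainers")
    elif n < MIN_MAINTAINERS:
        flags.append("too-few-maintainers")
    elif n > MAX_MAINTAINERS:
        flags.append("too-many-maintainers")
    if maintainer_domains(pkg) & expired_domains:
        flags.append("expired-maintainer-domain")
    if (now - pkg.last_publish).days > STALE_DAYS:
        flags.append("unmaintained")
    return {"name": pkg.name, "flags": flags, "score": len(flags)}


def triage(packages: Iterable[Package], expired_domains: Set[str], now: datetime) -> List[Tuple[str, int]]:
    """Packages that raised at least one flag, highest score first (name as tie-break)."""
    scored = [score_package(p, expired_domains, now) for p in packages]
    hits = [(s["name"], s["score"]) for s in scored if s["score"] > 0]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# Constructed sample data: none of these packages, people or domains are real.
UTC = timezone.utc
NOW = datetime(2022, 3, 3, tzinfo=UTC)
EXPIRED_DOMAINS = {"lapsed-maintainer.test"}
SAMPLE = [
    Package("orphan-helper", ["alice@lapsed-maintainer.test"], datetime(2018, 1, 1, tzinfo=UTC)),
    Package("mega-utils", [f"dev{i}@bigcorp.test" for i in range(12)], datetime(2022, 2, 20, tzinfo=UTC)),
    Package("well-kept", ["bob@ok.test", "carol@ok.test"], datetime(2022, 1, 15, tzinfo=UTC)),
]

if __name__ == "__main__":
    for pkg in SAMPLE:
        result = score_package(pkg, EXPIRED_DOMAINS, NOW)
        print(f"{result['name']}: score={result['score']} flags={result['flags']}")
    print("review queue:", triage(SAMPLE, EXPIRED_DOMAINS, NOW))
```

The score is a plain flag count, which is enough to build a review queue; weighting the flags (an expired maintainer domain is a far stronger takeover signal than a large maintainer list) is the obvious next refinement once real registry data is in hand.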
Paying the Bills
In our latest YouTube product demo, Eugenio Pace shows Patrick how the Auth0 platform integrates modern authentication into an application. These demo videos support the newsletter, so if you happen to subscribe to our product demo page on YouTube we sure would appreciate it.
Shorts
NVIDIA's "Hack Back" was, Sadly, Quite Boring
GPU and chip design company NVIDIA was breached, apparently by the South American-based ransomware gang Lapsus$. The group claimed to have stolen over 1TB of data from NVIDIA, and then complained that NVIDIA had 'hacked back' and used ransomware to encrypt the stolen data.
It appears Lapsus$ hacked NVIDIA via its corporate VPN and had installed NVIDIA's Mobile Device Management agent as a prerequisite to gaining access. NVIDIA used the MDM to encrypt the stolen data, although Lapsus$ say they made a backup.
In our view, this incident doesn't qualify as a true example of hacking back, but it does illustrate one of its potential benefits (our data was rendered useless to the attacker!) and also one of its limits (the hackers backed it up already!).
Some Very Tidy Malware from China
Symantec has described the Daxin malware as the most advanced piece of malware its researchers have seen used by a China-linked actor. CISA also described it as "a highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet".
Symantec states the earliest known sample dates to 2013, with "all of the advanced features seen in the most recent variants, with a large part of the codebase having already been fully developed". Yikes!
Chinese Attribute Historical Campaign to Equation Group
In a nice symmetry, Pangu Lab, a Chinese cyber security company, has released a report into malware it calls Bvp47 that it attributes to the NSA. This malware was also detected in 2013. It's possible that this report indicates a new naming and shaming strategy for the Chinese.
Sandworm Assembles Botnet
CISA and the UK government released a joint advisory on new malware they believe originates from the Sandworm group, which has been attributed to Russia's GRU military intelligence unit. Cyclops Blink targets home and small office networking devices, in particular WatchGuard firewall devices (although perhaps not exclusively). Cyclops Blink replaces VPNFilter, another widespread GRU botnet. To us, it looks like these botnets are enablers for the GRU, effectively providing a widespread VPN that also includes various attack capabilities such as MITM and HTTPS downgrade attacks.
Why the Warning on MuddyWater?
The UK and US governments issued a joint cyber security advisory about the Iranian Ministry of Intelligence and Security group MuddyWater aka SeedWorm. There is no specific information about what MuddyWater are actually doing, but it must be something to warrant an alert given other current events in Ukraine.