Former Conti ransomware actors are attacking political targets such as the Ukrainian government, according to a new post by Google's Threat Analysis Group.
TAG's Wednesday report covered five campaigns conducted by a threat actor from April to August. The group, tracked as UAC-0098 by the Ukrainian computer emergency response team, CERT-UA, has recently focused its attacks toward the Ukrainian government, Ukrainian organizations, and various European humanitarian and nonprofit organizations.
According to TAG's report, UAC-0098 is an initial access broker that has worked with various ransomware groups including Conti and Quantum, and it was historically known to use the IcedID banking Trojan.
A notable piece of TAG's new report concerns the ransomware group Conti.
"Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine," Google software developer and post author Pierre-Marc Bureau wrote.
According to threat analysts and government officials, the vast majority of cyber attacks against Ukraine have been conducted by state-sponsored groups run by Russian intelligence agencies rather than cybercriminal gangs or independent contractors. However, Conti has stood out as a rare exception.
Though the gang was first detected in 2020, Conti gained prominence in late February when it declared support for Russia in the country's invasion of Ukraine. This was followed by a massive leak of Conti tools and internal documentation, as well as a $10 million bounty from the U.S. government after the gang hacked the Costa Rican government in mid-April.
According to a May report from threat intelligence vendor AdvIntel, Conti has been in the process of rebranding and splitting into multiple groups after its pro-Russian declaration caused ransom payments to dry up.
Bureau's report provided two indicators connecting UAC-0098 to Conti: a previously undisclosed private backdoor used by Conti-affiliated groups, and the use of a command and control tool assessed to be developed by Conti. TechTarget Editorial asked for other indicators, but Google has not responded at press time.
The TAG post provided technical details for a number of recent UAC-0098 attacks; a standout aspect was that the attacks appeared to blur the lines between financial and politically motivated cybercrime. For example, one UAC-0098 campaign targeted Ukrainian organizations in the hospitality industry, but the attack itself included the deployment of banking Trojan IcedID.
"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," Bureau wrote. "Rather uniquely, the group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains."
Bureau noted that TAG has not identified post-exploitation activity conducted by the threat actor.
Alexander Culafi is a writer, journalist and podcaster based in Boston.