
A Ransomware Crew Pledged Allegiance To Russia. Now Its Data Has Been Leaked By Pro-Ukraine Hacker


The shadow war between Russia and Ukraine, waged online, has opened a new front.

Conti, a hacker crew best known for ransomware attacks on Ireland’s national health service and KP Snacks, a U.K. food company whose potato-chip supply was threatened by the hack, has itself been hacked and had internal data leaked. The news comes a matter of days after Conti declared that it had sided with Russia in the conflict with Ukraine, saying it would be striking back against any organizations that attacked Moscow entities.

A message from the Conti leaker, signed off with “Glory to Ukraine!,” said they were releasing chat communications of the ransomware gang, promising “more dumps” were coming. Dmitry Smilyanets, a threat analyst for Recorded Future, confirmed the leaked communications were authentic. The leaker promised the files were “very interesting,” though didn’t specify why.

The Conti crew initially announced on Friday that it would launch attacks against those targeting Russia, but released a new message on its dark website on Sunday, reading: “As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.

“We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression.”

Another ransomware group, LockBit, took a different tack, saying it was apolitical and didn’t have a stance. “For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work. All we do is provide paid training to system administrators around the world on how to properly set up a corporate network,” according to a group post, tweeted by Smilyanets, the threat analyst.

“We will never, under any circumstances, take part in cyberattacks on critical infrastructures of any country in the world or engage in any international conflicts.”

Brett Callow, threat analyst and ransomware researcher at Emsisoft, said the Conti group “made an enormous tactical error in declaring a side as it risked upsetting individuals with knowledge of their operation, which is exactly what happened.”

“This will undoubtedly shake the confidence of affiliates and other associates, possibly to an extent that will make it hard for Conti to recover.”

The leaks are already having an impact, with one leaked chat indicating Conti was targeting journalists with a focus on Russia. Later on Monday, Christo Grozev, executive director of Bellingcat, tweeted chats between two Conti hackers in which they discussed targeting a contributor to his publication. Grozev said the hackers appeared to have a strong interest in its reporting on the poisoning of Alexey Navalny, an opponent of Vladimir Putin. “The problem is, we had already published the Navalny investigation, so thanks for re-reading us,” Grozev tweeted.

While it pales in comparison to the on-the-ground conflict, cyberattacks are being launched from both sides. On Monday, Sberbank and the Moscow Exchange were both targeted by the Ukraine IT Army, an officially endorsed group of volunteer hackers. Those attacks followed ones launched by Russia on Kyiv banks and government sites, as well as computer-wiping malware that spread across Ukraine in the lead-up to the physical invasion.
