
Hackers from the Conti group, who may be associated with the Russian Federation, attacked critical infrastructure facilities in Ukraine

A group of cybercriminals, which consists of former members of the Conti ransomware gang, is now involved not only in financial fraud, but also in political fraud, writes The Verge. DOU found out exactly how these hackers attacked critical infrastructure facilities in Ukraine about ten times since April 2022.

Because of the war in Ukraine, cyber activity in the region is growing, in particular hacktivism and electronic warfare. This pushes cybercriminals who are still pursuing money to orient their operations around the geopolitical situation.

From April to June 2022, Threat Analysis Group, a Google team that tracks cyber activity, recorded "an increase in the number of financially motivated threat actors targeting Ukraine whose activities appear to be closely linked to attackers backed by the Russian government."

DOU learned that the Ukrainian government's Computer Emergency Response Team CERT-UA recorded about a dozen cyber attacks directed against critical infrastructure facilities in Ukraine (transport, energy, etc.).

Members of this cluster use their expertise to act as initial access brokers: hackers who first compromise a computer system and then sell that access to other parties interested in exploiting the target.

In recent campaigns, the criminals sent phishing emails to a number of Ukrainian government agencies while posing as the Cyber Police of Ukraine. In other phishing campaigns, they posed as Starlink representatives. These emails contained links that installed malware disguised as software required to connect to the Internet via Starlink. The Conti-related group also exploited the Follina vulnerability on Windows systems.

"Alongside Metasploit and Cobalt Strike Beacon, the cybercriminals used a 'unique' toolkit of malware: IcedID (Anubis), AnchorMail and the corresponding cryptor. These programs were the prerogative of the organized malicious groups Wizard Spider (Conti/TrickBot) / Lunar Spider (IcedID) and until April 2022 were used in attacks on organizations outside of Ukraine. Taking into account the relevance of the detected activity for Ukraine, a separate cluster, UAC-0098, has been created," says Yevgenia Volivnik, head of CERT-UA of the State Special Communications Service.

The CERT-UA team reported the possible cyber attacks. In addition, they studied the cyber threats in detail and confirmed that the resources of these groups were used for targeted attacks on objects in Ukraine. For example, one of these "campaigns" had the conditional name "ZOV".

"Let me remind you that the Conti group, after the beginning of Russia's armed aggression against Ukraine, unsuccessfully declared its support for the actions of the aggressor country. Soon after, the mentioned team ceased to exist: some of its participants were deanonymized by researchers, and internal correspondence and other data were published on the Internet," Volivnik adds.

In general, such cases show that cybercriminals are now adapting their activities to the geopolitical interests at play in a particular region.