Former Conti Ransomware Gang Members Helped Target Ukraine, Google Assert

A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says.

The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity. With the war in Ukraine has lasted more than half a year, cyber activity including hacktivism and electronic warfare has been a constant presence in the background.

Spiral Profit Seeking Ransomware Gangs

Now, TAG says that profit-seeking cybercriminals are becoming more active in the area in greater numbers. However, their activities seem closely aligned with Russian government-backed attackers, writes TAG’s Pierre-Marc Bureau.

One of these state-backed actors has already been designated by CERT — Ukraine’s national Computer Emergency Response Team — as UAC-0098. Nevertheless, a new analysis from TAG links it to Conti, a prolific global ransomware gang that shut down the Costa Rican government with a cyberattack in May.

Based on multiple indicators, TAG assesses that some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine, the Bureau writes.

The group known as UAC-0098 has previously used a banking Trojan known as IcedID to carry out ransomware attacks. Nevertheless, Google’s security researchers say it is now shifting to campaigns that are both politically and financially motivated.

Phishing Campaigns Impersonated Representatives of Starlink

The members of this group are using their expertise to act as initial access brokers — the hackers who first compromise a computer system and then sell off access to other actors.

Furthermore, Recent campaigns saw the group send phishing emails to several organizations in the Ukrainian hospitality industry.

Simply, purporting to be the Cyber Police of Ukraine or, in another instance, targeting humanitarian NGOs in Italy with phishing emails sent from the hacked email account of an Indian hotel chain.

Other phishing campaigns impersonated representatives of Starlink, the satellite internet system operated by Elon Musk’s SpaceX. The emails delivered links to malware installers disguised as software required to connect to the internet through Starlink’s systems.

Overall, Google researchers point to blurring lines between financially motivated and government-backed groups in Eastern Europe.