Threat Actors: Conti Ransomware Group Announces it will Use ‘Retaliatory Measures’ Against ‘Western Warmongers’
On Friday, February 25th security researcher Brett Callow shared on Twitter a statement from the ransomware group Conti stating "The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy." (1) By Sunday evening the Conti Team modified their statement to be more nuanced, beginning with “As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world…..” (2) While still politically charged, the updated Conti statement attempts to distance the group from the Russian government while threatening cyberattacks toward the U.S. and the West.
By Sunday, February 27th, an unidentified actor leaked alleged Conti Group internal communications, concluding that message with ‘Glory to Ukraine!’ (3) The leaked information included information about Conti’s relationship with other cybercrime organizations, details of ransom negotiations, Bitcoin addresses, and more. (4)
In the year a half since Conti was first observed, it seemed to enjoy a permissive environment in which their Russian benefactors allowed them significant autonomy. For example, Conti has been known for targeting critical infrastructure; in May 2021 the FBI released an advisory describing sixteen Conti ransomware attacks targeting U.S. healthcare and first responder networks. (5) The long-term impact of the Russia-Ukraine conflict on cybercriminal organizations like Conti Group is yet to be seen. With the Russia-Ukraine conflict bringing more scrutiny to cyber as a tool of war, EclecticIQ analysts speculate that the Conti Group and others like it may be forced to change their modus operandi. Increased public awareness of cybercrimes, a host government which is increasingly isolated, and even the group’s own internal divisions over issues like Russia’s invasion of Ukraine may force cybercriminal groups to adapt in unexpected ways. One of the more likely scenarios for the near term is an escalation on both sides of cyber conflict; increasingly aggressive and government-directed attacks on one side, with growing defense and counter measures on the other.
Policy and Governance: Governments Across the World Warn of (or Brace For) Conflict-Related Cyberattacks
Last week, EclecticIQ noted cyberattacks against Ukrainian websites were likely to continue as tensions between Russia and Ukraine increased. We also noticed warnings from authorities in Germany, Australia, and the U.S. that Russia may launch cyberattacks targeting assets of Ukraine and its allies, and that organizations should take measures to secure and defend their networks. (6, 7, 8) This week, our analysts note a spate of cyberattacks targeting organizations around the world, including against McDonalds, a supplier for Toyota plants in Japan, satellite giant Viasat (which enables remote control of wind turbines in Germany), and a Bridgestone tire plant in Iowa (U.S.). (9, 10, 11, 12)
More aggressive cyberattacks are probably increasingly likely once economic sanctions targeting Russian actors and assets are in place. So far, only one of the four recent attacks mentioned above has been claimed by Russian-linked threat actors (McDonalds). It is possible that the other three attacks could have been in the works for weeks or months. The timing of these attacks coincides with news that each of these nations will impose sanctions on Russia, but so far there is no definitive evidence Russia initiated attacks because of sanctions (13, 14). EclecticIQ analysts will watch for indicators that any forthcoming attacks may be specifically targeting nations which are most vocal in their opposition to Russian military action as a form of retribution, which could indicate Russian criminal actors shifted from a financial motivation to more ideological driven attacks.
New and Noteworthy: Many Industries, Including Big Tech, Find Themselves with a Role to Play as the War of Words Intensifies
This conflict is one of the clearest examples to date of private corporations using their business reach to participate in shaping the narrative surrounding the conflict. The EU announced part of its sanctions package against the Kremlin would include banning Russian state TV channels RT and Sputnik and their subsidiaries from sowing ‘division in our union.’ (15) U.S. tech giants Meta and Google announced they are disallowing Russian state-owned media from monetizing their platforms or spreading disinformation, and energy companies from the UK and Norway reduced or eliminated their cooperation with Russian partners. (16) Even more symbolic moves are gaining media attention; international soccer governing bodies FIFA and UEFA banned Russian teams from competing, but Polish and Swedish teams had already declined to play Russia in this spring’s World Cup qualifying matches. (17) Many U.S. state governors and business owners in the U.S. and Canada assumed a different tactic—either banning or refusing to sell Russian vodka in liquor stores and bars. (18) Russia is being equally aggressive in its aim to influence the narrative. Internal to Russia, where commerce and governance are more tightly controlled, the government asserted its control over the narrative by shutting down some free press outlets and banning press from describing Russia’s actions as an attack, an invasion, or a war. (19)
Most interesting to EclecticIQ is how the information warfare angle of the conflict is playing out when large TV stations, social media companies, and internet providers decide to amend information or access to it. Both sides are playing the media game with specific intent: Ukraine to garner quick international support of any kind (especially military support), and Russia to convince a domestic audience of the legitimacy of the conflict. Unlike normal CTI analysis of indicators and artefacts, the measure of success in a war of words comes down to popular opinion—or, as the phrase goes ‘winning hearts and minds.’
One measure of the effectiveness of the war on words is the myriad of players who recently entered the hacktivism space willingly. In addition to Conti declaring support for the Russian government (discussed above), reporting indicates several hacking groups including Anonymous will use their skills to support Ukrainian cyber objectives. (20, 21) Ukraine’s Vice Prime Minister Fedorov called supporters to create an ‘IT army’ to fight Russian cyber intrusions. (22) EclecticIQ analysts will continue reporting on the success and challenges associated with this phenomenon as the conflict continues.
Appendix
- https://twitter.com/BrettCallow/status/1497249143663652865
- https://twitter.com/y_advintel/status/1497293187798507525
- https://twitter.com/vxunderground/status/1498060366445613056
- https://www.databreachtoday.com/ukrainian-researcher-leaks-conti-ransomware-gang-data-a-18620
- https://www.aha.org/system/files/media/file/2021/05/fbi-tlp-white-report-conti-ransomware-attacks-impact-healthcare-and-first-responder-networks-5-20-21.pdf
- https://www.tagesschau.de/newsticker/liveblog-russland-ukraine-krise-donnerstag-101.html#Deutsche-Behoerden-sorgen-sich-um-Cybersicherheit
- https://www.cyber.gov.au/acsc/view-all-content/alerts/australian-organisations-encouraged-urgently-adopt-enhanced-cyber-security-posture
- https://www.cbsnews.com/video/biden-administration-warns-of-russian-cyber-attacks-on-u-s-infrastructure/
- https://www.dailymail.co.uk/news/article-10553013/Russia-linked-hacker-gang-claims-ransomware-attack-McDonalds.html
- https://asia.nikkei.com/Business/Automobiles/Toyota-to-halt-operations-at-all-Japan-plants-due-to-cyberattack
- https://news.sky.com/story/satellite-giant-viasat-probes-suspected-broadband-cyberattack-amid-russia-fears-12554004
- https://www.desmoinesregister.com/story/money/business/2022/02/28/bridgestone-tire-factory-des-moines-cancels-shifts-amid-cyberattack/6972256001/
- https://www.reuters.com/business/japan-govt-cbank-executives-meet-ukraine-crisis-jolts-markets-2022-02-28/
- https://apnews.com/article/russia-ukraine-business-europe-european-union-704b3b6678c5d23bd05482c89a0384d2
- https://www.theguardian.com/media/2022/feb/27/eu-ban-russian-state-backed-channels-rt-sputnik
- https://fortune.com/2022/02/28/business-sanctions-russia-ukraine-invasion-google-daimler-meta-fifa/
- https://www.reuters.com/lifestyle/sports/poland-will-not-play-world-cup-match-with-russia-polish-fa-head-2022-02-26/
- https://www.axios.com/russia-vodka-boycott-us-canada-ukraine-cc6942df-0ffa-45c6-a0fa-ac4adab4cb1f.html
- https://www.theguardian.com/world/2022/feb/26/propaganda-filters-truth-ukraine-war-russian-media
- https://securityaffairs.co/wordpress/128392/hacktivism/anonymous-cyber-attacks-russia.html?utm_source=feedly&utm_medium=rss&utm_campaign=anonymous-cyber-attacks-russia
- https://cyberknow.medium.com/2022-russia-ukraine-war-cyber-group-tracker-update-1-ee3834fb03c
- https://www.reuters.com/world/europe/ukraine-launches-it-army-takes-aim-russian-cyberspace-2022-02-26/
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.