Image: Yehor Milohrodskyi

Google: Conti repurposing tools for Ukraine attacks using Follina bug, Musk impersonation

Former members of the notorious Conti ransomware group have repurposed many of their tools for attacks on Ukrainian organizations, according to a new report from Google’s Threat Analysis Group (TAG).

Google researchers confirmed a report from IBM in July that found Conti initial access brokers — a term used to describe people with access to hacked enterprise networks — had switched their focus from general criminal attacks to ones targeted specifically at Ukrainian organizations in the hospitality industry.

Google noted that Ukrainian cybersecurity experts from CERT-UA tracked the group as UAC-0098 and said they are tied to at least five different campaigns conducted from April to August 2022.

“UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations,” Google security researchers said on Wednesday. 

“TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12/WIZARD SPIDER.”

TAG began tracking UAC-0098 after uncovering a phishing campaign in April that tried to spread a tool that provided backdoor access to systems. The tool — named AnchorMail — was developed by the Conti group, according to TAG. 

The report notes that the campaign “stood out because it appeared to be both financially and politically motivated” due to how experimental it was and because it went after Ukrainian organizations.

From April to mid-June, Google tracked a campaign from the group that repeatedly targeted Ukrainian hotels.

A May 11 attack on Ukrainian organizations working in the hospitality industry involved phishing emails purporting to be from the National Cyber Police of Ukraine.

The emails urged victims to click on a malicious link as a way to download updates for their operating system. 

Six days later, the same group took over a compromised email account of a hotel in India and began sending phishing emails with malicious ZIP archives to organizations working in the hospitality industry in Ukraine.

TAG found that the same compromised Indian hotel email account was used to attack NGOs in Italy.

By May 19, the group pivoted again, using a different tactic to get people to click on malicious links. The phishing emails purported to be from representatives of Starlink — the satellite internet subsidiary of Elon Musk’s rocket company SpaceX. 

Some of the emails pretended to be directly from representatives of Musk, urging people to click on a malicious link for an alleged software update for Starlink satellites. Musk has provided Ukraine with access to Starlink technology in an effort to help the country during its war with Russia.

Ukrainian organizations operating in the technology, retail and government sectors were then hit with a similar attack on May 23. One day later, the Academy of Ukrainian Press was targeted with phishing emails containing Dropbox links to malicious documents.

Blurred lines

In June, UAC-0098 started a new campaign involving CVE-2022-30190 — informally known as “Follina” by security experts.

“On June 19, TAG disrupted a campaign with more than 10,000 spam emails impersonating the State Tax Service of Ukraine. The emails had an attached ZIP file containing a malicious RTF file,” Google researchers explained.

The report includes a copy of one of the fake emails, which claim to come from the State Tax Service of Ukraine and urge people to open a malicious document related to paying taxes. 

TAG researchers said UAC-0098 activities are an example of how the lines between financially motivated cyberattacks and government-supported hacks are blurring. 

“Rather uniquely, the group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains. So far, TAG has not identified what post-exploitation actions UAC-0098 takes following a successful compromise,” the researchers said. 

Conti had been linked to more than 850 ransomware attacks since 2019, according to data collected by Recorded Future, including 2021 attacks against Ireland’s Health Service Executive.

But in May, the group started taking down much of its infrastructure after the U.S. State Department put out a $10 million bounty for information on the whereabouts of its leaders. The bounty came as Conti brazenly held the government of Costa Rica for ransom and threatened to “overthrow” the country’s newly-elected president.

The U.S. Rewards for Justice program took the unprecedented step last month of sharing an image of a man it said is tied to the group who goes by the name “Target,” and said it is searching for other members who use the handles “Reshaev,” “Professor,” “Tramp,” and “Dandis.”

The State Department also highlighted the group’s ties to Russia — Conti pledged support to the Russian government following its invasion of Ukraine in February “and threatened critical infrastructure organizations of countries perceived to carry out cyberattacks or war against the Russian government,” the U.S. State Department said.

Emsisoft Threat Analyst Brett Callow, a ransomware expert tracking the various criminal groups behind attacks, told The Record that given Conti’s previous threats of retaliatory attacks on U.S. critical infrastructure in the event of the U.S. attacking Russia after its invasion of Ukraine, “it wouldn’t be at all surprising if some of the Conti team were targeting Ukraine.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.