As Russia’s invasion of Ukraine enters its fifth day, a coalition led by the US and Europe has mounted a coordinated response focused on financial sanctions and, increasingly, military aid. While the conflict grows in scale and intensity, organizations far beyond the apparatus of military and government are being drawn in — including ransomware groups active in Russia and Ukraine.
That gravitational pull is particularly fraught in Russia, where the borders between hackers and the Russian intelligence services are sometimes porous, and one group in particular has been made to pay for its allegiance to the Putin regime.
On Friday, the notorious ransomware gang Conti surprised many observers by explicitly casting its lot with Putin’s military agenda, declaring “full support” for the Russian government and threatening to mount attacks on critical infrastructure of any adversaries launching cyberattacks against Russia.
Two days later, on February 27th, Conti's posturing backfired spectacularly when an anonymous individual leaked a cache of chat logs from the organization, revealing a large amount of previously unpublished information about the ransomware group's internal workings.
The leaked data contains more than a year's worth of chat logs from Jabber, the open instant messaging protocol (XMPP), with messages exchanged between at least 20 handles presumed to belong to members of the gang. Among other things, the logs appear to confirm a chain of command linking Conti to Russian intelligence agencies: according to Christo Grozev, executive director of the open-source intelligence research group Bellingcat, they show that members of Conti tried to hack a Bellingcat contributor on the orders of Russia's main internal security service, the FSB.
Russia has been widely criticized for harboring cybercriminal groups in the past, and with certain exceptions — notably the public takedown of the REvil hacker group by the FSB in January — they are largely allowed to operate with impunity provided they refrain from attacking domestic targets. But while proximity to the Russian government has been an advantage for cybercriminals in the past, there are some signs that the dynamics of the Ukraine invasion are turning it into a liability.
Though the identity of the leaker has not been revealed, Alex Holden, the Ukrainian-born founder of cybersecurity company Hold Security, said that the logs had been leaked by a Ukrainian security researcher who had managed to infiltrate the Conti gang.
“This is a Ukrainian citizen, a legitimate cybersecurity researcher, who is doing this as part of his war against cybercriminals who support the Russian invasion,” Holden said. Further details of the leaker’s identity could not be disclosed without risking his safety, Holden said.
The Record reports that the chat logs also contain Bitcoin addresses at which payments to the Conti gang were received, as well as messages detailing negotiations between Conti and companies that had never publicly disclosed a ransomware incident.
Bill Demirkapi, a security researcher who published a version of the logs machine-translated into English with Google Translate, confirmed to The Verge that the logs contain details of Conti's technical infrastructure and logistical operations, discussions of zero-day vulnerabilities, and information about the group's internal tooling. Given how little time had passed since the logs were released, Demirkapi said, it was hard to assess their long-term impact on the group.
Although many of the most prolific ransomware groups are considered to be aligned with Russia, in practice, many of them are transnational entities and include a diversity of ethnicities and nationalities, said Chester Wisniewski, principal research scientist at Sophos. With international opinion overwhelmingly favoring Ukraine, many of them may have decided to steer clear of the conflict rather than declare support for the Russian invasion.
“The polarizing nature of this conflict — which effectively seems to be the whole world versus Russia — means there’s way less [cybercriminal] activity than we expected,” Wisniewski said. “I think there’s a lot of sympathy for Ukraine among members of these different groups, and as a result they’re sitting it out.”
LockBit, another ransomware group and effectively a competitor to Conti, released a statement on Sunday saying that the group would not target Western infrastructure, supposedly due to the international makeup of the organization. Rather than profess any support for Ukraine, the statement declared neutrality in the conflict.
“For us it is just business and we are all apolitical,” the message posted by LockBit said.
Though ransomware gangs (with the exception of Conti) have been reluctant to choose sides, certain hacktivist groups, which are by definition political, have rushed to join the cause. A hacktivist group operating from Belarus has claimed to be disrupting the movement of military units by shutting down railways in the country, after missile strikes against Ukraine were launched from Belarusian territory and the Belarusian government agreed to support Russia by sending troops across the Ukrainian border.
Separately, a Twitter account linked to Anonymous declared that the hacking collective was “officially in cyber war against the Russian government,” and the group claimed responsibility for a number of DDoS attacks and other hacks against Russian government websites and media channels.
Though other groups with offensive hacking capabilities may be tempted to join the conflict, cybersecurity professionals have cautioned against escalation. Regardless of intent, cyberattacks can have unforeseen consequences, particularly when the targets are tied to infrastructure or other critical services that civilians depend on as well as the military.
“I’m worried about collateral damage from the ‘good guys,’ the vigilantes,” Wisniewski said. “Encouraging people to attack [cyber targets], that to me is a very dangerous situation … it’s not just an innocent activity when you don’t know the side effects.”