For years, Russian cybercrime groups have operated with relative impunity. The Kremlin and local law enforcement have largely turned a blind eye to disruptive ransomware attacks, as long as they do not target Russian companies. Despite direct pressure on Vladimir Putin to tackle ransomware groups, those groups remain intimately tied to Russian interests. A recent leak from one of the most notorious of them offers insight into the nature of those ties, and into how tenuous they may be.
A cache of 60,000 chat messages and leaked files from the notorious Conti ransomware group offers clues to how well-connected the criminal gang is inside Russia. The documents, reviewed by WIRED and first published online in late February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, show how Conti operates on a daily basis and what its crypto ambitions are. They also reveal how Conti members have connections to the Federal Security Service (FSB) and keen knowledge of Russian state-backed hacking operations.
As the world struggled to cope with the first waves of the COVID-19 pandemic in July 2020, cybercriminals around the world turned their attention to the health crisis. On July 16 of that year, the UK, US, and Canadian governments publicly called out Russia's state-backed hackers for attempting to steal intellectual property related to early vaccine candidates. The Cozy Bear hacking group, also known as Advanced Persistent Threat 29 (APT29), was attacking pharmaceutical companies and universities using custom malware and known vulnerabilities, the three governments said.
Days later, Conti's leaders discussed Cozy Bear's work and touched on their own ransomware attacks. Stern, the Conti CEO-like figure, and Professor, another high-ranking gang member, discussed creating an office specifically for "government issues." Details were first reported by WIRED in February, but they are also included in the wider Conti leaks. In the same conversation, Stern said that someone "outside" was paying the group (the messages do not say for what), and the two discussed taking on targets supplied by that source. "They want a lot about Covid right now," Professor told Stern. "Cozy bears are already making their way up the list."
"They refer to the creation of some long-term project and apparently dismiss the idea that [the external party] would help in the future," says Kimberly Goody, director of cybercrime analysis at security firm Mandiant. "We think it's a reference to whether there would be law enforcement action against them, that this outside party could help them with that." Goody notes that the group also mentions Liteyny Avenue in St. Petersburg, home of the local FSB offices.
While evidence of Conti's direct ties to the Russian government remains elusive, the gang's activities remain in line with Russian national interests. "The impression from the leaked chats is that Conti leaders understood that they were allowed to operate as long as they followed the unspoken guidelines of the Russian government," says Allan Liska, an analyst at security firm Recorded Future. "There seemed to be at least some lines of communication between the Russian government and the Conti leadership."