For years, Russian cybercrime groups have operated with relative impunity. The Kremlin and local law enforcement largely turn a blind eye to devastating ransomware attacks as long as they don’t target Russian companies. Despite direct pressure on Vladimir Putin to crack down on ransomware groups, those groups remain closely tied to Russia’s interests. A recent leak from one of the most prominent of them provides insight into the nature of these ties, and into how fragile they can be.
The cache of 60,000 leaked chat messages and files from the notorious Conti ransomware group provides glimpses of how well-connected the criminal gang is in Russia. The documents, reviewed by WIRED and first published online in late February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, show how Conti operates on a day-to-day basis and what its crypto ambitions are. They also point to ties between Conti members and the Federal Security Service (FSB), and show that the group is well versed in the operations of Russia’s government-backed military hackers.
As the world struggled to cope with the outbreak and early waves of the Covid-19 pandemic in July 2020, cybercriminals around the world turned their attention to the health crisis. On July 16 of that year, the governments of the UK, US and Canada publicly called out Russia’s state-backed hackers for attempting to steal intellectual property related to the earliest vaccine candidates. The Cozy Bear hacking group, also known as Advanced Persistent Threat 29 (APT29), attacked pharmaceutical companies and universities using modified malware and known vulnerabilities, the three governments said.
Days later, Conti’s leaders discussed Cozy Bear’s work and referred to its attacks. Stern, Conti’s CEO-like figure, and Professor, another senior member of the gang, talked about creating a dedicated office for “government issues.” The details were first reported by WIRED in February, but are also included in the wider Conti leaks. In the same conversation, Stern said there was someone “outside” who paid the group (although it wasn’t specified for what), and the two discussed taking on targets supplied by that source. “They’re asking a lot for Covid right now,” said Professor. “Cozy Bears are already working their way down the list.”
“They refer to the creation of some long-term project and seem to throw out this idea that they [the external party] will help in the future,” says Kimberly Goody, director of cybercrime analytics at security firm Mandiant. “We believe this is a reference to if they are going to be pursued by law enforcement, that this outside party may be able to help them with that.” Goody points out that the group also mentions Liteyny Avenue (literally “Foundry Avenue”) in Saint Petersburg, home of the FSB’s local offices.
While evidence of direct ties between Conti and the Russian government remains elusive, the gang’s activities continue to align with Russian national interests. “The impression from the leaked chats is that Conti leaders understand they are allowed to operate as long as they follow unspoken instructions from the Russian government,” said Allan Liska, an analyst at security firm Recorded Future. “There appears to have been at least some lines of communication between the Russian government and Conti management.”
In April 2021, Mango, a key Conti manager who helps organize the group, asked Professor, “Are we working on politics?” When Professor asked for more information, Mango shared the chat messages they had exchanged with someone using the name JohnyBoy77 (all members of the gang use pseudonyms to hide their identities). The pair discussed people “working against the Russian Federation” and the possibility of intercepting information about them. JohnyBoy77 asked whether Conti members had access to the data of anyone associated with Bellingcat, the open source investigative outlet that has exposed Russian hackers and secret networks of assassins.
In particular, JohnyBoy77 requested information related to Bellingcat’s investigation into the poisoning of Russian opposition leader Alexei Navalny. They asked about Bellingcat’s files on Navalny, mentioned access to Bellingcat members’ passwords, and mentioned the FSB. Responding to the Conti conversation, Bellingcat executive director Christo Grozev tweeted that the group had previously received a tip that the FSB was talking to a cybercrime group about hacking its associates. “I mean, are we patriotic or what?” Mango asked Professor about the files. “Of course we are patriots,” they replied.
Russian patriotism runs throughout the Conti group, most of whose members are based in the country. The group is nonetheless international in scope, with members in Ukraine and Belarus and links to people further afield. Not everyone in the group agrees with Russia’s invasion of Ukraine, and members have discussed the war. “With the globalization of these ransomware groups, just because Conti’s leadership aligned well with Russian politics didn’t mean affiliates felt the same way,” Liska says. In a series of conversations dating back to August 2021, Spoon and Mango talked about their experiences in Crimea. Russia invaded Crimea and annexed the region from Ukraine in 2014, a move Western leaders say they should have done more to stop. The area was beautiful, they agreed, but Spoon hadn’t visited in 10 years. “I’ll have to go check it out next year,” Spoon said. “Russian Crimea.”