Ransomware
Up next
Author
Tags
Share article
The post has been shared by 0 people.
Facebook 0
Twitter 0
LinkedIn 0
Reddit 0
Pinterest 0
Pocket 0
Mail 0

Google has announced that its Threat Analysis Group (TAG) has detected ongoing cyberattacks against Ukraine that include former members of the Conti hacker group.

TAG is group of subject matter experts focusing on cybersecurity and forensic analysis that defends Google and its users from nation-state and advanced persistent threats.

The attacks have been persistent, with TAG detailing five separate attack campaigns by a group tagged as UAC-0098 against Ukraine and European non-governmental organizations (NGOs).

The attacks possess multiple indicators of repurposed attacks from the Conti hacker group, and former members of the group are confirmed to now be a part of UAC-0098.

UAC-0098 has historically carried out human-operated ransomware attacks. Google’s TAG unit first started tracking the group in April 2022, where it launched an email phishing campaign using AnchorMail (also known as “LackeyBuilder”). AnchorMail uses the simple mail transfer protocol (SMTP) for command and control (C2) communication. AnchorMail was developed by Conti.

Additional email campaign attacks were launched in April utilizing other malware such as IcedID and CobaltStrike.

Although the techniques varied, the targeting was consistently against Ukrainian hotels and organizations, per TAG.

In May 2022, UAC-0098 launched another attack against Ukrainian organizations, this time impersonating the National Cyber Police of Ukraine. The email had a malicious link and urged recipients to download an update for their operating system.

The attack would run a PowerShell script downloaded from a malicious domain on the victim’s computer.

The attacks continue to escalate, with UAC-0098 impersonating Microsoft and StarLink against European NGOs.

The Russian Conti hacker group may have disbanded, but they have now splintered off into separate groups, including UAC-0098. Ransomware gangs like BlackCat, Hive, and AvosLocker have all been infiltrated by former Conti members, according to BleepingComputer.

Conti first surfaced in 2020, replacing the Ryuk ransomware group.

You May Also Like
Wiz Cloud Cybersecurity Platform raises $1B at $12B valuation

Wiz Cloud Cybersecurity Platform raises $1B at $12B valuation

Wiz is one of the fastest-growing cybersecurity startups, with an IPO on the horizon
Microsoft Deploys GPT-4 to Azure Government Top Secret Cloud for DoD

Microsoft Deploys GPT-4 to Azure Government Top Secret Cloud for DoD

OpenAI’s GPT-4 multimodal large language model is coming to Azure Government Cloud Top Secret
RSAC 2024: Crowdstrike Falcon Cloud Security enhanced for cloud asset visualization Falcon Query Builder Falcon Asset Graph

RSAC 2024: Crowdstrike Falcon Cloud Security enhanced for cloud asset visualization

Crowdstrike is enhancing its Falcon Cloud Security platform for AI-assisted cyber incident detection, mitigation and response