For years, Russia’s cybercrime groups have acted with relative impunity. The Kremlin and local law enforcement have largely turned a blind eye to disruptive ransomware attacks as long as they didn’t target Russian companies. Despite direct pressure on Vladimir Putin to tackle ransomware groups, they’re still intimately tied to Russia’s interests. A recent leak from one of the most notorious such groups provides a glimpse into the nature of those ties—and just how tenuous they may be.
A cache of 60,000 leaked chat messages and files from the notorious Conti ransomware group provides glimpses of how the criminal gang is well connected within Russia. The documents, reviewed by WIRED and first published online at the end of February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, show how Conti operates on a daily basis and its crypto ambitions. They likely further reveal how Conti members have connections to the Federal Security Service (FSB) and an acute awareness of the operations of Russia’s government-backed military hackers.
As the world was struggling to come to grips with the COVID-19 pandemic’s outbreak and early waves in July 2020, cybercriminals around the world turned their attention to the health crisis. On July 16 of that year, the governments of the UK, US, and Canada publicly called out Russia’s state-backed military hackers for trying to steal intellectual property related to the earliest vaccine candidates. The hacking group Cozy Bear, also known as Advanced Persistent Threat 29 (APT29), was attacking pharma businesses and universities using altered malware and known vulnerabilities, the three governments said.
Days later, Conti’s leaders talked about Cozy Bear’s work and referenced its ransomware attacks. Stern, the CEO-like figure of Conti, and Professor, another senior gang member, talked about setting up a specific office for “government topics.” The details were first reported by WIRED in February but are also included in the wider Conti leaks. In the same conversation, Stern said they had someone “externally” who paid the group (although it is not stated what for) and discussed taking over targets from the source. “They want a lot about Covid at the moment,” Professor said to Stern. “The cozy bears are already working their way down the list.”
“They reference the setting up of some long-term project and seemingly throw out this idea that they [the external party] would help in the future,” says Kimberly Goody, director of cybercrime analysis at the security firm Mandiant. “We believe that’s a reference to if law enforcement actions would be taken against them, that this external party may be able to help them with that.” Goody points out that the group also mentions Liteyny Avenue in St. Petersburg—the home to local FSB offices.
While evidence of Conti’s direct ties to the Russian government remains elusive, the gang’s activities continue to fall in line with national interests. “The impression from the leaked chats is that the leaders of Conti understood that they were allowed to operate as long as they followed unspoken guidelines from the Russian government,” says Allan Liska, an analyst for the security firm Recorded Future. “There appeared to have been at least some lines of communication between the Russian government and Conti leadership.”