ISMG Editors: What Have We Learned From the Conti Leaks?
Also: US Treasury Sanctions on Crypto Mixer; Russia's Continuing Hybrid War
Anna Delaney (annamadeline) • May 13, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity issues, including intriguing insights exposed by the leak of ransomware gang Conti's internal communications, the U.S. Treasury's first-ever sanctions on a cryptocurrency mixer and the latest cyber activity in Russia's hybrid war.
The editors - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Rashmi Ramesh, senior subeditor, ISMG's global news desk; Mathew Schwartz, executive editor, DataBreachToday & Europe - discuss:
- Surprising findings gleaned from the leak of Conti's internal communications, including how ransomware gangs regularly communicate and collaborate, as well as steal or borrow from each other's work;
- How the United States has sanctioned virtual currency mixer Blender.io for its role in enabling North Korea to conduct "malicious cyber activities and money laundering of stolen virtual currency";
- The latest cyber disruptions as Russia's war in Ukraine rages on.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the April 29 edition discussing which virtual currency criminals prefer and the May 6 edition with a special guest - creator of Zero Trust, John Kindervag.
Anna Delaney: Hello, this is the ISMG Editors' Panel. I'm Anna Delaney and this is our weekly discussion and analysis of the latest cybersecurity stories. And with me this week are Mathew Schwartz, executive editor of DataBreachToday and Europe; Rashmi Ramesh, senior sub editor for ISMG's Global News Desk; and Tony Morbin, executive news editor for the EU. Wonderful to see you.
Tony Morbin: Good to see you.
Rashmi Ramesh: Thanks for having us.
Delaney: Tony, where are you today? Intriguing!
Morbin: Oh, it's pretty generic, but it's about satellite communications. And as I speak, you'll understand why.
Mathew Schwartz: Is this you contacting Mothership, Tony?
Morbin: Absolutely, yes.
Schwartz: Excellent!
Delaney: Talking of ships, I don't know if that's a great segue. But Rashmi, you're outside. There's some water.
Ramesh: I'm in a city, it's called Talakadu, which is about a three-hour drive from Bangalore where I live. So you basically have to walk through the woods to get to temples that were buried in sand, centuries ago. And as you walk on, you get to the riverbed behind me. People have excavated artifacts about 4,000 years old from here.
Delaney: Impressive! Were you there recently?
Ramesh: I was there about three weeks ago. I also went on one of these boats they call coracle boats. I think you have them in Britain as well or have had them in Britain at some point. They're made of bamboo and they're so much fun to ride.
Delaney: Hey, they sound fun. That's great. And Mathew, very residential, perhaps?
Schwartz: Very residential. This is a little getaway in Fife, in the center of Scotland. It was raining. I know that is an astounding surprise, never happens here in Scotland. But lovely to get away. Just farm fields. You can see the pockets, but there's all pockets and also some sheep.
Delaney: Lovely and we're keeping it fairly local then this week because I'm in London at the iconic London Eye. Just thought I'd warm us up for our London Summit coming up in a couple of weeks. So Mathew, let's start with ransomware. I hear there's a bit of chatter on Conti this week. Why is that?
Schwartz: There is a little leak in Conti's recent past. At the end of February, a Ukrainian security researcher got his hands on internal communications and source code for the Conti ransomware-as-a-service operation. If you're a journalist or into threat intelligence, or anyone who's interested in ransomware, the leaks are really interesting reading in terms of how one of the most virulent, if you will, ransomware operations today operates. To learn from these leaks, we're relying on security firms, security experts, and researchers, who have been going through the Russian-language communications and giving us translations. Kudos to them. And like I said, the leaks came out at the end of February, but we're still seeing interesting research and insights into what they contain, and what's going on. As these reports continue to get released, and interesting new trends get drawn out, I've been continuing to document them. One of the interesting things for me is, if I may quote a Beatles song, Conti does get by with a little help from its friends. Although friends might be overstating it. As I said in my piece, they beg, borrow, steal or do whatever else in pursuit of their illicit profits. For cybercrime, the imperative remains to make money and you'll find organizations doing that any way they can that's probably easy, won't get them into too much trouble, and gives them the most amount of profit for the least amount of work. What we see here, which is fascinating to me, are little things sometimes. Like Conti looking at the ransom note from Ragnar Locker, which I don't know if you remember, but it's interesting because Ragnar Locker threatened any victim who reached out to police or professional investigators. It said, if you do this, we will immediately leak all of your data. Scare tactics, right?
Because the likelihood of them knowing that you had contacted the FBI for help, provided you took appropriate measures, perhaps not using the email that the ransomware gang had compromised, provided you did that, they shouldn't really know the FBI was involved. But we see them when it comes to trying to pressure victims. There are a lot of non-tactical tactics brought to bear. I just thought that was fascinating. They liked the wording of this ransom note and so the leaked chats from the internal Conti people basically say, steal it, we're going to use that from now on. Other interesting details: the leaks have revealed a lot of back and forth with other groups. We saw some of this from the outside, we might see or we might have seen a victim, supposedly, who got hit by one group. But the stolen data was being cross-posted on somebody else's ransom site. It looks like there was some kind of cartel activity between these different groups working together. The leaks provide more information on that. For example, the Maze group. Supposedly Maze, which went away at the end of 2020, was in discussions with Conti or possibly Conti's predecessor, Ryuk. The leaks have revealed very close ties between Conti and Ryuk. And again, this isn't a huge surprise because security experts said Conti's code appeared to be based on Ryuk's. But it wasn't clear how they might have gotten that. Did they hire a developer, for example? According to the leaks, it looks like there was extremely high-level access; at least some higher-ups in Conti knew some higher-ups in Ryuk, maybe because they'd all been part of the same organization. Organizationally, another really fascinating takeaway is that the person codenamed Stern, who runs Conti, which has about 100 employees, appears to have extremely close ties with Russia's FSB, a law enforcement agency.
There are multiple references to how Stern is tight with the Russian government, works for Putin, I think, in a general sense, is the implication there. But these leaks have also revealed extremely close connections, it seems, between this Russian-language ransomware group and Russia's law enforcement and intelligence apparatus. We suspected this, but the leaks provide real proof that this is actually the case.
Delaney: Fascinating! So Mathew, how damaging have these leaks been to the group?
Schwartz: Yeah, unfortunately, there seems to have been no fallout, no damage that we can perceive. Conti's attacks don't seem to have decreased. The spilled source code, as far as I can tell, doesn't appear to have given anti-ransomware firms or security firms a leg up on combating its attacks. Now perhaps it's happening quietly? That would be wonderful, if so, but definitely, we haven't seen the number of Conti's attacks go down. It's interesting, I'm not seeing an impact.
Delaney: And you say it's gone up?
Morbin: Yeah, 50 in the last month, I believe, including the huge one on Costa Rica.
Schwartz: The government of Costa Rica, and then Peru's intelligence agency, supposedly, is just a victim. As Tony says, we do know to an extent, the victim count. But Conti like other groups that run data leak sites only names victims who haven't paid and it doesn't always name them all. So we never have an accurate sense of who all it has hit. And in fact, the leaks have revealed, I think, close to 100 victims that had never come to light before publicly who had paid Conti. I think most of them had paid Conti. Lots going on that we don't know about. But definitely like Tony said, a huge number of victims still coming to light.
Delaney: Never stops, does it, Mathew? Rashmi, coming to you, our next story is on cryptocurrency mixers. And I know that Conti has not been impartial to using a few mixers, particularly Blender.io. So Blender has been in the news this week. What's up?
Ramesh: The Treasury recently sanctioned its first virtual currency mixer, Blender, and it was part of its move to actually curb illicit activity by North Korean state-sponsored actors who used this mixer to launder stolen virtual currency. So a quick summary: Basically it takes cryptocurrencies, breaks them up into smaller pieces, mixes the pieces up with other clean coins, and then redistributes random increments of tumbled coins to designated cryptocurrency wallets at random times. This is basically done to make it harder for law enforcement to follow the flow of funds on the blockchain and trace it back to them. Back to Blender, it was actually used by hacker group Lazarus to launder a small portion of the $620 million it stole from Axie Infinity, which is by far one of the largest, if not the largest, virtual currency heists recorded. The Treasury Department said that the mixer was being used to launder money stolen from crypto exchanges and also other financial institutions to generate revenue for developing unlawful weapons of mass destruction and ballistic missile programs. And it's not just North Korea. Blender does not have borders. It has also facilitated money laundering for ransomware groups that Matt spoke about: Conti, Ryuk, TrickBot, and Sodinokibi. The US has taken measures against tumblers in the past, but this is the first one that is sanctioned.
Delaney: Just to be clear, a mixer is not illegal. It's just the lack of compliance controls.
Ramesh: Yes. You also have centralized mixers. You have decentralized ones that have anti-money laundering laws baked into them. Not all of them are illegal, of course.
Schwartz: It's a huge tool for money laundering, not just if you're a cybercriminal, but also drug cartels, anybody else who wants to try to launder money. These have been widely used tools.
Delaney: How do you think criminals will adapt? I'd love your thoughts. Matt, I'm sure you have thoughts as well because Bitcoin mixer is not the only way to obfuscate the transactions. How will the criminals evolve and adapt?
Ramesh: We've seen in the past that they've usually been quick to adapt whenever law enforcement has taken steps to curb illicit crime. But with lawmakers finally recognizing that this is something that you do need to pay attention to, and they are paying quite a bit of attention too, here's hoping that they're one step ahead of the cybercriminals.
Schwartz: Yeah, we see a lot of efforts to get exchanges and other services involved in cryptocurrency to comply with existing regulations, know-your-customer rules, and also anti-money laundering rules. If you run a mixing service, and you comply with those rules, then the government is not going to come after you. But to your question of how criminals are going to respond if they can't easily obscure the trail of their Bitcoins. For example, if you're North Korea, as Rashmi noted, and attempting to launder millions to fund your weapons of mass destruction program, among other things, what do you do? And we've been seeing more groups look to Monero because that's a privacy coin. You don't need a mixer with Monero because it's already difficult to trace. Ransomware groups will sometimes ask for Bitcoin or Monero. If you pay with Bitcoin, they'll charge you a premium, usually anywhere between 10% and 20%, which covers their mixing charges. They're baking in the price of needing to obscure where the money goes. I think we'll maybe see more use of things like Monero. Not that it's necessarily as easy to procure or as easy for victims to pay. There's a bit of a cost-benefit analysis there for criminals, but I think more Monero is definitely on the cards.
Delaney: We will watch that closely. Thank you both. Tony, the Ukraine-Russia crisis, the war continues. What are we seeing on the cyber activity front?
Morbin: Well, in addition to condemning Russia for its unjustified and brutal invasion of Ukraine, yesterday we saw the EU member states, the UK, the US, and allies all confirming and condemning Russia for conducting malicious cyber activity against Ukraine. And they were particularly focused on the satellite KA-SAT network operated by Viasat that was attacked an hour before Russia's invasion of Ukraine. Part of the concern, in addition to the attack on Ukraine, is that it also disrupted wind farms and internet users in Central Europe. There were tens of thousands of terminals damaged, made inoperable, and they just can't be repaired. This move exacerbated existing concerns that cyberattacks targeting Ukraine, including its critical infrastructure, are spilling over into other countries and could cause systemic effects putting citizens and other countries at risk. In various meetings yesterday, we had different senior people condemning the actions. There was US Secretary of State Antony Blinken, blaming Russian military hackers for a whole series of data-wiping attacks on Ukrainian government agencies and companies prior to the invasion of Ukraine, and significant DDoS attacks, wiper activity, and various other cyberattacks keeping Ukraine busy since then. The other concern is that any malware tools deployed in Ukraine might not stay in Ukraine, even accidentally, as we saw with NotPetya. Once you set these things out into the wild, you don't know what's going to happen to them. Again, the EU, the UK, the US and allies announced that they're considering further unspecified steps to prevent, discourage, deter, and respond to this malicious activity in cyberspace. We also got some more details on what had been done previously with the US Agency for International Development, saying how they've been providing hands-on support to Ukrainian government agencies and critical infrastructure.
That was including the FBI briefing Ukrainian officials about Russian intelligence services' hacking operations, and receiving leads themselves on cyberthreats for the FBI to investigate. It was a ramping up of a 38 million cybersecurity reform program from USAID to strengthen Ukraine's cybersecurity and its legal regulatory environment. They embedded 20+ technical experts, this was from back in 2020, and improving their cyber response and recovery. Other people affected by the fallout of this whole war include Russian-linked products and services providers, such as Kaspersky, with the UK and the US advising individuals and organizations to immediately review any use of Russian security products or services, and there are government agencies banned from such use. At yesterday's CYBERUK conference in Wales, Jeremy Fleming, the director of Britain's GCHQ, noted that despite the absence of a cyber blitzkrieg in Ukraine, there has been plenty of cyber activity around that has been attributed to Ukraine. He also confirmed the spillover activity into other countries and affecting other countries, saying that GCHQ have seen evidence of Russia's cyber operatives continuing to look for targets in countries that oppose their actions. Of course, the whole issue has been blurred as well by hacktivists supporting either side, making attribution of attacks difficult, with Russia-based ransomware gangs supporting Russia and the Anonymous collective supporting Ukraine. This is a strange positive knock-on effect of the war. Rob Joyce, director of the US National Security Agency's Cybersecurity Directorate, told delegates there's been a reduction in the number of ransomware attacks in the last month or two. And he was suggesting that as the sanctions have increased, it's made it harder to move money. Ironically, Rashmi was saying it was Ukraine that got out; it was Korea that effectively was the impetus for that move. But it's become harder to buy infrastructure in the West.
That's made it less effective for the attacks. As Matt was saying, that doesn't mean that the ransomware gangs are going away. And as we mentioned, Conti has done 50 attacks in April, including the huge one on Costa Rica. The threat of cyber retaliation beyond Ukraine hasn't gone away. As we saw with Russia, its big error was underestimating its opponent. We shouldn't underestimate Russia's ability. Many are suggesting that we haven't actually seen Russia's A-game in cyber, because it's using it more as a deterrent effect. And if it actually uses it, then that deterrent effect is kind of gone.
Delaney: Great overview, Tony. Certainly, any organization and critical infrastructure have got their hands full at the moment. Do we have any ideas as to whether or how the CISA campaign—the Shields Up campaign—has done? Have organizations listened and put their shields up?
Morbin: I think that it's kind of preaching to the choir: those who are good have done more and got better. Those who are less aware aren't listening. There have been definite improvements in critical infrastructure. The people who are listening, you know that there have been some really good things. But supply chains mean that you have to get further down your chain, and so supply chains will be the weak link in that.
Schwartz: At the CYBERUK conference yesterday, Abigail Bradshaw, who leads Australia's cybersecurity agency, noted seeing a big increase in companies not just requesting briefings to their board, but that the briefers stick around for when the chief security officer briefs the board. The Australian cybersecurity officials stuck around to give them feedback on the quality of their controls. She said, at least at some organizations, the business resilience and planning and incident response discussion was far elevated from what she saw even just a year or two ago. So that's good news.
Delaney: Finally, some good news. I think we'll be continuing all of these conversations down the line for sure. A final question to you all. We are nearly half a year into this year 2022. Looking back over the past nearly six months, give me one word to describe what this year has been in cybersecurity. Busy?
Morbin: Explosive rather than busy.
Delaney: Explosive, dynamic.
Schwartz: Surprising, not least with the Russia-Ukraine war. It just continues to surprise me.
Ramesh: Yeah, I would probably say unprecedented.
Delaney: That's been a word for a while now. But it applies this year as well. Thank you for that, those gut instincts. No one said it was pleasant, jolly, calming. We must be doing something wrong. Thank you very much, Matt, Tony, Rashmi. Always a pleasure.
Schwartz: Thanks, Anna. Enjoy the Eye!
Morbin: Thank you, Anna.
Delaney: Take care. Thank you very much for watching.