Effective URL: https://www.wired.com/story/conti-ransomware-russia/
Matt Burgess

Security
Mar 18, 2022 7:00 AM


LEAKED RANSOMWARE DOCS SHOW CONTI HELPING PUTIN FROM THE SHADOWS

Members of the hacker gang may act in Russia’s interest, but their links to the
FSB and Cozy Bear hackers appear ad hoc.
Illustration: WIRED; Getty Images

 * Facebook
 * Twitter
 * Email
 * Save Story
   Save this story for later.



For years, Russia’s cybercrime groups have acted with relative impunity. The
Kremlin and local law enforcement have largely turned a blind eye to disruptive
ransomware attacks as long as they didn’t target Russian companies. Despite
direct pressure on Vladimir Putin to tackle ransomware groups, they’re still
intimately tied to Russia’s interests. A recent leak from one of the most
notorious such groups provides a glimpse into the nature of those ties—and just
how tenuous they may be.

A cache of 60,000 leaked chat messages and files from the notorious Conti
ransomware group provides glimpses of how the criminal gang is well connected
within Russia. The documents, reviewed by WIRED and first published online at
the end of February by an anonymous Ukrainian cybersecurity researcher who
infiltrated the group, show how Conti operates on a daily basis and its crypto
ambitions. They likely further reveal how Conti members have connections to the
Federal Security Service (FSB) and an acute awareness of the operations of
Russia's government-backed military hackers.

As the world was struggling to come to grips with the Covid-19 pandemic’s
outbreak and early waves in July 2020, cybercriminals around the world turned
their attention to the health crisis. On July 16 of that year, the governments
of the UK, US, and Canada publicly called out Russia’s state-backed military
hackers for trying to steal intellectual property related to the earliest
vaccine candidates. The hacking group Cozy Bear, also known as Advanced
Persistent Threat 29 (APT29), was attacking pharma businesses and universities
using altered malware and known vulnerabilities, the three governments said.

“It seemed to us that we were being followed, as unfamiliar cars were standing
in the yard, two bodies were sitting in the car.”

Kagas, a Conti member, in a leaked chat

Days later, Conti’s leaders talked about Cozy Bear’s work and referenced its
ransomware attacks. Stern, the CEO-like figure of Conti, and Professor, another
senior gang member, talked about setting up a specific office for “government
topics.” The details were first reported by WIRED in February but are also
included in the wider Conti leaks. In the same conversation, Stern said they had
someone “externally” who paid the group (although it is not stated what for) and
discussed taking over targets from the source. “They want a lot about Covid at
the moment,” Professor said to Stern. “The cozy bears are already working their
way down the list.”



“They reference the setting up of some long-term project and seemingly throw out
this idea that they [the external party] would help in the future,” says
Kimberly Goody, director of cybercrime analysis at the security firm Mandiant.
“We believe that's a reference to if law enforcement actions would be taken
against them, that this external party may be able to help them with that.”
Goody points out that the group also mentions Liteyny Avenue in St.
Petersburg—the home to local FSB offices.



While evidence of Conti’s direct ties to the Russian government remains elusive,
the gang’s activities continue to fall in line with national interests. “The
impression from the leaked chats is that the leaders of Conti understood that
they were allowed to operate as long as they followed unspoken guidelines from
the Russian government,” says Allan Liska, an analyst for the security firm
Recorded Future. “There appeared to have been at least some lines of
communication between the Russian government and Conti leadership.”

In April 2021, Mango, a key Conti manager who helps organize the group, asked
Professor: “Do we work on politics?” When the Professor asked for more
information, Mango shared chat messages they had with one person using the
handle JohnyBoy77—all the members of the gang use monikers to help hide their
identities. The pair were discussing people who “work against the Russian
Federation” and the potential interception of information about them. JohnyBoy77
asked whether the Conti members could access data of someone linked to
Bellingcat, the open source investigative journalists who have exposed Russian
hackers and secret networks of assassins.

In particular, JohnyBoy77 wanted information linked to Bellingcat’s
investigation into the poisoning of Russian opposition leader Alexey Navalny.
They asked about Bellingcat’s files on Navalny, referenced access to passwords
of a Bellingcat member, and mentioned the FSB. In response to the Conti
conversations, Bellingcat’s executive director, Christo Grozev, tweeted that
the group had previously received a tip that the FSB had been speaking with a
cybercrime group about hacking its contributors. “I mean, are we patriots or
what?” Mango asked Professor about the files. “Of course we are patriots,” they
replied.



Russian patriotism is constant throughout the Conti group, which has many of its
members based in the country. However, the group is international in its scope,
has members in Ukraine and Belarus, and has links to members farther afield. Not
all of the group agree with Russia’s invasion of Ukraine, and members have
discussed the war. “With the globalization of these ransomware groups, just
because Conti leadership aligned well with Russian politics does not mean that
the affiliates felt the same way,” Liska says. In one series of conversations
dating back to August 2021, Spoon and Mango chatted about their experiences in
Crimea. Russia invaded Crimea and annexed the region from Ukraine in 2014, a
move that Western leaders say they should have done more to stop. The area was
beautiful, they said, but Spoon hadn’t visited for 10 years. “I'll have to go
and check it out next year,” Spoon said. “Russian Crimea.”

While members of the group reference Russian interests or government agencies,
it's unlikely they are working on behalf of officials. Senior members of Conti
may have contacts, but rank-and-file coders and programmers aren’t likely to be
as well connected. “I think it's really a more limited subset of actors that
actually might have those direct relationships, rather than group operations in
its entirety,” Goody says.



Since Conti’s internal files were published on February 27 and 28, the group has
continued to work. “They definitely reacted,” says Jérôme Segura, director of
threat intelligence at the security firm Malwarebytes. “You can see from the
chats that they were closing some stuff and switching to private chats. But it
was really business as usual.” The group has continued to post the names and
files of ransomware victims on its website in the weeks since the leak.

Conti’s hacking continues despite security researchers using the details in the
Conti leaks to potentially name the group’s individual members. The greater
threat to the group, however, could come from Russia’s government itself. On
January 14, Russia took its most significant action yet against a ransomware
gang. The FSB arrested 14 members of the REvil group after tip-offs from US
officials, although the group had largely been dormant for several months.
“Action will be taken if the Russian authorities feel the leaders of Conti have
outlived their usefulness, but if Conti is able to continue on or if they are
able to rebrand, there will likely be no action,” Liska predicts. “If action is
taken, it will likely be similar to the action taken against members of REvil,
with a series of showy arrests, only to quietly release most of those arrested a
month or so later.”

It’s unclear whether authorities will take similar actions against Conti
members. But they have been paranoid even before their details were leaked. In
November 2021, Conti member Kagas sent a flustered message to Stern. “It seemed
to us that we were being followed, as unfamiliar cars were standing in the yard,
two bodies were sitting in the car,” they wrote. Kagas referenced a court case
and that they would stop working until it was over. “Lawyers say that until the
13th it is better to sit quietly and do nothing,” Kagas said. “Live an ordinary
life. And then we'll see what happens.”

Matt Burgess is a senior writer at WIRED focused on information security,
privacy, and data regulation in Europe. He graduated from the University of
Sheffield with a degree in journalism and now lives in London. Send tips to
Matt_Burgess@wired.com.
Topics: hacking, Russia, security, cybersecurity