Friday 16th September 2022

IntSum – Week 37 | 12th – 16th September 2022

Key Issue: Former Conti affiliates target Ukrainian organisations
Cybercriminals: Cybercriminals employ new techniques to enhance operations
Nation-State: Nation-state actors continue to exploit critical vulnerabilities



Former Conti affiliates target Ukrainian organisations

This week we reported on the operations of the Russian threat group UAC-0098. The group previously operated as an initial access broker for ransomware groups including Quantum and FIN12, but has now shifted to primarily targeting Ukrainian organisations.

UAC-0098 has experimented with an array of different tactics, techniques and procedures (TTPs), tooling and lures across its phishing campaigns, and several of its techniques overlap with those of the now defunct ransomware group Conti. In particular, shared code in the group's Cobalt Strike and IcedID payloads indicates that both were processed by the same crypting service developed by Conti.

As UAC-0098's latest campaign follows earlier phishing operations against the Ukrainian government that began after the Russian invasion in February 2022, the group appears to be driven by the Kremlin's political intelligence requirements in support of its ongoing military operations. UAC-0098's operations, assisted by Conti know-how, also demonstrate the blurring of lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests. It further reaffirms the trend of adversaries continually developing methods to lend legitimacy to phishing emails by impersonating known and trusted sources.

