IntSum – Week 37 | 12th – 16th September 2022

Key Issue: Former Conti affiliates target Ukrainian organisations
Cybercriminals: Cybercriminals employ new techniques to enhance operations
Nation-State: Nation-state actors continue to exploit critical vulnerabilities

KEY ISSUE EXPLAINED

Former Conti affiliates target Ukrainian organisations

This week we reported on the operations of the Russian threat group UAC-0098. The group previously operated as an initial access broker for ransomware groups including Quantum and FIN12, but has now shifted to primarily targeting Ukrainian organisations.

UAC-0098 has experimented with an array of different tactics, techniques and procedures (TTPs), tooling and lures across its phishing campaigns, and several of its techniques overlap with those of the now defunct ransomware group Conti. In particular, the Cobalt Strike payload and the IcedID malware share code that indicates both were packed with the same crypter, a service built and used by Conti.

UAC-0098's latest campaign follows earlier phishing operations against the Ukrainian government since the Russian invasion in February 2022, which suggests that the group is driven by the Kremlin's political intelligence requirements in support of its ongoing military operations. UAC-0098's operations, assisted by Conti know-how, also demonstrate the blurring of lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests. It also reaffirms the trend of adversaries continually developing methods to make phishing emails appear legitimate by impersonating known and trusted sources.
