{"id":18545,"date":"2022-03-19T10:45:05","date_gmt":"2022-03-19T18:45:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/19\/news-12278\/"},"modified":"2022-03-19T10:45:05","modified_gmt":"2022-03-19T18:45:05","slug":"news-12278","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/19\/news-12278\/","title":{"rendered":"Conti Leaks Reveal the Ransomware Group\u2019s Links to Russia"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62341097db39095ba1184ff2\/master\/pass\/security-conti-putin.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Fri, 18 Mar 2022 11:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">For years, Russia\u2019s<\/span> cybercrime groups have acted with relative impunity. 
The Kremlin and local law enforcement have <a data-offer-url=\"https:\/\/carnegieendowment.org\/2018\/02\/02\/why-russian-government-turns-blind-eye-to-cybercriminals-pub-75499\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/carnegieendowment.org\/2018\/02\/02\/why-russian-government-turns-blind-eye-to-cybercriminals-pub-75499&quot;}\" href=\"https:\/\/carnegieendowment.org\/2018\/02\/02\/why-russian-government-turns-blind-eye-to-cybercriminals-pub-75499\" rel=\"nofollow noopener\" target=\"_blank\">largely turned a blind eye<\/a> to disruptive ransomware attacks as long as they <a data-offer-url=\"https:\/\/www.nbcnews.com\/tech\/security\/kremlin-provides-safe-harbor-ransomware-rcna699\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nbcnews.com\/tech\/security\/kremlin-provides-safe-harbor-ransomware-rcna699&quot;}\" href=\"https:\/\/www.nbcnews.com\/tech\/security\/kremlin-provides-safe-harbor-ransomware-rcna699\" rel=\"nofollow noopener\" target=\"_blank\">didn\u2019t target Russian companies<\/a>. Despite direct pressure on Vladimir Putin to <a data-offer-url=\"https:\/\/www.reuters.com\/technology\/biden-pressed-putin-call-act-ransomware-attacks-white-house-2021-07-09\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.reuters.com\/technology\/biden-pressed-putin-call-act-ransomware-attacks-white-house-2021-07-09\/&quot;}\" href=\"https:\/\/www.reuters.com\/technology\/biden-pressed-putin-call-act-ransomware-attacks-white-house-2021-07-09\/\" rel=\"nofollow noopener\" target=\"_blank\">tackle<\/a> ransomware groups, they\u2019re still intimately tied to Russia\u2019s interests. 
A recent leak from one of the most notorious such groups provides a glimpse into the nature of those ties\u2014and just how tenuous they may be.<\/p>\n<p class=\"paywall\">A cache of <a href=\"https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\/\">60,000 leaked chat messages and files<\/a> from the notorious Conti ransomware group provides glimpses of how the criminal gang is well connected within Russia. The documents, reviewed by WIRED and first published online at the end of February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, show how Conti operates on a daily basis and its <a href=\"https:\/\/www.wired.com\/story\/conti-ransomware-crypto-payments\/\">crypto ambitions<\/a>. They likely further reveal how Conti members have connections to the Federal Security Service (FSB) and an acute awareness of the operations of <a href=\"https:\/\/www.wired.com\/story\/sandworm-kremlin-most-dangerous-hackers\/\">Russia&#x27;s government-backed military hackers<\/a>.<\/p>\n<p class=\"paywall\">As the world was struggling to come to grips with the Covid-19 pandemic\u2019s outbreak and early waves in July 2020, cybercriminals around the world turned their attention to the health crisis. On July 16 of that year, the governments of the UK, US, and Canada <a href=\"https:\/\/www.wired.co.uk\/article\/russia-hack-coronavirus-vaccine\">publicly called out Russia\u2019s state-backed military hackers<\/a> for trying to steal intellectual property related to the earliest vaccine candidates. 
The hacking group <a href=\"https:\/\/www.wired.com\/story\/cozy-bear-dukes-russian-hackers-new-tricks\/\">Cozy Bear<\/a>, also known as Advanced Persistent Threat 29 (APT29), was attacking pharma businesses and universities using altered malware and known vulnerabilities, the three governments said.<\/p>\n<p class=\"paywall\">Days later, Conti\u2019s leaders talked about Cozy Bear\u2019s work and referenced its ransomware attacks. Stern, the CEO-like figure of Conti, and Professor, another senior gang member, talked about setting up a specific office for \u201cgovernment topics.\u201d The details were <a href=\"https:\/\/www.wired.com\/story\/trickbot-malware-group-internal-messages\/\">first reported by WIRED in February<\/a> but are also included in the wider Conti leaks. In the same conversation, Stern said they had someone \u201cexternally\u201d who paid the group (although it is not stated what for) and discussed taking over targets from the source. \u201cThey want a lot about Covid at the moment,\u201d Professor said to Stern. \u201cThe cozy bears are already working their way down the list.\u201d<\/p>\n<p class=\"paywall\">\u201cThey reference the setting up of some long-term project and seemingly throw out this idea that they [the external party] would help in the future,\u201d says Kimberly Goody, director of cybercrime analysis at the security firm Mandiant. \u201cWe believe that&#x27;s a reference to if law enforcement actions would be taken against them, that this external party may be able to help them with that.\u201d Goody points out that the group also mentions Liteyny Avenue in St. 
Petersburg\u2014the home to <a data-offer-url=\"http:\/\/www.encspb.ru\/object\/2804003069;jsessionid=52F355A5014CB3E3C880A4763C7DFEC2?lc=en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;http:\/\/www.encspb.ru\/object\/2804003069;jsessionid=52F355A5014CB3E3C880A4763C7DFEC2?lc=en&quot;}\" href=\"http:\/\/www.encspb.ru\/object\/2804003069;jsessionid=52F355A5014CB3E3C880A4763C7DFEC2?lc=en\" rel=\"nofollow noopener\" target=\"_blank\">local FSB offices<\/a>.<\/p>\n<p class=\"paywall\">While evidence of Conti\u2019s direct ties to the Russian government remains elusive, the gang\u2019s activities continue to fall in line with national interests. \u201cThe impression from the leaked chats is that the leaders of Conti understood that they were allowed to operate as long as they followed unspoken guidelines from the Russian government,\u201d says Allan Liska, an analyst for the security firm Recorded Future. \u201cThere appeared to have been at least some lines of communication between the Russian government and Conti leadership.\u201d<\/p>\n<p class=\"paywall\">In April 2021, Mango, a key Conti manager who helps organize the group, asked Professor: \u201cDo we work on politics?\u201d When the Professor asked for more information, 
Mango shared chat messages they had with one person using the handle JohnyBoy77\u2014all the members of the gang use monikers to help hide their identities. The pair were discussing people who \u201cwork against the Russian Federation\u201d and the potential interception of information about them. JohnyBoy77 asked whether the Conti members could access data of someone linked to Bellingcat, the open source investigative journalists who have exposed <a href=\"https:\/\/www.wired.com\/story\/roman-dobrokhotov-insider-russia-gru-bellingcat\/\">Russian hackers<\/a> and <a data-offer-url=\"https:\/\/www.google.com\/search?q=wired.com+bellingcat&amp;oq=wired.com+bellingcat&amp;aqs=chrome.0.69i59.2042j0j1&amp;sourceid=chrome&amp;ie=UTF-8\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.google.com\/search?q=wired.com+bellingcat&amp;oq=wired.com+bellingcat&amp;aqs=chrome.0.69i59.2042j0j1&amp;sourceid=chrome&amp;ie=UTF-8&quot;}\" href=\"https:\/\/www.google.com\/search?q=wired.com+bellingcat&amp;oq=wired.com+bellingcat&amp;aqs=chrome.0.69i59.2042j0j1&amp;sourceid=chrome&amp;ie=UTF-8\" rel=\"nofollow noopener\" target=\"_blank\">secret networks of assassins<\/a>.<\/p>\n<p class=\"paywall\">In particular, JohnyBoy77 wanted information linked to Bellingcat\u2019s investigation into the poisoning of Russian opposition leader <a data-offer-url=\"https:\/\/www.bellingcat.com\/news\/uk-and-europe\/2020\/12\/14\/fsb-team-of-chemical-weapon-experts-implicated-in-alexey-navalny-novichok-poisoning\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bellingcat.com\/news\/uk-and-europe\/2020\/12\/14\/fsb-team-of-chemical-weapon-experts-implicated-in-alexey-navalny-novichok-poisoning\/&quot;}\" 
href=\"https:\/\/www.bellingcat.com\/news\/uk-and-europe\/2020\/12\/14\/fsb-team-of-chemical-weapon-experts-implicated-in-alexey-navalny-novichok-poisoning\/\" rel=\"nofollow noopener\" target=\"_blank\">Alexey Navalny<\/a>. They asked about Bellingcat\u2019s files on Navalny, referenced access to passwords of a Bellingcat member, and mentioned the FSB. In response to the Conti conversations, Bellingcat\u2019s executive director, Christo Grozev, <a data-offer-url=\"https:\/\/twitter.com\/christogrozev\/status\/1498388095582019589\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/christogrozev\/status\/1498388095582019589&quot;}\" href=\"https:\/\/twitter.com\/christogrozev\/status\/1498388095582019589\" rel=\"nofollow noopener\" target=\"_blank\">tweeted that the group<\/a> had previously received a tip that the FSB had been speaking with a cybercrime group about hacking its contributors. \u201cI mean, are we patriots or what?\u201d Mango asked Professor about the files. \u201cOf course we are patriots,\u201d they replied.<\/p>\n<p class=\"paywall\">Russian patriotism is constant throughout the Conti group, which has many of its members based in the country. However, the group is international in its scope, has members in Ukraine and Belarus, and has <a data-offer-url=\"https:\/\/krebsonsecurity.com\/2021\/06\/how-does-one-get-hired-by-a-top-cybercrime-gang\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/krebsonsecurity.com\/2021\/06\/how-does-one-get-hired-by-a-top-cybercrime-gang\/&quot;}\" href=\"https:\/\/krebsonsecurity.com\/2021\/06\/how-does-one-get-hired-by-a-top-cybercrime-gang\/\" rel=\"nofollow noopener\" target=\"_blank\">links to members farther afield<\/a>. 
Not all of the group agree with Russia\u2019s invasion of Ukraine, and members have <a data-offer-url=\"https:\/\/theintercept.com\/2022\/03\/14\/russia-ukraine-conti-russian-hackers\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/theintercept.com\/2022\/03\/14\/russia-ukraine-conti-russian-hackers\/&quot;}\" href=\"https:\/\/theintercept.com\/2022\/03\/14\/russia-ukraine-conti-russian-hackers\/\" rel=\"nofollow noopener\" target=\"_blank\">discussed the war<\/a>. \u201cWith the globalization of these ransomware groups, just because Conti leadership aligned well with Russian politics does not mean that the affiliates felt the same way,\u201d Liska says. In one series of conversations dating back to August 2021, Spoon and Mango chatted about their experiences in Crimea. Russia invaded Crimea and annexed the region from Ukraine in 2014, a move that Western leaders say they <a data-offer-url=\"https:\/\/www.bbc.co.uk\/news\/uk-60745961\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bbc.co.uk\/news\/uk-60745961&quot;}\" href=\"https:\/\/www.bbc.co.uk\/news\/uk-60745961\" rel=\"nofollow noopener\" target=\"_blank\">should have done more to stop<\/a>. The area was beautiful, they said, but Spoon hadn\u2019t visited for 10 years. \u201cI&#x27;ll have to go and check it out next year,\u201d Spoon said. \u201cRussian Crimea.\u201d<\/p>\n<p class=\"paywall\">While members of the group reference Russian interests or government agencies, it&#x27;s unlikely they are working on behalf of officials. Senior members of Conti may have contacts, but rank-and-file coders and programmers aren\u2019t likely to be as well connected. 
\u201cI think it&#x27;s really a more limited subset of actors that actually might have those direct relationships, rather than group operations in its entirety,\u201d Goody says.<\/p>\n<p class=\"paywall\">Since Conti\u2019s internal files were published on February 27 and 28, the group has continued to work. \u201cThey definitely reacted,\u201d says J\u00e9r\u00f4me Segura, director of threat intelligence at the security firm Malwarebytes. \u201cYou can see from the chats that they were closing some stuff and switching to private chats. But it was really business as usual.\u201d The group has continued to post the names and files of ransomware victims on its website in the weeks since the leak.<\/p>\n<p class=\"paywall\">Conti\u2019s hacking continues despite security researchers using the details in the Conti leaks to potentially name the group\u2019s individual members. The greater threat to the group, however, could come from Russia\u2019s government itself. On January 14, Russia took its most significant action yet against a ransomware gang. The <a href=\"https:\/\/www.wired.com\/story\/russia-revil-ransomware-arrests-ukraine\/\">FSB arrested 14 members of the REvil group<\/a> after tip-offs from US officials, although the group had largely been dormant for several months. \u201cAction will be taken if the Russian authorities feel the leaders of Conti have outlived their usefulness, but if Conti is able to continue on or if they are able to rebrand, there will likely be no action,\u201d Liska predicts. \u201cIf action is taken, it will likely be similar to the action taken against members of REvil, with a series of showy arrests, only to quietly release most of those arrested a month or so later.\u201d<\/p>\n<p class=\"paywall\">It\u2019s unclear whether authorities will take similar actions against Conti members. But they have been paranoid even before their details were leaked. In November 2021, Conti member Kagas sent a flustered message to Stern. 
\u201cIt seemed to us that we were being followed, as unfamiliar cars were standing in the yard, two bodies were sitting in the car,\u201d they wrote. Kagas referenced a court case and that they would stop working until it was over. \u201cLawyers say that until the 13th it is better to sit quietly and do nothing,\u201d Kagas said. \u201cLive an ordinary life. And then we&#x27;ll see what happens.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/conti-ransomware-russia\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62341097db39095ba1184ff2\/master\/pass\/security-conti-putin.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Fri, 18 Mar 2022 11:00:00 +0000<\/strong><\/p>\n<p>Members of the Conti ransomware group may act in Russia\u2019s interest, but their links to the FSB and Cozy Bear hackers appear ad hoc.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18545","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=
18545"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18545\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}