The retraining of these cybercriminals will come as no surprise. Google’s cyberthreat experts have just observed a significant movement of former members of Conti, the highly active ransomware gang that exploded mid-flight after internal exchanges were leaked amid dissension over the war in Ukraine. More specifically, it is the group referred to as UAC-0098 by security researchers, known for having used, for example, the banking Trojan IcedID.
According to Google’s Threat Analysis Group, these cybercriminals specializing in the penetration of computer networks for the benefit of ransomware operators such as Conti or Quantum indeed turned their computer weapons towards Ukrainian targets in the spring.
Goal alignment
Consider an example, for Google, of the retraining of cybercriminals towards activities “closely aligned with the Russian government”. For researchers from the Mountain View giant, these attacks show the porosity in Eastern Europe between cybercrime and offensive computer actions of state origin.
At the end of April, Google specialists first noticed a first phishing campaign by e-mail. Then cybercriminals were caught targeting Ukrainian hotels posing as Ukrainian cyberpolice.
Similarly, in May, they tried to make their interlocutors believe that they worked for Starlink, this satellite communication system which was extended by billionaire Elon Musk to Ukraine after the Russian invasion. In another campaign, this time it was the identity of the Ukrainian tax service that had been usurped.
Latest examples developed by Google: cybercriminals would have targeted humanitarian NGOs in Italy or the Ukrainian Press Academy.