Russia's invasion of Ukraine tears open political rift between cybercriminals
Is the West OK when the gun points the other way?
Cybercriminals are taking sides over Russia's deadly invasion of Ukraine, putting either the West or Moscow in their sights, according to Accenture.
The consultancy giant's Cyber Threat Intelligence team, which tracks illicit dark-web activity, said in a report [PDF] dated Monday that this is the first time it has witnessed "financially motivated threat actors divided along ideological factions."
These crooks, who typically act opportunistically to extort large sums of money from victims via ransomware, are either backing or opposing President Putin's war on Ukraine, and selecting their targets along those lines, we're told.
"Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors and are increasingly attempting to target Russian entities in support of Ukraine," Accenture claimed.
"However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting 'enemies of Russia,' especially Western entities due to their claims of Western warmongering."
Some of these gangs are selling access to compromised networks, and other nefarious services, exclusively to Kremlin-linked miscreants and sympathetic entities, we're told. Related to that, specific sectors in the West face a higher risk of attack. "The targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations' importance as critical national infrastructure," according to Accenture.
These political divides played out in the Conti leak. After the notorious ransomware group announced its unwavering support for President Vladimir Putin and his occupation of Ukraine, plus its intent to use "all possible resources to strike back" should anyone launch a cyberattack against Russia, the crew suffered a security breach of its own.
A Ukrainian security specialist stole and leaked Conti's source code, chat logs, and tons of other sensitive data about the gang's operations, tools, and costs.
LockBit, another pro-Russian ransomware gang, learned from Conti's misfortune and quickly retracted its Kremlin support, claiming apolitical neutrality. A note posted to the group's Tor-hidden blog stated: "We are only interested in money."
- Viasat, Rosneft hit by cyberattacks as Ukraine war spills online
- Analysis of leaked Conti files blows lid off ransomware gang
- Dunno about you, but we're seeing an 800% increase in cyberattacks, says one MSP
- Here's why prolonged Russia-Ukraine war would be really bad for us, say chip designers
However, this shift in motivations means criminal groups are, if not already, actively eyeing up Western critical infrastructure, Accenture reported. These types of targets have moved from "low-medium" priority to becoming the focus of targeted ransomware campaigns, the authors wrote. The team said it "observed multiple actors specifically stating desires to target Western critical infrastructure to support Russia."
Conti is one of these, and it's worth noting that last week several US agencies – CISA, the FBI, the NSA, and the Secret Service – posted a joint advisory warning that "Conti cyber-threat actors remain active and reported Conti ransomware attacks against US and international organizations have risen to more than 1,000."
Also noteworthy: Accenture found miscreants are paying more for specialized malware. The team said it has "has seen some of the biggest and seemingly ever-rising budgets for custom malware and exploits by these actors, with some actors like Integra and FlawlessMarble having budgets of $5m to $10m, allowing them to acquire almost any tool or exploit desired."
"We're also seeing budgets up to $500,000 for actors seeking network access," Accenture added.
Cyberattacks outside of Ukraine
Meanwhile, Mandiant (soon to be absorbed by Google Cloud) cautioned that while Ukraine remains a target for destructive cyberattacks, US and EU sectors face a "moderate-high" risk of attack from Kremlin-aligned miscreants.
Palo Alto Networks sounded a similar drumbeat. Its Unit 42 threat intelligence team also expects Russian-backed cyberattacks to spread beyond Ukraine.
And fresh Check Point analysis indicates this spread may have begun. According to the security shop's threat research group, cyberattacks against government and military organizations globally has increased 21 percent since the Russian invasion began. Online attacks on Europe as a whole are up 14 percent, 17 percent for North America, 20 percent for Ukraine, and one percent for Russia, apparently.
It sure is a busy time for cybersecurity vendors. ®