Let me take you back a week or so. In the early days of what we can only describe as a human tragedy of massive proportions unfolding in Eastern Europe, a number of hacking groups began to declare their support for one side or the other of the conflict. Anonymous, for example, declared against Russia. Conti, the most prolific and rapacious ransomware group in existence, did the opposite.
Within days, gigabytes of Conti’s chat logs and tactics, techniques and procedures started to leak. It’s still unclear whether they were hacked, or whether the leaks were an inside job by members who hold a different view of the conflict from their leaders (who are no doubt right now asking how they were ‘pwned’ so quickly!). What is clear, however, is that the leaked data is a treasure trove of intelligence for cyber-defenders around the world.
A number of folk have been working through the data – here are some of the highlights available in the public domain:
- Talos (Cisco Talos Intelligence Group, “Translated: Talos' insights from the recently leaked Conti ransomware playbook”) translated one of the group’s operational playbooks. It’s clear that Conti make extensive use of Cobalt Strike, and also invest a great deal of time in reconnaissance. Talos have included the translated link at the bottom of their blog (https://talosintelligence.com/resources/269) – it’s worth a read, particularly the part about how Conti use AD data to interpret their targets’ organisational structure and determine whose credentials to steal as part of their lateral movement.
- Brian Krebs (Krebs on Security) has written a three-part summary of the data which is, in typical Krebs fashion, excellent. Part 3, where he talks about weaponry, is worth a read, particularly in relation to Conti’s tactics around companies with insurance coverage in place. However, Part 2 is probably the highlight of Krebs’ analysis. In it, he runs through the organisational structure and procedures by which Conti manage themselves. It covers Conti’s version of ‘follow the sun’, as well as the (rather small) salaries they pay their employees.
- A number of cyber-folk on Twitter have also done their own analysis of the Conti data – Marcus Hutchins (of WannaCry fame, @MalwareTechBlog) has done a great job, as has Emilio Gonzalez (@res260). Marcus talks about some of the tactics Conti use to drive the double extortion outcome home, including allegedly having an unnamed journalist on the payroll. Emilio covers quite a lot in his tweets – including how Conti bought tools like Carbon Black and SonicWall to help further develop their toolsets. He also picked up a really interesting comment in a chat between members of the group: “where there is no Trend Micro, everything is ok” (émilio Gonzalez on Twitter: "hey @TrendMicro you seem to have quite a reputation in the conti group, you should be proud!" https://t.co/xGU8nL9iFm)… I suspect the folk at Trend will see this endorsement as even more important than Gartner!
A number of other extremely good threat intelligence firms have also produced their own analysis of the Conti data (well worth accessing if you are able to do so via a paid subscription – there are a few I’d recommend if folk are interested in knowing more).
The best cyber defenders out there know how to think like an attacker and use this knowledge to continuously harden and improve their cyber posture. Wars like the one playing out in Ukraine rarely result in good outcomes – hopefully one small positive among many negatives is that the cyber-intelligence that became available this week will help organisations the world over to make themselves less susceptible to being exploited by malicious actors well into the future.
Manager Cyberspace Operations
2 years
Great summary Dirk.