Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear – Malware Analysis

Previous installments of our “Ransom-War” series set the context for Russian cybercriminal/intelligence interaction by showing that Russian ransomware criminals do not operate in a vacuum and that the Russian political context colors everything they do. This helps explain why, in at least some cases, the ransomware actors allow themselves to be coopted for operations in Russia’s hybrid war against Ukraine and the West.

Skeptics of the Natto Team’s “hybrid ransomware” thesis have raised numerous important questions: Can Russian cybercriminals seriously be receiving direct government tasking? If so, how do they communicate? Or are they improvising based on more diffuse “patriotic entrepreneurialism”? If so, how do they know what Putin’s government wants them to do and when? Whether they receive direct instructions or improvise, how could criminals unleash ransomware on short notice? More broadly, how can Russian intelligence services work with such an unruly bunch? Who holds the upper hand? The “Ransom-War” series attempts to answer these questions based on publicly available information.

In the case studies that follow, we seek more granularity on Russian criminal/intelligence interactions in specific operations, asking where the incidents fit on cybersecurity researcher Jason Healey’s “spectrum of state responsibility” for cyber operations (see “Ransom-War” Part 1), and what role they play in Russia’s hybrid warfare against Ukraine and the West.

In this posting, we return to the case of the Conti ransomware group (also known as the Wizard Spider or Trickbot group) and also look at Evil Corp, both of which are known to cooperate with intelligence services. We focus on their real-time mechanisms of interaction with state officials.

  • We find that this cooperation sometimes involves data sharing for espionage and/or hack-and-leak operations.

  • We find a common modus operandi, where criminals perform initial breaches of many machines as part of their regular extortion operations, but then the intelligence agencies piggyback on them for further operations, whether espionage or cyber-enabled information operations.

  • Then we explore these two groups’ relationship with the SVR hacker group Cozy Bear (APT29). In at least one incident, an Evil Corp ransomware attack appears to have been directly connected with the 2020 SolarWinds supply-chain espionage operation, which the US and UK governments have attributed to the SVR. Evidence on that operation unearthed in 2021 by cybersecurity researchers at Prodaft, Truesec and Analyst1 allow us to hypothesize that Evil Corp and the Conti group may indeed play integral roles in the APT29 operating model. 

In subsequent postings we will apply these findings to provide plausible scenarios for real-time criminal/intelligence interaction in other ransomware operations where the relationship is not as clear, such as the 2019 attack on NorskHydro — in which Russian intelligence may have played a role in stimulating the development of destructive ransomware — and the 2021 Colonial Pipeline attack.

Share

A group commonly known as the Conti or Trickbot group or Wizard Spider, and associated with malware families Trickbot, Conti, and Ryuk, is well-known to work with the Russian government, based on leaks that multiple analysts consider to be reliable sources.1 In previous Natto Thoughts postings, we saw that several top group members would solicit paid or unpaid assignments from at least two offices, apparently referring to local offices of Russia’s Foreign Intelligence Service (SVR) and the Federal Security Service (FSB). Group leaders did not share specific information about these government contacts with lower-level group members. This caginess — a good practice for operational security — also created an atmosphere of rumor and intrigue that likely bolstered the group leaders’ cachet.  

Operational security was necessary, as group members did not know how much government protection they could count on. They perceived themselves as navigating between friendly and less-friendly Russian special services, using bribes when necessary to evade punishment. Top member “Silver” assured member “Brooks” in November 2021 chat that the FSB and SVR were likely sympathetic or neutral toward the group, but that the MVD (Russia’s police force) might harass them, because the Russian police “have been bought, lock stock and barrel, by the Amers (Americans)….and they work on the side as private detectives, suckling at the breast of the American special services (на подсосе у амерских).” (Recall that this was during a period of ostensible cooperation between US and Russian law enforcement).  Silver noted, however, that a well-priced bribe can mollify even the police: he told Brooks that, if called in for questioning, “You need to resolve the question right there; the price tag will be about 10-50k,” with “k” presumably referring to thousands of rubles.

The government sponsors appear to have given the group specific wish-lists or guidance for the group’s targeting. In July 2020, group member “professor” said his paying contacts in the SVR “really want COVID-related (things) right now, (по ковиду они хотят щас очень)” likely referring to information on vaccine development or on target countries’ failed responses to the pandemic. Conti group also spied on members of the Bellingcat investigations network, apparently on FSB request.

The group’s modus operandi fits our definition of a hybrid ransomware operation; government clients piggybacked off of the crime group’s financially motivated everyday work of breaching systems. “Professor” reported in 2020 that Cozy Bears (Apt29) operatives were looking through a list of some kind. They may have been looking through a roster of entities that Conti operatives had compromised, in order to identify targets for deeper CozyBear espionage. As mentioned in Part 1 and Part 2 of the Natto Thoughts “Ransom-War” series, member “Target” planned to set up a whole office “for government topics” (под гос темы) that would go through previously stolen foreign government documents and find ones that would interest potential Russian government sponsors. This resembles how FSB officials worked with Russian cybercriminals to obtain intelligence from a 2014 hack of Yahoo, as detailed in a 2017 US indictment.

Academi Hack, 2020: Espionage assignment and possible hack-and-leak

In one incident reflected in the Conti/Trickbot leaks, group members breached a company with national security significance, then a government sponsor gave them real-time guidance on what information to search for in the victim company’s systems. Although no actual encryption or extortion is known to have occurred, the incident appears to have ended with a hack-and-leak operation. This was a July 2020 breach of US private military company and government contractor Academi (formerly Blackwater), also known as Constellis.

  • On July 15 2020: “Target” boasted to Conti boss “Stern” that Academi and its subsidiaries Triple Canopy, Olive Group Capital Ltd., and Strategic Social LLC, as well as over 30 other military related entities and the US Environmental Protection Agency, had been breached with help from the Maze group. “We (expletive) Academi for almost a year,” Target told another member. The Natto Team has not seen the Russian original of this statement, and the English translation does not clarify whether he meant that the group had worked for almost a year to obtain access to Academi systems and finally managed to do so, or that “we” had been inside Academi’s systems, messing with them, for almost a year.

  • On July 20 2020 Conti member “Professor” asked, “What do we need from Academi? Is it one of the two offices that asked for it?” likely referring to Russian intelligence services offices. Stern said “yes” and indicated that the client wanted to see correspondence, contracts, and bookkeeping information from the breached Academi systems. It was during that conversation that Professor asked whether they would get paid or would “play Pioneers,” and Stern responded, “who cares about money,” after which Professor said he had someone in a foreign-intelligence service who would pay for any interesting information.

  • On July 22 2020 Stern asked member “revers” whether they had exfiltrated data from Academi yet. Revers replied that they needed to wait a few days so the (Academi) administrators would calm down, plus the IDS was very complicated and Revers was “afraid I will fuck it up” and wanted to wait for “prof” before proceeding. 

The Academi breach is not publicly known to have ended in ransomware; the Natto Team could find no public acknowledgements from 2020 of any cyber incidents or data breaches involving Academi or any of its other names.2

However, less than two weeks after these discussions among Conti members, a large trove of data appeared on the website of US-based transparency organization DDoSecrets. On August 3, 2020 DDoSecrets advertised “268 megabytes in 115 files dated 2017 and 2020 from Constellis, a.k.a. Academi, a.k.a. Blackwater.” The entry on DDoSecrets’ website gives no clue as to who sent them the leak. However, the close timing suggests it had something to do with the Maze/Conti breach of that organization.

A possible scenario for this might be as follows: 

  • Conti breached the company with help from the Maze group; 

  • Someone from “the two offices,” likely Russian intelligence agencies, requested certain information from it but did not pay Conti; 

  • Conti did not try to force the organization to pay ransom; 

  • Instead Conti leaked the information on DdoSecrets for free.

The choice of a transparency organization like DDoSecrets points to the political motivation of the operation. Such a public leak was irreversible, so the hackers were apparently not expecting to receive ransom from Academi. Rather, the leak might be expected to undermine the reputation of this controversial3 US military contractor and facilitate further espionage against it by both social activists, investigators, and state-linked people in any country. This brings wider publicity for the ransomware actors, greater risk for the victims of their activity, and national security threats. Ransomware actors Snatch and Clop (Cl0p) would subsequently share stolen date with DDoSecrets.4

This incident overlaps with the phenomenon of state-aligned ransomware actors posing as idealistic hacktivists. The Natto Team and other analysts have explored this overlap between ransomware and pseudo-hacktivism in the past few years. The Academi incident suggests this ransomware/hacktivist overlap began at least by 2020. 

Subscribe now

In Part 3 of the Ransom-War series we pointed to 2016-2017 as the year when Russia’s GRU military intelligence agency spoke of using ransomware to bring down entire countries and experimented with its own pseudo-ransomware attacks on Ukraine. 2017 also appears to be the year when the FSB began experimenting with coopting real ransomware criminals as opposed to fake personas.

Evil Corp (a.k.a. TA505) is a Russian criminal group that developed malware strains including Locky, Dridex, WastedLocker, Hades, SocGholish (FakeUpdate), BitPaymer and others. In 2019 the US Justice Department indicted its leader, Maksim Yakubets (a.k.a. “aqua”), and other group members. The US Treasury Department sanctioned Yakubets and said that he had worked for the FSB since at least 2017 and that, as of April 2018, he had applied for FSB certification to deal with state secrets. Treasury said, “Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.” A reporter for an independent Russian news source also found evidence of Evil Corp as a contractor for the FSB: “One of my sources, who is an ex-FSB officer, told me that he personally tried to enlist some of the guys from Evil Corp to do some work for him.” It may be no coincidence that EvilCorp’s ransomware-as-a-service operation launched in 2017.  

Videos posted on Twitter by the UK’s National Crime Agency on December 5 2019 show the group’s lavish lifestyle

Russian law enforcement had known about Yakubets’ criminal work for many years. Back in 2009 or 2010, Russian FSB agents themselves revealed his identity to the US FBI, according to former FBI agents who worked on the case (minute 23:33 of their podcast), but the FSB did not bring him to justice. Instead, they hired him. This is consistent with Russian intelligence services’ practice of bringing criminals into the station for “prophylactic chats,” telling cybercriminals that the FBI is after them and pressuring them to work for the FSB instead. (The changing motivations and relationships between Russian and US law enforcement are a story in themselves, discussed in “Ransom-War” Part 4b and elsewhere). The FBI would publicly identify “aqua” as Yakubets in 2019.

Yakubets and EvilCorp have not only contractual ties with the FSB but family ties as well. In that same fateful year of 2017, in a lavish wedding, Yakubets married the daughter of a retired FSB official named Eduard Bendersky. Bendersky is a top member of the Vympel Association of Former FSB Spetsnaz Officers. That is the group that recruited contract killer Vadim Krasikov for the famous 2019 assassination of former Chechen insurgent Zelimkhan Khangoshvili in Berlin; Bendersky himself reportedly supervised that operation. Russian President Vladimir Putin apparently valued assassin Krasikov highly; after Germany imprisoned Krasikov, Putin’s representatives engaged in nearly two years of tortuous negotiations over a prisoner swap, eventually agreeing to release numerous dissidents held in Russian prisons in return for Krasikov’s release.  

Personal attraction aside, Yakubets’ marriage to Bendersky’s daughter would have advantages for both sides. Yakubets gained a protector, of the kind discussed in Natto Thoughts posting Ransom-War Part 4a. For his part, Bendersky – who appears to have a line of business in coopting criminals for FSB tasks – gained leverage over FSB. The lavish wedding likely bolstered their street cred in their respective communities.

Connection with SVR-Linked Threat Group APT29: The SilverFish Operation 

Evidence on the specifics of Evil Corp’s work for Russian intelligence services was unearthed in 2021 by cybersecurity researchers at Prodaft, Truesec and Analyst1, who studied the 2020 SolarWinds supply-chain espionage operation, which the US and UK governments have attributed to the SVR, and which Mandiant explicitly linked to SVR-linked threat group APT29 (a.k.a. Cozy Bear). These analysts raise the possibility that Evil Corp and the Conti group may indeed be integral parts of the APT29 operation. 

On March 17 2021 Prodaft reported on a “global cyber-espionage campaign, which has strong ties with the SolarWinds attack, the EvilCorp, and the Trickbot group” and which affected at least 4720 targets. Prodaft refers to this “extremely well-organized cyber-espionage group” as “SilverFish” but refrains from attributing Silverfish activity to APT29 or any one group. The campaign they describe continued in several waves well into 2021, even after the SolarWinds campaign came to public knowledge in December 2020. 

Prodaft went “behind enemy lines” in a SilverFish command and control (C&C) server. They found that SilverFish heavily targeted the US and focused on critical infrastructure entities, mostly in government, defense-related industries or energy but not “universities, small companies or systems which they consider worthless.” Prodaft also discovered links between EvilCorp, the Conti/Trickbot group, and SilverFish: “the same servers were also used by EvilCorp (aka TA505) which modified the TrickBot infrastructure for the purpose of a large scale cyber espionage campaign.” Prodaft argued that SilverFish consisted of “multiple groups with different motives” and used tools and infrastructure “that had been previously attributed to different groups and campaigns such as Trickbot, EvilCorp, SolarWinds, WastedLocker, DarkHydrus, and many more.” 

Prodaft found that SilverFish actors operated during regular weekday working hours and in a hierarchical and compartmentalized environment. 

SilverFish uses a team based workflow model and a triage system similar to modern project management applications like Jira. Whenever a new victim is infected, it is assigned to the current ‘Active Team’ which is pre-selected by the administrator. Each team on the C&C server can only see the victims assigned to them…

During our investigation, we found four different teams (namely 301, 302, 303, 304) who were actively exploiting the victims’ devices. These teams cycle frequently almost every day or every two days…the C&C source code…statically contains nicknames and ID numbers of 14 people who most likely work under the supervision of 4 different teams.

Stockholm-based cybersecurity company Truesec dug deeper into SilverFish’s connection with ransomware group EvilCorp, which Prodaft’s public report had briefly mentioned. According to Truesec, in an October 2020 operation, Evil Corp attackers used a drive-by compromise (in which a target visits a compromised legitimate website and unwittingly downloads malware) to gain access to a major corporation. The EvilCorp actors established “complete control of the victim machine” within hours, suggesting that they “must have been continuously monitoring their C2 servers for new victims and immediately begun manual operations after they were alerted to a new victim.” The threat actors waited a week to do internal reconnaissance and uninstall security software. Then they spent nearly three more weeks gathering data and deleting cloud-based backups before deploying Evil Corp’s Wasted Locker ransomware. The victim company later received an email from a government cyber defense organization, implying that the attack on their system had was associated with the SilverFish espionage operation that Prodaft had described.

Truesec confirms similarities between the EvilCorp attack and the SilverFish operation. For example, Truesec notes, Prodaft reported that SilverFish “had teams of hackers working shifts, day and night. This certainly fits with our findings regarding the Wasted Locker attack in October. Only a group working continuously in shifts would be capable of reacting this fast to the successful drive-by attack.” The SilverFish actor apparently used existing infrastructure from the October 2020 EvilCorp attacks in order to “save as much as possible of the access obtained by the SolarWinds breach” after the breach came to public knowledge in December 2020.

Regarding EvilCorp, Truesec hypothesized:

Despite still deploying ransomware in attacks, the group no longer appears enticed by financial gain and, unlike other ransomware operators out there, does little to compel victims into paying the ransom…It is possible that the entire Wasted Locker/Hades ransomware campaigns have been run as just a ‘maskirovka’, the Russian word for deception, to hide a cyber espionage campaign…. 

….Perhaps Evil Corp has now morphed into a mercenary espionage organization controlled by Russian Intelligence but hiding behind the façade of a cybercrime ring, blurring the lines between crime and espionage. If so, it would likely mean that this group uses the ransom money paid by victims to finance their espionage operations.

Following up on this report, Jon DiMaggio for Analyst1 hypothesized that, while it is possible that SilverFish was a separate group of actors who reused EvilCorp’s infrastructure, it is more likely that “Yakubets (and in turn EvilCorp) is or supports the SilverFish espionage group.” He assesses that the mysterious SilverFish group was in fact Cozy Bear itself, that in the SolarWinds operation “the FSB worked in conjunction with the SVR5 on a joint mission to compromise the United States government,” and that EvilCorp helped. “This demonstrates not only how Russian intelligence organizations work together, but also how Russia uses ransomware gangs to advance their offensive cyber capabilities against foreign targets.”

If DiMaggio’s interpretation is correct and SilverFish itself is Cozy Bear (APT29), this opens up the possibility that APT29 regularly draws on the services of cybercriminal groups such as EvilCorp and Conti/Trickbot – or even that these groups are among the teams that Prodaft identified (Team 301, Team 302 etc.) as part of the SilverFish hierarchy. This is consistent with the US Treasury Department’s finding that, as of 2017, “Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.”  

The Conti/Trickbot modus operandi, discussed above, can also be incorporated into the image of Conti/Trickbot as a contract team under the APT29 umbrella. A plausible scenario might be something like this: Conti member “Professor” or “Stern” speaks with his contact in the SVR or FSB, who gives him guidance on what to look for in the group’s already-compromised victim servers. The SVR or FSB contact would enter that assignment into the “ticketing” system Prodaft described, crediting it to Conti’s team. “Professor” or “Stern” would go back and assign the task to team members.

If such a hypothetical scenario is correct, this would imply a different model for how APT29 is structured. Under this scenario, these criminal groups, likely working on contract, would spend at least some of their time carrying out assigned “tickets” or tasks as integral parts of the hierarchical and well-organized espionage operation that Prodaft outlined. (APT29 may have changed contractors since then, after Conti disbanded and EvilCorp actors have had to evade sanctions pressure). On Healey’s spectrum of state responsibility, such a relationship would probably qualify as “state-integrated.”

This is very different from the common image of APT29 as consisting solely of full-time employees of the SVR and/or FSB. This type of arrangement resembles the emerging picture of Chinese group APT41 as drawing on the services of financially motivated companies such as i-SOON, as the Natto Team has discussed previously.

Thanks for reading Natto Thoughts! Subscribe for free to receive new posts and support the Natto Team’s work.

1

The group’s data has become public in numerous overlapping leaks. These include documents from summer and fall 2020, which Wired analyzed in an early-February 2022 report (Inside Trickbot, Russia’s Notorious Ransomware Gang | WIRED); a leak dated August 5 2021 by user “m1Geelka” (CONTI Ransomware Group); data from Conti servers that the cybersecurity company Prodaft obtained in 2021 (CONTI Ransomware Group); the famous “Conti-Leaks” made public soon after Russia’s full-scale invasion of Ukraine, and the “Trickbot leaks” that followed a few weeks later Trickbot in Light of Trickleaks Data). The Natto Team is unaware of any discrepancies between the various leaks that would indicate tampering.

2

Media reports merely mention a 2014 spearphishing campaign by Russia’s GRU military hackers targeting Academi employees.

3

Activists were particularly interested in Blackwater at the time, amid ongoing court cases about the deaths of civilians in Iraq in 2007. Hacktivist Phineas Fisher had issued a manifesto in November 2019, calling on fellow hacktivists to breach organizations such as Blackwater. In July 2020, a report on Blackwater chief Erik Prince, based on the so-called “Bahamas Leaks,” appeared on the website of US-based investigations collective Unicorn Riot.

4

DDoSecrets characterizes itself as a nonpolitical “transparency collective” dedicated only to making secret information available to the public. Indeed, they have published leaked data from a variety of countries, suggesting they do not prefer one country over another. DDoSecrets administrator Emma Best makes some effort to vets the material for obvious disinformation and also restricts access to some sensitive data, making it available only to people Emma Best considers to be bona fide researchers. In addition, Emma Best warns users to watch for “malware, ulterior motives and altered or implanted data, or false flags/fake personas” in the leaks they publicize. 

Despite these public-spirited gestures, however, DDoSecrets runs the risk of encouraging ransomware actors. On January 6 2021 they published data that threat actors using Russian ransomware families Snatch and Cl0p (Cl0p) had stolen from ten Western companies. They justified this by saying the data had already been released by the hackers and that wider distribution of it would be in the public interest. However, by publishing this material and making it available to DDoSecrets’ readership — people who self-identify as social-justice activists – this brings wider publicity for the ransomware actors, greater risk for the victims of their activity, and national security threats.

This is because the Snatch and Cl0p ransomware actors might themselves have been doing favors for the Russian government. The Snatch team, for example, has stolen national security-related data from US and German government contractors in the past, and it sometimes gives away data for free, suggesting its motives are less financial than political.

Note: On August 12 2024, 404 Media reported that DDoSecrets had been cofounded by Thomas White, who served five years in a US prison for running the Silk Road 2.0 online drug marketplace and for possessing child pornography. DDoSecrets promptly issued a statement saying “Thomas White exited DDoSecrets in April 2019 and has not been involved with the project since” and that Emma Best had been unaware of his exploitative activities until that time.

5

Recall that APT29 aka the “CozyBears” used to be attributed to the FSB before January 2018, when Dutch journalist Huib Modderkolk, citing Dutch intelligence service AIVD, attributed Cozy Bear activity to Russia’s SVR. The Estonian intelligence service attributes CozyBear activity to both the SVR and the FSB. DiMaggio’s observation that Yakubets has ties with the FSB but that EvilCorp has ties with SilverFish/SVR lends weight to the idea that APT29 works for both of those agencies.

Article Link: Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear

You May Also Like

More From Author