CSO contributor

Leaked hacker logs show weaknesses of Russia’s cyber proxy ecosystem

Mar 29, 2022

Recently leaked documents from the Conti cybercriminal gang provide clues to how Western governments and CISOs can better combat Russian proxy threat actors.


For nearly four decades, states have used proxy actors to conduct cyber operations. In doing so, they profit from diverse low-intensity efforts that harass, subvert and burgle foreign competitors, often shaping favorable conditions without risking escalation. Using proxies, from mercenary groups to criminal elements and so-called “patriotic hackers,” creates a degree of plausible deniability for states and can bring other benefits as well. In some cases, for instance, criminal organizations have better access to job-specific coding talent or hacking infrastructure than the state, thus saving the state from having to commit resources to develop new capacity.

But not all proxies are created equal. So demonstrate the recently leaked chat logs of the pro-Russia hacker group Conti, an outfit that apparently not only presents itself as a legitimate company to its staff but also clearly straddles a line familiar to most corporations: the one between political preference and business interests.

How Conti and other criminal groups benefit Russia

Conti is perhaps the most famous and best-funded ransomware gang in the world. In just the past year, the group raked in more than $180 million from the victims it extorted. Those victims came from all parts of Western industry and even the public sector. Conti’s tools were sophisticated, and its “customer service” infrastructure, used to help victims pay efficiently, was excellent. A major attack in 2021 on Irish healthcare systems that has cost the country about €100 million in recovery costs is testimony to such capabilities. Yet the prospects of the group seem to have changed in recent weeks as Vladimir Putin’s war against Ukraine caused a split among its employees.

Conti is one of many criminal outfits that have long benefited from Russia’s permissive attitude toward such enterprise. The general rule of thumb in Russia is simple: Don’t misbehave in Russian IP space and you won’t be bothered. This arrangement serves Russian national interests, as well as the interests of oligarchs tied to Putin’s regime. Criminal outfits like Conti are disruptive forces in the world outside Russia, and political elites often take a cut of what is earned.

Just as often, hacker groups and malware developers are hired to help subvert the Western-led world order in more overtly political ways. Some help spread disinformation. Others steal intellectual property and private data from valuable targets. Still others help compromise infrastructure in countries like the United States and Canada, either directly under the instruction of state security services or indirectly as providers of the tools or infrastructure used.

Leaked documents reveal Conti operations, political schisms

A series of documents leaked from Conti’s internal file management and company chat accounts has illustrated much about how the organization operates. Importantly, leaked files show how the blended criminal-political identity of the group has led to a schism among its employee base and the need to suspend many activities, at least for the time being.

In the wake of Russia’s invasion of Ukraine, Conti’s website was updated with a message of full support for the Russian government. At the time, many Western cybersecurity analysts saw the move as unusual, since the site had previously been used only to list the names of Conti victims. It seems likely to be a product of the fealty politics that govern the permissive operational landscape within which Conti works inside Russia.

Sometime later, this website message changed. In its second iteration, the message broadly supported Russian grievances but walked back from full-throated support of the Kremlin, while still offering to attack Russia’s foreign adversaries.

This change in stance almost certainly stems from the fact that Conti’s employee base contained individuals ardently opposed to Putin’s invasion. One Ukrainian researcher who had infiltrated Conti has been responsible for much of the leaked information now being pored over by Western analysts. A Twitter account, @ContiLeaks, began publishing information shortly after the start of the invasion, providing unprecedented insight into the gang’s operations.

Many of the leaked chat logs show much of what you might expect of a gang like Conti, or of other ransomware-as-a-service (RaaS) outfits like Ryuk or REvil, in terms of hacker culture. There is antisemitic discussion of Ukrainian President Volodymyr Zelenskyy, misogyny galore, and unusual obsessions with figures from Western popular culture such as the well-known security journalist Brian Krebs. Perhaps the most immediate surprise to many analysts has been the unusually professional manner in which the gang treats itself as a legitimate company, replete with boilerplate job-advertisement language and (really rather good) onboarding material.

Conti is “temporarily neutralized”

The political reality of the group’s operations is there to be viewed as well, at least for anyone who can interpret the hacker slang and jargon in many of the leaked Jabber threads. On the one hand, group members began to feel the pinch of Western sanctions quickly after the February 24 invasion, complaining about lack of access to American goods (particularly technology) and, in many cases, doubling down on the conspiracy theories Putin has articulated about Ukrainian atrocities and links to neo-Nazism.

On the other hand, there has been clear confusion over the about-face in the organization’s public statement and the radio silence of its boss, known as Stern. This confusion was addressed recently in an all-employees announcement in which a deputy asks members to take a couple of months’ vacation so that Conti can deal with the fallout of the invasion and reposition itself to rebuild its revenue flow.

These logs reinforce a basic idea: the cyber proxy environment of criminal organizations, big and small, in Russian-influenced territories is conditioned by and responsive to the same culture of loyalty that appears to have already created challenges within the Russian government in recent weeks. Conti’s attempt at crowd control by moderating its statement of support may have been a double-edged sword for the outfit and, particularly, for its boss. After all, at least a few outraged employees clearly remained unsatisfied with the group’s stance, and the about-face is hardly the kind of signaling the Kremlin would prefer.

Add to this the context that cybercriminals’ close connections to the Russian state likely run largely through the intelligence community, which is itself undergoing something of a purge in response to intelligence missteps at the outset of the invasion of Ukraine, and the result is a situation in which a valuable Russian cyber proxy has been temporarily neutralized by dint of its blended political and operational imperatives.

Opportunities to better defend against Russian cyber proxies

What does this mean for Western efforts to combat cyber proxies like Conti? For one, this episode suggests there are opportunities to threaten the economic interests of specific criminal operations by forcing tension around the loyalty relationship that underlies their permission to operate in safe IP space. Tying sanctions on individual oligarchs and businessmen thought to be linked to RaaS and other cybercriminal activities to even limited evidence of Conti (or REvil or Ryuk, etc.) activity could force a shift in how such sophisticated irritants of Western society operate. This may be particularly true given the manner in which such outfits seem to operate as a kind of cartel.

Data on hiring practices and patterns found in these leaks also provide a robust blueprint for future efforts to infiltrate and dismantle such operations. The training and onboarding material obtained by insiders should be required reading for those across the West concerned with building better cyber hygiene and infrastructure-protection practices, since it documents how the group’s operators are taught to gain and keep access.

More important than any other takeaway, however, should be the broad recognition that the blended political and business identities of proxies like Conti make them uniquely weak. In particular, being embedded in the idiosyncratic fabric of Russia’s corrupt, kleptocratic political environment makes such actors susceptible to non-cyber countermeasures like those suggested above. Absent some change in the relationship between Putin’s regime and Russia’s substantial criminal elements, this weakness is only likely to become more pronounced as the country’s relationship with both the Internet and the global economy enters a new, more secluded phase.