A Ukrainian security researcher with access to the Conti ransomware group’s chat server has leaked the group’s internal chats after the group sided with Russia over the invasion of Ukraine.
The researcher hacked the gang’s internal Jabber/XMPP server and sent internal logs to multiple security researchers and journalists.
The identity of the researcher is unknown, but earlier reports in the press and on social media had suggested that the leaker was a disgruntled Conti affiliate, which appears not to be the case.
As reported by Bleeping Computer, there are 393 leaked JSON files in all, with each file including a full day’s data.
"body":"а по трику я писал же – он уже не работает, проект прикрыли"
🛑#TrickBot does not work. The project is done.
As it is public – reported earlier 👇https://t.co/E6cLDPuPrn https://t.co/Kmf7qYDg1l
— Vitali Kremez (@VK_Intel) February 28, 2022
These files contain 60,694 messages dating from 21 January 2021 to 27 February 2022 and include information on previously undisclosed victims, bitcoin addresses, private data breach URLs and discussions regarding the gang’s actions.
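For an analyst triaging a dump like this, the first job is usually mechanical: load every day-file, confirm the date range and message count, and pull out the indicators the article says are in there (bitcoin addresses, leak-site URLs). The script below is an added example, not code from the article or from any of the researchers it cites. It assumes each day-file is a JSON array of objects with `ts`, `from`, `to` and `body` keys (an assumption about the leak's schema, not stated on the page) and works on a small constructed sample embedded inline; addresses and hostnames in the sample are made up.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample standing in for two of the 393 day-files. The field names
# (ts, from, to, body) are an assumed schema; the addresses and URLs are fake.
SAMPLE_DAY_FILES = {
    "2021-01-21.json": json.dumps([
        {"ts": "2021-01-21T10:02:11", "from": "alice@example.invalid",
         "to": "bob@example.invalid",
         "body": "payment came to 1ExampLeAddrNotReaL2kq9mXz7HbQv4Tr"},
        {"ts": "2021-01-21T10:05:40", "from": "bob@example.invalid",
         "to": "alice@example.invalid",
         "body": "ok, files at http://leak.example.invalid/victim1/"},
    ]),
    "2022-02-27.json": json.dumps([
        {"ts": "2022-02-27T23:59:01", "from": "carol@example.invalid",
         "to": "alice@example.invalid",
         "body": "use bc1qsampleaddressfake000000000000000000000 instead"},
    ]),
}

# Legacy (P2PKH/P2SH, base58) and bech32 (segwit) bitcoin address shapes.
# These are syntactic matches only; verify checksums before treating a hit as a
# real address.
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_BECH32 = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")

REQUIRED_KEYS = ("ts", "from", "to", "body")


def load_day_file(text):
    """Parse one day-file, keeping only records that carry every expected key."""
    records = json.loads(text)
    return [m for m in records if all(k in m for k in REQUIRED_KEYS)]


def summarize(day_files):
    """Return counts, date range and extracted indicators across all day-files."""
    messages = []
    for _name, text in day_files.items():
        messages.extend(load_day_file(text))

    timestamps = sorted(datetime.fromisoformat(m["ts"]) for m in messages)
    addresses, urls, senders = set(), set(), Counter()
    for m in messages:
        body = m["body"]
        addresses.update(BTC_LEGACY.findall(body))
        addresses.update(BTC_BECH32.findall(body))
        urls.update(URL.findall(body))
        senders[m["from"]] += 1

    return {
        "messages": len(messages),
        "first": timestamps[0].date().isoformat() if timestamps else None,
        "last": timestamps[-1].date().isoformat() if timestamps else None,
        "btc_addresses": sorted(addresses),
        "urls": sorted(urls),
        "top_senders": senders.most_common(3),
    }


if __name__ == "__main__":
    # On a real dump, replace SAMPLE_DAY_FILES with {path: open(path).read()}
    # over the directory of day-files.
    print(json.dumps(summarize(SAMPLE_DAY_FILES), indent=2))
```

The regexes are deliberately loose: they flag candidate addresses for a follow-up checksum validation and blockchain lookup rather than asserting that every hit is a live wallet, and they will also catch the victim "data breach URLs" the article mentions so they can be fed into a blocklist or a victim-notification workflow.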
After #Conti sided with Russia, their communications have seemingly been leaked by a Twitter account with the bio “fuck ru gov.” Taking political positions is not without risk for RaaS operations as some affiliates may not be pro-Russian. pic.twitter.com/yK4wPx7ReD
— Brett Callow (@BrettCallow) February 27, 2022
The disclosure comes on the heels of Conti’s aggressive message on Friday, in which the group declared its full support for President Vladimir Putin’s decision to attack Ukraine.
The Russian military invaded neighbouring Ukraine from three sides on Thursday, in the worst attack on a European state since World War II.
The Conti group warned in its message that if anyone planned a cyberattack or any war operations against Russia, the group would use all available resources to strike back against that enemy’s critical infrastructure.
Conti ransomware group announces support for Russia, says any ‘war activity’ on Russia will result in them using their access to “strike back”. https://t.co/JIe1cqEtEw
— Kevin Beaumont (@GossiTheDog) February 25, 2022
Following the disclosure of its internal documents, the gang edited its statement to indicate that they do not ally with any government and condemn the current conflict.
Conti began its attacks in 2019 and has since been accused of ransomware attacks on a number of organisations in the United States and Europe, including the Irish Health Service and the high street retailer FatFace.
The revelation of its private discussions is a major setback for the group’s ransomware operation. It also demonstrates how divided the underground hacker community has become as a result of Russia’s invasion of Ukraine. Several groups have come forward to announce their support for one of the two sides, with Conti being one of these.
Last week, it emerged that the Ukrainian government had asked volunteers from the country’s hacker underground to help protect critical infrastructure and spy on Russian forces.
The Anonymous hacker collective has declared its support for Western allies, stating that it would solely attack Russian operations.
On Thursday, Anonymous claimed on Twitter that it had taken down multiple websites affiliated with the Russian government.
Among them was RT, a state-run news outlet, which confirmed it was the target of a distributed denial-of-service (DDoS) attack.
Anonymous’ actions came hours after Yegor Aushev, co-founder of a Kyiv-based cybersecurity firm, told Reuters that a top Ukrainian Defence Ministry official had requested him to issue a call for help within the hacker community. The Defence Ministry, according to Aushev, is looking for both offensive and defensive cyber actors.
On Friday, Anonymous claimed to have breached the Russian Ministry of Defence website and published its database, including private data belonging to the Russian MoD.
The tweet was later removed because it “violated Twitter Rules,” according to the social media site.
Ghost Security, commonly known as GhostSec, is another hacker group that has reportedly declared its support for Ukraine. The group is said to be a branch of Anonymous.
Meanwhile, Ukraine continues to be targeted with DDoS attacks, phishing attempts and malware.
According to CERT-UA, military personnel are being sent phishing messages in a campaign run by officials from the Belarus Ministry of Defence.
Internet service remains patchy across the country, with Netblocks reporting disruptions in various cities.