Connect with us

Hi, what are you looking for?

Politics

‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

The thousands of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage.

The Ukrainian computer specialist behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.

To protect his identity, CNN agreed to refer to him by a pseudonym: Danylo.

“I cannot shoot anything, but I can fight with a keyboard and mouse,” Danylo told CNN.

The trove of data Danylo leaked in late February illustrates why cybersecurity has been such a fraught issue in US-Russia relations. It includes cryptocurrency accounts the Conti hackers used to allegedly reap millions of dollars in ransom payments, their discussions of how to extort US companies and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.

But it also shows how hard it can be to disable ransomware operations. Despite Danylo unmasking their operations, the hackers continue to announce new victim organizations.

Danylo, who has worked as a cybersecurity researcher for years and studied the underground cybercriminal economy in Europe, is just one vigilante in a shadow war that has emerged between hackers and cybersecurity executives who have pledged support for the Ukrainian and Russian governments as the biggest land war in Europe since World War II drags on.

But by disrupting a group as notorious as Conti, Danylo has gained more attention than others. The FBI, Danylo said, contacted him after he began to leak the Conti files, asking him to stop leaking.

The FBI declined to comment.

Firefighters work to extinguish a fire at a warehouse after it was hit by Russian shelling on March 28, 2022 in Kharkiv, Ukraine.

CNN corroborated Danylo’s claim that he was the leaker by reviewing evidence that he had access to the Twitter account that was publishing the Conti data, as well as a website that Danylo and another person, who was granted anonymity for their protection, were using to share data contained in the leaks.

Danylo hasn’t spoken with the media about his motives — until now. He did so while navigating a war-ravaged country he had only recently returned to and could hardly recognize.

“It’s my country,” he said in a phone interview. “If they [the Ukrainian government] provide me weapons, OK, I’ll go fight. But I’m better at typing.”

Digital retribution

Danylo claims that he first gained access to computer systems used by what would become the Conti syndicate in 2016. Though he declined to explain in detail how he did this, independent security experts have verified to CNN the dataset belongs to the hackers. (Conti is both the name of malicious software and the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)

“Sometimes they make mistakes,” Danylo said, referring to ransomware groups. “You need to catch them when they make a mistake. I just was in the right place at the right time. I was monitoring them.”

For years, Danylo said, he quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials.

Conti ransomware has been rampant in the last two years, with the hackers claiming numerous victims a week.

In September 2020, the hackers claimed to have stolen case files from a district court in Louisiana. In March 2021, Conti ransomware was used in a hack that hobbled the computer networks of Ireland’s $25 billion public health system, disrupting a maternity ward in Dublin.

The dark work was lucrative: hackers using the Conti ransomware received at least $25.5 million in ransom payments in the span of just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.

Collapsed building is seen as civilians are evacuated along humanitarian corridors from the Ukrainian city of Mariupol under the control of Russian military and pro-Russian separatists, on March 26, 2022.

But something snapped in Danylo on February 25, 2022, when Conti operatives published a statement pledging their “full support” for the Russian government as it attacked Ukraine.

A Russian airstrike had landed not far from a family member’s house. The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union. He didn’t want to see it slip back into Russian hands.

Conti members tried to walk their statement back, claiming they weren’t supporting any government, but Danylo had heard enough.

Asked again why he dumped the Conti data, Danylo said with a laugh: “To prove that they are motherf**kers.” He was exhausted from a long day navigating military checkpoints in Ukraine, on the hunt for cigarettes and looking to the sky for signs of the next air raid.

Contacted by the FBI

Conti is exactly the type of prolific ransomware group that President Joe Biden last year exhorted Russian President Vladimir Putin to bring to heel amid a spate of attacks on US critical infrastructure.

The Kremlin appeared to dangle the prospect of collaborating with the US to combat cybercrime this January, when the Russian FSB intelligence agency announced the arrest of multiple accused cybercriminals. But the chances of bilateral cooperation on cybercrime have dimmed following the Russian invasion of Ukraine, which has killed more than 1,000 civilians, according to the United Nations, and made Putin an international pariah.
Civilians trapped in Mariupol city under Russian attacks, are evacuated in groups under the control of pro-Russian separatists, through other cities, in Mariupol, Ukraine on March 20, 2022.

After he started leaking the data, Danylo said, an FBI special agent contacted him and asked him to stop. Exposing Conti infrastructure could, in theory, make it more difficult for the FBI to track the group because it might set up new computer systems.

Danylo has stopped leaking for now. But he says he still has access to some Conti computer systems.

At least one law enforcement official who spoke to CNN would have preferred that Danylo had maintained that covert access, rather than alert the ransomware syndicate to his presence by leaking the data.

“Publicly releasing information like [the leaker did] is reckless,” a US law enforcement official told CNN. “Working cooperatively with law enforcement can achieve a more substantial and lasting impact in disrupting the operations of groups like Conti.”

But John Fokker, a former cybercrime investigator with the Dutch police, said the leak could actually be useful to cops chasing cyber crooks.

“Yes, infrastructure can be burned. However, the amount of data provided in the leaks make me confident that law enforcement got the information they need to write indictments on key individuals,” said Fokker, who works closely with European law enforcement as head of cyber investigations at security firm Trellix.

A catalog of misdeeds

The Conti leaks are a startling catalog of the alleged misdeeds of a multimillion-dollar criminal enterprise.

CNN evaluated and translated the original cache of documents that Danylo shared with the world via Twitter.

The communications show Conti members, each going by aliases in the chat logs, discussing the wisdom of extorting US small businesses, seemingly refraining from hacking Russian targets, and taking an interest in a journalist writing about Navalny, the Russian opposition figure who has been jailed and poisoned.

In April 2021, Conti members “mango” and “johnyboy77” discussed plans to access files belonging to a journalist for investigative outlet Bellingcat, which had published a joint investigation with CNN in December 2020 on the alleged role of the Russia’s FSB intelligence agency in the poisoning of Navalny.
“Bro, don’t forget about Navalny, I flagged it to the boss — he’s waiting for details,” mango wrote to johnyboy77 in Russian.
It’s unclear who “the boss” is in this exchange. But Christo Grozev, Bellingcat’s lead Russian investigator, tweeted that the leaked chat corroborated an anonymous tip that Bellingcat received stating that a “‘global cyber crime group acting on an FSB order has hacked one of your contributors.'”

Conti operatives refer in their chats to Liteyny Avenue in St. Petersburg, which happens to be home to local FSB offices, according to Kimberly Goody, director of cyber crime analysis at security firm Mandiant.

“Generally speaking, it would be relatively unsurprising to learn that an operation as extensive as this would not in some way be leveraged as an asset [by the Russian government] at a point in time,” Goody told CNN.

A Ukrainian serviceman stands among debris after shelling in a residential area in Kyiv, Ukraine on March 18.

The Russian Embassy in Washington did not respond to a request for comment. The Russian government has long denied accusations that it turns a blind eye to cybercrime.

There also appears to be a correlation between the Conti leaks and public warnings from US cybersecurity officials, suggesting that federal authorities have been closely watching the group.

On October 26, 2020, as US hospitals continued to reel from coronavirus cases, a Conti member with the alias Troy wrote to another member in Russian: “F**k clinics in the USA this week … There will be panic. 428 hospitals.”

Two days later the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a dire warning about ransomware attacks on hospitals, many of which used a piece of malicious software that the leaked documents tie to Conti operatives. It was unclear what specific intelligence prompted the federal warning about the hospitals, but the timing was striking.

‘It’s my work’

Cyberattacks have played a supporting role in the war in Ukraine. The White House has accused the Russian GRU military intelligence agency of knocking key Ukrainian government websites offline prior to the invasion. (A charge the Kremlin denies.) US officials are also investigating a hack of a satellite network serving parts of Ukraine, which occurred as the Russian invasion began, as a potential Russian state-sponsored hack, CNN previously reported.

For its part, the Ukrainian government has encouraged an “IT army” of volunteer hackers in Ukraine and abroad to conduct cyberattacks on Russian organizations.

In the free-for-all that is Ukrainian cyberspace, combatants like Danylo engage on their own terms.

An aerial view of the completely destroyed shopping mall after a Russian shelling in Kyiv, Ukraine on March 21, 2022.

Asked how he’s been in recent days, Danylo’s replies have been consistent: “Still alive.”

Seeing houses and schools turn to rubble has drained the vigor from his voice.

Danylo recalled, in the early days of the war, going into a bunker during a bombing raid, with his laptop, and working on the Conti files. Another person in the bunker was mystified that he was focused on his computer amid the shelling.

“What the f**k are you doing?” Danylo recalled the person asking him.

Danylo laughed nervously as he told the story. “It’s my work,” he told CNN. “[I do it] because I can.”
After weeks of living the war, Danylo told CNN he slipped safely out of Ukraine with his laptop this week.

Click to comment

Leave a Reply

Your email address will not be published.

You May Also Like

Politics

“Before coming out here, we had a long discussion with law enforcement at all levels,” said Abbott at a press conference on Wednesday. “I...

Politics

The President said last week during a trip to Buffalo, New York, after a mass shooting took place at a grocery store there that...

Politics

In a four-page order, the court found that a lower court “properly rejected appellants’ arguments that the subpoenas issued by the OAG should be...

Politics

“Cain killed Abel and that’s a problem that we have. What we need to do is look into how we can stop those things....

Politics

The committee subpoenaed Perry and Biggs along with House Minority Leader Kevin McCarthy, Reps. Mo Brooks of Alabama and Jim Jordan of Ohio earlier...

Politics

“I don’t take my platform lightly. I’m not perfect, I’m human. I have things that I walk through. That’s why I feel like people...

Politics

“America would not exist without the heroism of the young adults who fought and died in our revolutionary arm,” wrote Judge Ryan Nelson, who...

Politics

The NRA is the highly politicized body that spent decades radicalizing the GOP on guns and tearing down moderate firearm laws, resulting in a...