Internet Backbone Giant Lumen Shuns .RU

Lumen Technologies, an American company that operates one of the largest Internet backbones and carries a significant percentage of the world’s Internet traffic, said today it will stop routing traffic for organizations based in Russia. Lumen’s decision comes just days after a similar exit by backbone provider Cogent, and amid a news media crackdown in Russia that has already left millions of Russians in the dark about what is really going on with their president’s war in Ukraine.

Monroe, La.-based Lumen [NYSE: LUMN] (formerly CenturyLink) initially said it would halt all new business with organizations based in Russia, leaving open the possibility of continuing to serve existing clients there. But on Tuesday the company said it could no longer justify that stance.

“Life has taken a turn in Russia and Lumen is unable to continue to operate in this market,” Lumen said in a published statement. “The business services we provide are extremely small and very limited as is our physical presence. However, we are taking steps to immediately stop business in the region.”

“We decided to disconnect the network due to increased security risk inside Russia,” the statement continues. “We have not yet experienced network disruptions but given the increasingly uncertain environment and the heightened risk of state action, we took this move to ensure the security of our and our customers’ networks, as well as the ongoing integrity of the global Internet.”

According to Internet infrastructure monitoring firm Kentik, Lumen is the top international transit provider to Russia, with customers including Russian telecom giants Rostelecom and TTK, as well as all three major mobile operators (MTS, Megafon and VEON).

“A backbone carrier disconnecting its customers in a country the size of Russia is without precedent in the history of the internet and reflects the intense global reaction that the world has had over the invasion of Ukraine,” wrote Doug Madory, Kentik’s director of Internet analysis.

It’s not clear whether any other Internet backbone providers — some of which are based outside of the United States — will follow the lead of Lumen and Cogent. But Madory notes that as economic sanctions continue to exact a toll on Russia’s economy, its own telecommunications firms may have difficulty paying foreign transit providers for service.

Ukrainian leaders petitioned the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit organization charged with overseeing the global domain name system — to disconnect Russia’s top-level domain (.ru) from the Internet. ICANN respectfully declined that request, but many technology giants, including Amazon, Apple and Microsoft, have moved on their own to suspend new business in the country.

Meanwhile, Russia recently cracked down on the last remaining vestiges of a free press within its borders, passing a new law that threatens up to 15 years in jail for anyone who publishes content that refers to the conflict in Ukraine as a “war” or “invasion.”

As Neil MacFarquhar writes for The New York Times, what little coverage there is on Russian television networks about the invasion does not include any footage of the devastation wrought by Russian troops on the Ukrainian citizenry. At the same time, the Russian government has blocked Facebook and partly blocked Twitter, while other platforms like TikTok have suspended services in the country.

“To spend several days watching news broadcasts on the main state channels, as well as surveying state-controlled newspapers, is to witness the extent of the Kremlin’s efforts to sanitize its war with the Orwellian term ‘special military operation’ — and to make all news coverage align with that message,” MacFarquhar wrote.

The Washington Post, which was the first to report on Cogent’s decision last week, wrote that these independent actions by private tech companies collectively “will leave Russians more dependent than ever on government propaganda that already dominates the nation’s newspapers and broadcast stations, leaving few ways to access independent sources of news at a time when the country has entered a severe political crisis.”

In a blog post titled “Why the World Must Resist Calls to Undermine the Internet,” Internet Society President Andrew Sullivan said cutting a whole population off the Internet will stop disinformation coming from that population — but it also stops the flow of truth.

“Without the Internet, the rest of the world would not know of atrocities happening in other places,” Sullivan wrote. “And without the Internet, ordinary citizens of many countries wouldn’t know what was being carried out in their name. Our best hope, however dim, is that those supporting an aggressive regime will change their support. More information can help, even as disinformation circulates. We need a better understanding of what is and is not disinformation.”

There is another — perhaps less popular — camp, which holds that isolating Russia from the rest of the Internet might be THE thing that encourages more Russians to protest the war in Ukraine, and ultimately to take back control of their own country from its autocratic and kleptocratic leaders.

Not long after Russia invaded Ukraine, I heard from an old pen-pal in Ukraine: Sergey Vovnenko, a.k.a. “Flycracker,” a.k.a. the convicted Ukrainian cybercriminal who once executed a plot to have me framed for heroin possession. Vovnenko did his time in a U.S. prison, left Fly behind, and we have since buried the hatchet. He’s now hunkered down in Lviv, Ukraine, which is serving as a major artery for refugees seeking shelter outside Ukraine’s borders.

These days, Vovnenko says he is working with many sympathetic hackers to fight the Russians online. Asked what he thought about the idea of Russia being isolated from the rest of the Internet, Vovnenko said it couldn’t happen soon enough given the Russian government’s new media blitz to cast the war in a patriotic light.

“I think they should be disconnected, maybe Russian people will rebel against Putin after that,” he said.

Podcast: Cyber War Elements In The Ukrainian Conflict | Hosted by the Alperovitch Institute for Cybersecurity Studies

In a special event hosted by the Alperovitch Institute, some of cyber security’s most distinguished speakers share their thoughts on the unfolding cyberwar in the midst of the Ukrainian conflict. Aside from the DDoS attacks and website defacements, and a sense of heightened alert around the globe, there has so far been a lack of devastating attacks. Are the APTs on all sides keeping their powder dry, or is there something else going on?

With questions and contributions from Chris Krebs, JD Work, and John Scott-Railton, and moderated by Thomas Rid, listen to the thoughts and insights of speakers such as SentinelLabs’ Principal Threat Researcher Juan Andres Guerrero-Saade, Olga Belogolova (Meta/Georgetown University), Daniel Moore (Meta/King’s College London), Gabby Roncone (Mandiant/Georgetown University), Ben Read (Mandiant/Georgetown University), Robert Lee (Dragos), Lee Foster, and Dmitri Alperovitch (Silverado Policy Accelerator).

With thanks to Sean Ainsworth for recording this event.



The War in Ukraine and Cyber Operations by Alperovitch Institute for Cybersecurity Studies: Audio automatically transcribed by Sonix


Thomas Rid:
Evening, it’s 8:00 p.m. Eastern. I understand that there are a couple of people here from the UK and perhaps even further east, so welcome especially to you, because it’s very late where you are. So I’m Thomas Rid, Professor of Strategic Studies at Johns Hopkins University. I write books about technology and conflict, and we are going to talk about. Um, this big question out there, the surprise out there. Where’s the cyber war in Ukraine? This is a question that I haven’t raised, but a lot of people have raised. We’ve seen a couple of high-profile press stories in the Wall Street Journal and The Economist, but really asked where like, why have we not seen more high-profile cyber attacks, computer network operations just before the conflict, just before the start of the war, at the invasion and in the early phases, especially in Ukraine, especially in that country that has seen some of the most sophisticated, the most. A costly cyber attacks in the past seven years, depending on when you start counting. So. The way this is going to run this, this space, it is, it works like this. We’re basically going to talk amongst ourselves for something like 45 minutes to an hour. We we this meaning sorry if the only thing that’s getting. Oh, so we are. When I say we, I’m referring to a group of people that are, you know, around the Alperovitch Institute at Johns Hopkins, it’s a new research institute that was that we founded and are still starting up right now on cyber security studies.
Very generously endowed by Dmitri Alperovitch, who is with us tonight, is one of the participants in this conversation. Thank you, Dimitri, for coming tonight, especially. And so moving for the next hour will be discussing four questions. First question is. Essentially, where is that cyberwar, what has happened so far in terms of actual observable computer network operations in the context of the Ukraine war? So first state of play, what’s happening? What do we know? Second question and we’ll do each one in a round amongst this group. I’ll introduce them in a moment. So the second question is, well, what may happen or version of that question, what perhaps has happened already, but we just don’t know about it yet. So what kind of cyber attacks should we actually expect in a situation like this? The third question, then, will be how do these operations, these covert digital operations or not? So covert operations, how do they fit into the wider picture of the campaign of the war? How really, how important are they? What’s their role in the bigger picture? And finally, if we have time after that, we are going to. Open for a conceptual question, what does all that mean for the future conversation about computer network operations, cyber conflict? All right. So I would introduce the speakers as they speak whenever they speak for the first time, just so you don’t have to listen through a long round of introductions.

And let’s start with that first question. What is what have we seen so far in terms of computer network operations in Ukraine and in order to tackle that question? I will just cold call on one of our speakers and why don’t I start with Danny Moore, Daniel Moore? Danny is my former student, a PhD student, also a former Israeli IDF officer who has an extraordinary set of experience, now works at Meta, but obviously here speaks only for himself. He has a book out soon that is called Offensive Cyber Operations, so I couldn’t think of anybody better to be the first one to jump in here. Danny, what have we seen so far? All right.

Daniel Moore:
Hi, everyone. So what have we seen so far is actually not that much. I know that there’s a lot of noise and a high volume of attacks comparatively more than we usually see. But the vast majority of what we’ve been seeing is a combination of either denial of service attacks or or wiper operations, which I think some of my other friends here can speak more fully to. But as a sum total of operation, it’s quite less than we have expected. And principally, I think, one of the biggest gaps in regards to our expectations and clearly this campaign has this war has changed or tones our expectations in many ways. But on the cyber side, we a lot of us expected information dominance as an early objective for the Russian forces to tackle critical national infrastructure and communication networks. Cell networks control the narrative through this. It is conducive to what they would want to do before. And I’m admittedly quite surprised that they haven’t even attempted to do this now. But I think it’s important, and a lot of folks here would agree that what we have seen is not necessarily indicative of what there is. We do have a perspective bias, both because we’re consistently being targeted by influence operations from both sides, but also because whatever happens on the military side, we might not have visibility into. So long story short, we see a volume of things, maybe not the quality or quantity that we would have wanted and maybe not as tethered to specific military objectives as we would expect.

Thomas Rid:
Interesting. I’m sure as I look through the speakers list, I mean, especially Juan, you come to mind because you have just spent some good chunk of time last week, I think, or earlier this, I’m losing track of time, spent some time investigating one of the pieces, one of the events, malware samples that we’ve seen earlier in the campaign. Can you can you sort of put that into a little bit of context for us and just to introduce you, Juan Guerrero, and many of you will know him, now with SentinelOne, one of the most respected APT hunters, I think, in the wider community. So delighted to have you.

Juan Andres Guerrero-Saade (JAG-S) :
Thank you, Thomas. So, yeah, thanks everybody for joining, and we finally were able to kind of straighten out most of the speakers here. So, you know, it’s kind of an odd question for me to talk about know where is a cyber war? Have we not seen it? Because, I mean, to some extent, it’s been a more or less exciting or eventful conflict on the side of cyber. For those of us that have been really sort of knee deep in the different operations, different pieces of malware that have been coming out, I’m thinking, you know, mostly Ben Read is here. I’m sure his team has dealt with quite a bit, Gabby as well. I see Silas in the crowd. Tom, who works with me, we’ve all been swamped with all kinds of different ops, mostly around these different pieces of wiper malware to talk about sort of the diversity of threats that we have here. And I know that recently there was a graphic that I retweeted. There are at least five or six different groups that we see active against Ukraine with a variety of different operations. Whether it’s, you know, disinfo ops, whether it’s wiper malware or hack and leak operations and, you know, phishing and so on. So to some extent, I mean, there is quite a bit of cyber activity as as enabler as a support to what’s going on.
But I think we’re also kind of in a strange period of objection where there have been so much talk of cyber war as its own thing that I think we we kind of sold ourselves on this mirage of what cyber war quote unquote would look like. And instead, what we’re seeing is sort of the disappointing reality of war, which includes cyber components but really isn’t led and sort of entirely mired in them.

Thomas Rid:
So I think great, great observation from you there earlier at the top that. If we look to zoom in to more closely into the kinds of events that we’ve seen, then perhaps really what we’re looking at is that the press coverage one for one, but also perhaps the just the stress of the war itself for all people in Ukraine, including obviously incident responders has probably. Created a bit of fog of war and the cyber investigations context, and many of us have simply not had missed some of some of some of the interesting events that have happened in this context. The other person that comes to mind here, as I look at our speakers, is Rob Lee, who, probably through his company Dragos, of which he is the CEO, and as an old friend of many of us here, probably has some good visibility into a set of events that some of us, most of us will not have. So, Rob, what are what are you seeing?

Robert Lee:
Yeah, I think in Ukraine leading up to the conflict, there was a lot of different kind of pre-positioning kind of activity that was taking place, but of course, it never manifested in anything that we would observe. I think to many of the comments that were made in this group, whether in chat or here tonight, I think there’s been maybe an overestimation by Russia of its capabilities and going into the conflict and not relying on certain cyber capabilities. Maybe they didn’t feel they had a need. Maybe it wasn’t a reliable option. I mean, I think, you know, I look back to my time in the military and we always the cyber folks, if you will, always wanted to present commanders with cyber options because that was our goal and it was a focus. But when you’re sitting next to somebody or you’re presenting to a general and saying, Hey, I’ve got a 70 percent chance that I can take down that integrated defense system and we need three months prep and here’s what we can do. And the pilot standing next to you says, Yeah, I can like take off right now and bomb it in two hours. And with a ninety eight percent confidence here, those commanders are generally going to go for those non cyber capabilities. So I think cyber as a tool ends up being really, really helpful pre-conflict, potentially in conflict. But I think when bombs start dropping, there’s no amount of anything that we associate with cyber that’s actually all that relevant in terms of what people are actually clearing now outside of Ukraine, there’s a lot more activity going and maybe we’ll get to that later. But we started seeing some groups that the United States government has attributed to Russia starting to target just at a high level, not anything that would say compromises and taking down systems, but starting reaching out, doing reconnaissance, kind of targeting key electric and liquid natural gas sites around the United States starting back in October.
And we ended up informing the community and federal government on that then. And I think that raised a lot of concern of potential future efforts, not saying that anything is going to come to bear. But obviously it represents a concern when you see some of those capable groups starting to be real precise in the places that they’re hitting.

Thomas Rid:
So bottom line, there’s maybe a lot more pre-positioning that has happened in various networks and various targets that we simply haven’t seen revealed publicly yet. And so presumably a lot more will come up come out over the next weeks and months. Juan, you raised your hand, and Dmitri as well.

Juan Andres Guerrero-Saade (JAG-S) :
Well, what we’re talking about visibility, and I think this is sort of an important near and dear point to those of us that are sort of trying to work on the threat until space trying to understand the situation. We had our clearest visibility as to what was happening in Ukraine in the weeks leading up to it in the hours leading up to the invasion. It was actually a really interesting period as we became aware of Hermetic wiper and some of these other components around, I want to say four or five p.m. Eastern Time with the invasion starting at what I want to say around midnight or two a.m. our time. And it was sort of this interesting tempo where you could see reports of the attacks increasing. But I think that was the end of having any kind of fidelity of observation and telemetry into what was going on there and sort of important to understand the medium for cyber attacks and for any kind of cyber components as being so tragically tied into internet infrastructure electricity. Just the general availability of systems and even just people on those machines to click and make mistakes and so on. I think the kind of banality of cyberwar is precisely that. You know, once bombs and bullets really come into play, the reliability of cyber goes from that 70 percent that Rob spoke of to perhaps a meager 20 or 30 percent. Let’s see if the systems are still up. Let’s see if we can even get there anymore. And that’s where it kind of all starts to fall off for us in the telemetry side.

Thomas Rid:
Yeah, great points, Dmitri. You also raised your hand and then Ben.

Dmitri Alperovitch:
Yeah, I think it’s important to kind of put things in perspective here that one of the things that cyber is just fantastic at right is the ability to cause damage to the ability to do disruption, the ability to do coercion in that gray zone between peace and war, where you have conflict between states, but they’re not quite at the kinetic stage and you’re trying to keep things below that level of threshold of actually engaging in a war, but still nevertheless impact economic pain, impact pain politically and so forth through interference campaigns. Once the bombs actually start flying, as some of the folks have said, cyber becomes much less useful. It may still be useful at a tactical level, and what I did expect before the war is that we might see very specific attacks on the communications infrastructure, and we certainly saw some and we can talk about that later, but not to the extent that I expected, in part because I did not expect the Russians to be so bad at having secure communications between their own units that they ended up relying on Ukrainian communication systems, including their cell phone communications, to actually keep in touch with each other. And as a result, them taking down the Ukrainian communications networks became much less interesting and appealing. But the other thing that I thought that they might do is is target the mobilization databases, and I think that we need to appreciate just how badly the assumptions have been on the part of the Russians about this whole war that it is very clear now in terms of their initial actions in the first couple of days of conflict that they really thought that they could just roll into Kiev with a company of armored vehicles and the Ukrainians would surrender that there would be no resistance, that the Ukrainian armed forces would just dissipate. So they really didn’t plan on cyber or much of anything else. For that matter.
Very little air power, for example, was used in those initial days, E.W., et cetera. And that makes sense when you start thinking about it in that context that they thought this would be fast and quick and they didn’t need to use a whole lot of disruption or destruction in cyberspace or otherwise to achieve their objectives. And the other thing that I think is also becoming very clear is how few people in the Russian government and even the Russian military actually knew about this invasion. It turns out that the U.S. intelligence community and frankly, the rest of the world that has been paying attention to the warnings coming from the Biden administration knew much more about the invasion plans and what Russia was going to do than the Russian military. Much of the Russian military. The secrecy and the paranoia cannot be underestimated in terms of the impact that this had on the whole campaign that the Russians have waged here. The logistics problems that they’ve had, the communications problems and the cyber. So it wouldn’t surprise me in the least if they actually didn’t even tell the cyber guys that the invasion was going to take place until the very last minute when the orders went out because of the secrecy that Putin insisted upon, in part because I think he was very paranoid with all the disclosures that the U.S. intelligence community was making about his plans for false flag operations and so forth.

Thomas Rid:
Yeah, you’re making you’re raising a fascinating question there, obviously, about the coordination of different parts of the Russian security establishment or even just within the military establishment in terms of when to and what exactly would be launched on the 24th of February there. And by the way, before we, I just want to make a moderate comment. As the moderator, I just quickly zoomed, scrolled down and saw that there are so many extremely, I mean, so many friends, but also just extremely impressive individuals from this wider community in this space right now. So if you would like to come in and say something and you’re not speaker, I personally was occasionally invited to become a speaker when I was like, not ready because I was doing something that would have been inappropriate to speak it within while I was doing that. Like, you know, taking kids down and the if you want to speak, just hit a request. I won’t request you without you requesting first. But I would like to send a note that we’re an open, informal space here. Danny had your hand up.

Daniel Moore:
Yeah, I just wanted to add that I know we’re pretty thirsty community in the sense that we keep looking for something to instruct us on what cyber operations during conflict are supposed to look like. And now that we we haven’t seen it here. We’re sort of scrambling to redefine the space. So yes, there’s a lot to learn from here.But I also want to caution that this might not be the most representative of the potential of what we could be seeing, both at the outset of war time and during both on the strategic side and on the tactical side. There is certainly a lot of potential to target military networks and critical infrastructure and to facilitate early objectives through these means. And I agree with Dmitri that at a certain point, it becomes more tactical than strategic ones for deep into into wartime. But yeah, I would also caution not to overindex on what we’re seeing here is truly representative.

Thomas Rid:
I think this is a fundamentally important point to not jump to conclusions, to larger conclusions based on the state of the information that we currently have. I will just point out many of some of you here have discussed this already in privately with with with us today. But just a six about six hours or earlier today, the story broke that Viasat, the European network satellite internet service provider, was likely breached in preparation of of what looks like perhaps a command and control counter command and control operation, because apparently the Ukrainian military was a user of Viasat services, and the time of that breach was the time of the attack allegedly was 5:00 a.m. local time in Central Europe on the 24th. So that appears to have been some form of cooperation and coordination. Ben, you had your hand up and then Juan.

Ben Read:
Yeah, thanks. Exciting to be here. And like everybody speaking on behalf of myself and not necessarily my employer, but I want to both sort of support a lot of the sort of echoes of what Dmitri said. In terms of that, not nothing seems to have been super well integrated in terms of the weather was sort of counter suppression of enemy air defenses or sort of other stuff. So it’s not entirely surprising that cyber doesn’t stand out there as kind of like having all of the heavy hitter sort of things moving in sync. So I think that’s an important point to remember when we’re when making a judgment that on sort of capabilities is that we haven’t seen them in general, but I do kind of want to also at the same time, speak to what we have seen because I do think it is not. It’s certainly not nothing. I mean, there have been three waves of at least three waves of wiper attacks against entities sort of in Ukraine and sort of along with them, DDoS, website defacements. Again, not not the sort of like sexy stuff, but but still notable. And I do think that the impact of those is unknown. I mean, the Ukrainian government’s been able to get their message out primarily through Facebook and Twitter. And that’s a whole separate conversation. But we don’t have necessarily full insight into how much disruption actually happen from those. And at the same time, you’ve also seen sort of from Facebook’s blog post, a sort of disrupted operation trying to compromise Ukrainian service members Facebook accounts and post videos of Ukrainian soldiers surrendering from Ghostwriter. So there is a bunch going on and it is not super well planned out or super well integrated with the sort of full plan, but that kind of fits. Cyber doesn’t. There’s not sort of like as we kind of see and there’s not some kind of magical folks doing cyber who know everything and are omniscient. It kind of tracks with the rest of it.
But I do think it’s important to remember that a number of things have happened and we don’t know. And obviously, that devices have stuff still out there as well. But but just about there and there has been things that happened in the certainly where we’re not over yet. And again, things are last thing. This is all there has been sort of continued and we’ll get to this later. But in terms of outside activity outside of Ukraine, there has been sort of a continued high tempo of sort of espionage operations trying to get perspective on what European capitals want to do and things like that.So there’s definitely a lot of Russian cyber going on.

Thomas Rid:
And Ben, when you say espionage operation, you mean in in a way that appears to be timed around the conflict or just your run of the mill regular activity.

Ben Read:
It’s been a consistent volume of it for the last six, 12 years or whatever, but certainly in the last couple of months, certainly significant operations against European ministers, foreign affairs, et cetera. But I mean nothing out of the normal, but it’s normally a high, high tempo there.

Thomas Rid:
Great. So thank you. Three hands up: there’s John Scott-Railton from the Citizen Lab, then Juan and Chris Krebs. Juan, let me jump in before John does.

Juan Andres Guerrero-Saade (JAG-S) :
Just to piggyback on Ben’s point, there has been quite a bit of stuff going on. There are some different subsets that we would want to split up and, you know, at the risk of maybe nerding out a little too much on on the front of the, you know, threat intel stuff that we’re seeing. But you know, you’ve got stuff happening in Belarus that I think is quite interesting. I mean, Ben and Gabby have done amazing work on on Ghostwriter or I want to say eleven point fifty one, but I’m not good with your numbers. That in itself has been sort of fascinating and sort of watching this disinfo ops side of the house’s collection side of the house that the Russians seem to be involved in. And at the same time, seeing a bit of pushback on the part of the Russian and cyber partisans sort of affecting the train system a couple of times now and trying to kind of put up some kind of a front in Belarus on the part of the Russian groups that we’re seeing. I do think that it’s worth noting that it isn’t business as usual for Russian cyber.

Juan Andres Guerrero-Saade (JAG-S) :
We’re not seeing Turla and APT28 and Nobelium and these sort of sets that we’ve gotten used to and that we’re very familiar with to some extent, there is some level of preparation in that we are seeing entirely new components being dropped by groups that we have yet to be able to characterize. So to some extent, there was some level of preparation, but it’s more on the, you know, novel cyber side of the house of not having everything sort of defanged by the fact that we’re familiar with them. It’s just, you know, it’s not overwhelming and it’s novelty, but it is effective in what it’s been done.

Thomas Rid:
Yeah, great. Great point. Before John, just quickly, before John, you come in. I just wanted to quickly welcome many more listeners here in this room. We are growing fast. This is an event by the Alperovitch Institute at Johns Hopkins University. We are discussing where the cyber war in Ukraine and the war in Ukraine, where is whether the cutting edge cyber operations that we’ve seen so far? What may we see next? And what does it all mean for this bigger conversation? John Scott-Railton from the Citizen Lab is next.

John Scott-Railton:
Hi, everyone, it’s great to be here. What an amazing group of people to from my perspective, I feel like the Viasat thing is a bit of an indicator of what’s to come. If we look back at other conflicts where there have been large areas that are sort of like low internet connectivity where Russia is part of a war. I think that maybe this moves us towards the next steps conversation. There’s going to be a lot of focus on targeting the ways that Ukrainians are getting connected and staying connected, and then also trying to peek in and to sort of intelligence collection both broad stroke but also like tactical stuff of their activities. What’s interesting about the Viasat case is that I think early on people thought maybe this is some kind of satellite jamming, but it actually looks like update supply chain poisoning, which is really interesting. And it seems to have affected lots of terminals, lots of like user ground terminals in countries around Ukraine as well. Obviously, there’s no attribution at this point in. Viasat is like basically not saying anything publicly, but it’s an incredibly interesting situation. I’d also flag today. I’m sorry, Tom, did you

Thomas Rid:
Say? Actually, I just want to ask you. You may have seen that the Spiegel covered the story with a really interesting piece. The German government seems to think, perhaps in contrast to what you just said, and I’m curious how you make sense of that, they appear to think that some of the outside-Ukraine effects, wind turbines, for example, were collateral effects.

Ben Read:
Yes, that seems absolutely right. I’m sorry if it sounded like I was saying something different; this is all in fact collateral. And it’s interesting because in general, in the conflicts where there has been jamming against satellites, in many cases what jamming looks like is actually a ground station blasting something up at the satellite to make it hard for the satellite to do its communication business and find signals on the ground. There’s collateral effect. So one sort of historic example now is that back in 2011, there were parts of Libya that were under opposition control and Gadhafi wanted to shut their connectivity down. A lot of them were using Thuraya. And so he did a fairly extensive jamming effort focused at the particular spot beam that was on Libya and wound up having collateral effects throughout the region. Here, this is something totally different. They seem to be focused on the update systems for the KA-SAT satellite that Viasat uses and supplies terminals for in Ukraine. But in the end, it looks like they’ve had this collateral effect, too. So Germans and French and others are sort of leaving their systems turned off in the hopes that by the time the update process, which takes a while, gets done, whatever the update is that’s being poisoned has been removed.

Thomas Rid:
Yeah, fascinating for me. One of the fascinating questions of that case is whether we would have learned of the compromise relatively early, as we have without the collateral effects, because some of them may have prompted investigators to look more closely.

Ben Read:
Oh yeah. And just to build on that, I think there’s talk. So today, I want to say, Elon Musk and Starlink is a conversation we could have at some point. He said that there was some selected jamming of Starlink terminals or communications somehow in Ukraine, and I just don’t know what he’s referring to yet. But as a general rule of thumb, if there is satellite communications jamming happening, it almost always is going to have collateral effects. And so you’ll likely hear about it from lots of places. So sporadic statements about satellite jamming, unless it’s something very close to the user in the terminal, you’re going to hear a lot about, because it’s going to affect lots of different parts of SCADA and critical infrastructure, which rely on those systems from fixed terminals.

Thomas Rid:
Fascinating. Chris Krebs, you had your hand up.

Chris Krebs:
Tom, thanks for having me on, and thanks for pulling this Spaces together. So I think a couple of kind of observations off the top end. So there are a number of folks out there in the community that have been anticipating scenario development, war gaming. And Dmitri obviously has been at the forefront of saying, Hey, here’s what I think is going to happen. And this has been going on for several months anticipating this and perhaps in some respects kind of stretching the boundaries of what the establishment actually thought was practical or possible, but nonetheless, when the Russians went in a couple of weeks ago, it was like, Oh, well, you know, they were kind of right all along. But I feel like right now we may be in a different space, right? I think a lot of the assumptions built in up front were that (a) the Russians were well coordinated and integrated. You’ve already talked about that, Dmitri talked about that just a few minutes ago. And so when we think about, like, why haven’t we seen these things, I’m not sure that’s the right question, necessarily. It’s more about what did they try? Was it effective and how did it align with their objectives? I think there’s a second question we have to start asking right about now. A lot of the kind of anticipatory questions and planning were more about thinking that the Russians were going to win this one and win it going away. And now we’re in a really interesting position where the Ukrainians are doing quite well. In fact, on the battlefield, they’re doing even better politically. A number of folks, I see Renée DiResta is on, she had a great thread this morning about kind of what’s happening in the information ecosystem. And Tom, Thomas, you’ve talked about this as well, but we anticipated a series of actions from the Russians. We’ve all talked about that; we’ve prepared clients and other folks.
But I feel like the outcomes might be a little bit different now. And so we may be in a little bit different space in terms of what the Russians might do and how, as the economic sanctions are ratcheting up pressure on the domestic economy there, it may become economic necessity. So I think that’s the real challenge, kind of looking around the corner at what’s happening next, given we may be in completely brand new space and the mythology of the Russian cyberattack capability may not be what we thought it was or built, you know, put in a position to be successful. And we have a completely different set of political outcomes in front of us. And so that’s, I think, the real challenge here: how do we anticipate, how do we talk about this in a responsible, reasonable way to make sure that we’re preparing, whether it’s again, you know, clients, government officials, the general public, for what may be next?

Thomas Rid:
Absolutely. And you mentioned Renée DiResta, and I just want to send a signal again out to anybody who’s listening, she’s obviously listening as well, that you’re welcome to request a speaker role if you feel like it. I don’t want to be too aggressive and request speakers without asking them first, but please do a request if you’d like to come in. And John had his hand up, John Scott-Railton.

John Scott-Railton:
Just to totally put a giant highlighter through what Chris just said. I was looking back at a case study I wrote for the Libyan Civil War and remembering how in the first weeks there were so many periods where everyone thought they knew what the state of play was and then something big changed. Power went out, internet went out and everything changed. And I just can’t stress enough that I’m sure that Chris is right and that in a week we’re going to be having an entirely different conversation.

Thomas Rid:
Hmm. Rob, I think you wanted to come in and couldn’t find the hand up button.

Robert Lee:
Oh, that was a general comment, but I will. Sorry, taking our Signal chatting online? No, but look, it’s just not necessarily commenting on that. I think that the folks commenting on the fact that we may not be seeing all the things that are actually happening, I think that’s very fair. But again, we do know these groups are capable, if we’re talking specifically on cyber. Not only are these groups capable, what we do know as a matter of fact is that there are some of them that are currently developing offensive capabilities against things like industrial control system environments. It’s just inherently escalatory. And so I think Ukraine is a perfectly good bounding in the conversation. What happens next outside of Ukraine, especially in NATO and U.S. and allied countries? That, to me, is the most interesting piece of this, but I know we’re probably going to have that conversation later, but there is a lot more happening than I think people are realizing. And if you’re going to impact infrastructure and if you’re going to have cyber operations, you don’t do that on the day of the conflict, you do that months ahead of the conflict. And so that’s where, from a cyber perspective, I think a lot of the focus should be.

Thomas Rid:
Yeah, that’s a great comment there. Let’s try to focus on that question. What could happen next? What may have already happened? We just don’t know about it yet. What’s the kind of computer network operation attack that we should expect in a situation like this? And what would you assume escalation looks like? I think, JD, you had your hand up and then Juan.

JD Work:
Hey, folks. Great to be here tonight with you all. I definitely did want to foot-stomp much of the activities that will be seen in the current phases that perhaps have not been observed to date because of collection limitations or telemetry limitations, but also the things that will be used as this begins to escalate, particularly as the global reaction likely far exceeds the Kremlin’s pre-war calculus. They almost certainly did not anticipate what is effectively a developing economic blockade of the country on multiple levels. They’ve lost access to cloud services, they’ve lost access to aviation services, they’ve lost access to the global financial system in a variety of critical ways. Initially, the warnings from a lot of folks were focused on this idea of symmetric retaliation. I’m always skeptical of pure symmetry because the adversary sees things in very different ways. But as we begin to look at the manner in which they react next, it’s the things that are most critical to their survival. I mean, the seizure of aviation capabilities is incredibly important nationally. And if they can’t maintain engines, if they can’t maintain systems, they’re highly likely to drive espionage activity, but also potentially retaliatory activity to try to find a point at which countries are unwilling to continue further action. And insofar as many of the sanctions activities are actually a thing of private decision, where private entities cannot accept that counterparty risk with firms and other entities operating in what is basically a revisionist regime, those companies are subject to pain points in a way that state policy is not. So I think we’re entering a period of incredibly heightened risk for a lot of private entities that are reacting not inconsiderably on their own accord in response to the general tenor and in response to the uncertainty of the environment, but very much subject also to retaliation as a result of that.
I’ll also say there’s a tremendous amount of pain points that are happening in these internecine developments. I mean, whatever credence you want to give to the reporting around the initial attempts at seizure of key Ukrainian government assets on the 24th, and the idea that there were perhaps competing mercenary groups and competing factional sponsorship. We know, for example, from other commercial reporting that there have been penetrations of different private sector, different private military companies operating out of Russia, potentially responding to different factional pressures. And the idea that this espionage was used to shape, or effects were used to shape, how successful those missions were or were not, even as the overall initial seizure campaign was failing. It’s just this fascinating dynamic that hasn’t really been surfaced, I think.

Thomas Rid:
Thanks, JD, for your input there. Dmitri wanted to jump in, I think.

Dmitri Alperovitch:
Yeah, Thomas, I want to get back to what John brought up about satellites because I do think that’s a really interesting part of the conversation here. And that’s where we’re seeing a lot of things happening because we’re seeing some degraded communications on the Ukrainian side in Kiev and Kharkiv. Mobile service seems to be really sketchy. So a lot more people are relying on satellites and we have data on here who is one of the foremost experts on RF. And I know, Rob, you’re seeing some GPS jamming in Ukraine as well, which could potentially affect Starlink. Right? So maybe jump in here with your views.

Rob:
Yes. So I mean, there’s a lot of satellite communication protocols out there, and GPS is probably one of the most ubiquitous ones that a lot of modern technology relies on. So GPS isn’t just used for positioning on the ground, which is something that is a tactical advantage to knock out. But also, there’s a lot of timing synchronization that GPS is used for. So jamming GPS could actually be an attack on the telecommunication infrastructure, because LTE base stations use GPS to essentially discipline their local oscillators and their clocks. So it might be more than just a simple sort of location jamming that’s going on, and it could be a larger sort of attack against the infrastructure, including telecommunications. And, for example, even ATMs use GPS timing to timestamp transactions.

Thomas Rid:
Excellent. Rob, if I may just follow up on Dmitri’s question, can you say a little more about the kind of GPS jamming that we have observed, that you may have observed?

Rob:
Yeah. So just recently, HawkEye 360 published effectively some research on what they noticed. So HawkEye 360 is an RF surveillance company that pretty much has satellites up in space so they can listen to things that occur on the ground, and they’ve noticed and picked up quite a bit of interference around the GPS L1 band. So pretty much there are jammers on the ground, probably close to the border, or like the former border of where the conflict was, where Russian troops might have actually wound up jamming GPS to their advantage. So from the ground, jamming GPS for other things that are on the ground, so pretty much swapping out the signal coming from the satellites.

Thomas Rid:
Hmm. So, of all the activity that we’ve seen so far. And let’s think creatively about the kind of targeting activity that may come next. When does it get really interesting? What’s the most effective type of operation that we’ve seen so far? I’m curious what you would say, whether anybody wants to jump in on this question?

Juan Andres Guerrero-Saade (JAG-S) :
Well, effective towards what, I mean, and not to turn the question back against you, Thomas. But I think the title of even the space, I think, speaks to some confused expectations that we seem to have regarding what the potential role of cyber could be in a conflict. And the conversation tends to go right back to something like NotPetya, right? Where it’s the kind of attack that just cascaded everywhere, had this amazing amount of spillover. It was incredibly costly. And I think folks expected something sort of breathtaking that way. And its absence seems to be what causes folks to think, you know, well, where is the great cyber war that we were expecting? I think to some extent that expectation of sort of novelty and outsized effects is drowning out things like what Rob was just speaking about, where we see tactical wins, or at least attempts at sort of tactical effects, being undertaken in very specific settings, including mediums like the Viasat modems that got bricked. I mean, I think you’re right that had it not been something that spilled over into effects in Germany, we may not have heard about this at all. I mean, I had only heard about it in that context. And originally, of course, folks assumed, Oh, this is some kind of play at increasing energy dependence and whatnot. I think that gives the attackers way more credit. In this particular case, I think they’re trying to get their tactical wins. And every once in a while, the interconnected nature of the internet just sort of slaps us in the face in ways that we hadn’t expected.

Thomas Rid:
Yeah, I mean, it’s also worth just pointing out what probably is obvious to most people here. And that is that the Ukrainian armed forces are currently obviously in an existential war, so they are most likely not going to reveal that they have become the victim of a successful attack against their C2 infrastructure; they would probably be trying to deal with it, but certainly not, or perhaps not, try to make that public, for obvious reasons. So that, of course, is another reason why, you know, why I think you’re right, Juan, that we have very low visibility here. And of course, I think, I mean, for sure, like many here, I would agree that the expectations of the whole notion of cyber war are completely misguided in some contexts, and certainly here.

Dmitri Alperovitch:
Well, I want to plug your book, Thomas, that you wrote over 10 years ago, that cyber war will not take place. And I think the events of the last 10 days have certainly proven you right so far on that point. But I do want to sort of pivot the discussion a little bit towards what’s next. You know, I’ve been very public with a few predictions in the last couple of months. One of them was, of course, the invasion itself. But the other one was that in response to severe sanctions, which we’re now seeing, quite unprecedented, not even the sanctions themselves, but just the complete disconnecting of Russia from the global economy through, in many cases, voluntary measures by Western companies to pull out, to break contracts with Russia and so forth, that Russia was not going to take that lying down and it’s going to retaliate against the West, including in cyberspace. Of course, we have not yet seen anything significant on that front, but I do think that we’re in the sort of phony war stage of the conflict when it comes to Russia vis-à-vis the West and particularly the cyber retaliation. They’re obviously quite busy right now prosecuting a war in Ukraine. I don’t think that they’re interested in further escalating the fight and having a cyber tit-for-tat with the West until they get Ukraine more under control. But I think as soon as they start accomplishing their more military objectives on the ground in Ukraine, they may revert back to looking at the West. And how do they target us and put pressure on us, including trying to split the Europeans from the alliance that we’ve established to confront Russia? I expect that there might be targeting. They might be targeting energy infrastructure in Europe. They might even target in the US as well. They might go after financial infrastructure, sort of as direct retaliation for sanctions, but curious what everyone else is thinking amongst this group of really august experts.

Thomas Rid:
Danny Moore had his hand up for a while and then Scott.

Daniel Moore:
So there’s a couple of things I would expect, and we might not necessarily see them, but I think there’s the capability for them. One is there’s still a whole military tactical dimension that pairs nicely along with electronic warfare. I mean, if we think about the military equipment that’s in operation in Ukraine, a lot of it traces its roots to Russia or Russian technology. So there’s certainly the potential there for targeting. And they had enough time to do research and possession, although what would work on the tactical level. But aside from that, more on the strategic side, I expect we may see what I can only call operational abominations, essentially operations that try to achieve some kind of effect or create noise. And that could be either against just some set of organizations or even an infrastructure target. And then it wildly either overshoots or undershoots its intended objectives. That would be probably the most consistent piece of behaviour that I would see from these threat actors that are often technically highly complicated and successful, but then operationally incur some kind of failure at some point in their operational lifecycle. So the problem with this is that I’m actually less concerned about intentional targeting of foreign critical national infrastructure. But I certainly think that there’s a lot of potential for collateral as a result of the tempo picking up and operations not having their intended effects. So I have a lot of concern for what this could mean for both Ukraine and targets out of Ukraine. And I actually think that the Viasat attack is a great example of this, because there was no real operational need for them to infect or impact targets outside of Ukraine, or at least Ukraine and its allies, especially if they controlled the patching cycle, where they could, through command and control, choose where they’re distributing their compromised patches.
They either don’t care at the operational level or are incapable of executing this successfully. There’s a lot of previous evidence of this from former operations, whether that’s the Ukrainian energy grid or even Petya. And I’m concerned about what that means for the continuation of the conflict.

Thomas Rid:
Thank you, Rob, for this. We had... who will fit in best? Juan, Rob or John?

Dmitri Alperovitch:
I think we had Rob, then John, then Juan.

Robert Lee:
Right. Yeah. Just in terms of future activity, I think there’s, and I appreciate Daniel talking about kind of the electrical system side of it. We were talking casually about this, where if you impact GPS, I don’t think most normal folks would immediately understand the impact on an electric system. And you generally can’t run an electric system without the accurate timing of GPS. So there’s a lot of potential for collateral. But I do think people kind of get on either side of this, of either cyber is useless and it’s never going to be impactful or, oh my God, somebody sent a phishing email to the power company, we’re all going to die. Both extremes of that tend to be pretty ridiculous. But when you’re looking into U.S. and NATO-aligned countries and we look at some of the targeting that we’ve seen on some of these companies, especially critical infrastructure, there are not truly many sites that are really fundamentally critical, and everything being critical infrastructure is not wrong. Everybody’s important, everyone’s a unique snowflake. But you’re talking about very critical sites, and we tend to be pretty fragile. And that’s where there are a couple of sites, I can think of literally a handful, that if you were to take down two or three of them, we can’t deploy troops in the South China Sea or we can’t actually export fuel out of the country. There’s just very large focus on a couple of sites. And what we’ve seen is enough to be alarming, but without kind of getting to the extreme of it. What I’ll note is it’s unlikely we should expect to see attacks actually destroying infrastructure. Kind of what Dmitri was talking about at the beginning and the grey zone discussion. We would expect to see cyber as a tool of shaping behavior and saying, Hey, please stay out of this conflict. So could we see a small-term disruption as a signal of, hey, we could do more? I think that’s very realistic.
Should we expect to see multiple portions of the electric system go down with key transmission pieces of equipment getting destroyed and month-long outages? No, no, of course not. Not outside of a true exchange of conflict. But those small-time disruptions can have an oversized impact on the populace, and I’ll kind of sum it up here to say, you know, everyone freaks out about industrial attacks. And the reality is a lot of our infrastructure providers have put a large focus on stability, reliability, safety. And so of course, these attacks are possible and probably more so than people realize. But the idea that we’re all going to die off of an hour-long power outage is ridiculous, but you could really scale that out with misinformation and similar to where a population of folks in any country could be very resistant to going further in any conflict, expecting that the art of the possible is now everything.

Thomas Rid:
Yeah. So, Rob, you made a great comment, especially about the scaling out by using other tactics that are sort of adjacent to CND and seeing it narrowly defined, and I just want to briefly open our perspective. And just by observing that many of you will have seen the significant leak of names that Ukrainska Pravda published, of Russian, mainly motorized rifle unit names, tens of thousands, if not more than 100,000 names of individual Russian soldiers or personnel, with full name, address, phone number, passport number, date of birth. It was a pretty extraordinary leak. And of course, the leak highlights this question: Where does it come from? Was it a hack-and-leak? Was it a SIGINT collection and leak? Was it perhaps a leaker and then leaked? Meaning, did somebody volunteer this information? And I say this to highlight that many cyber operations, and there’s a long history of those, may not appear as cyber operations, because ultimately what we see of them is a leak. And leaks are obviously harder to attribute than actual breaches because they don’t provide the same types of artifacts and IOCs and forensics. But maybe this is a good moment to, and I’ve seen Juan, John and JD with their hands up, but maybe this is a good moment to bring in Gabby Roncone and also Lee Foster, who work with Ben at Mandiant, if I’m not mistaken, on hunting, on investigating mainly Russian operations and actors, and Lee has a unique perspective as somebody who is also covering the disinformation, IO, information operations side of the house. So to both of you, Gabby and Lee, what are you seeing that we haven’t touched on yet? And what are you expecting? Maybe Gabby first?

Gabby Roncone:
Hey, yeah, so I think Ben covered, when he spoke earlier, sort of what we’ve been seeing, but something I’d like to touch on is your question about sort of what we’re going to see next. And so going back to what we have been seeing, right, we’ve been seeing the variety of different wipers, the DDoS and the defacement. And I don’t know if this is betraying the younger, but you know, when I see DDoS and defacement, I think that’s so 2010s, right? Like these, as I think JAG said, are not novel tactics that they’re using in order to shape this environment right now. And so kind of where I am sort of struggling, and I would sort of pose this question also to the group and people who are tuning in, is like, what is the threshold for the high-sophistication cyber attacks to be deployed? So if they do exist, and I’m sure that they do. I mean, even a couple of weeks ago, right, we saw, I think it was the U.K. NCSC, post a blog on Cyclops Blink, which is Sandworm’s newest VPNFilter malware, which is again pretty novel and interesting. And obviously, even though that doesn’t or may not have a direct connection to this conflict, it sort of implies that those tools are available and ready to be used and have gone through the development cycles needed to be deployed at various points. And so given that the Russian forces are sort of wearing thin and the Ukrainian forces are doing great right now, at least according to the messaging that I’m seeing, where do these elevated cyberattacks come into play? And I don’t really have an answer to that question, because I think I personally would have expected these more highly novel, highly destructive cyberattacks to be happening sort of now, but we haven’t seen that. So that’s sort of my take, and I’d definitely like to open up to the group if that sort of sparks any thoughts.

Thomas Rid:
Fantastic. Let’s bring in Lee Foster, your former colleague, to see what he’s thinking. What are you thinking, Lee, about the IO/disinfo developments in this space? I know it’s extremely fast moving, very chaotic, very hard to attribute, obviously, and to understand what is done by whom. So this is a tough question that I’m throwing at you here.

Lee Foster:
Yeah. Thanks, Thomas. You kind of hit it at a strategic level, right on the head, right? To state the obvious, the information space right now around the conflict is a huge mess, and it’s going to take a long time to kind of untangle everything and get to attribution behind specific incidents. And that’s reflective, I think, just of the complexity of the information environment. I mean, if you think about it simply from a kind of state actor standpoint, you’ve got, you know, Russia needs to kind of now justify its actions. Domestically, it’s cracking down on its kind of domestic information space, which perhaps it wasn’t anticipating needing to do prior to the conflict. It’s trying to push messaging out to the Ukrainian populace, Ukrainian military, to try and get them to not resist. And obviously, there’s a whole messaging dynamic targeting the rest of the world. And if we bring this around to the discussions of where does this go next, I can see attempts to try to weaken support for any united Western or global response to the invasion. Similar to what we’ve seen in many other contexts, right? Trying to undermine kind of the domestic political environment within those countries, whether it be in the US or elsewhere in Europe and so on, to try and disincentivize any kind of united front for that. We also know from prior to the invasion, the US government, European governments kind of announced this kind of Russian false flag plot to kind of justify an incursion. We now see, obviously, that that wasn’t kind of required in order for Putin to make this calculation. I think there’s an interesting research question there for somebody in terms of what was the knock-on effect of that early kind of exposure of that operation. But I don’t think the kind of motivation behind it is necessarily going away. Right. I think given the problems Russia is facing in the information space from this, I think that that need to kind of provide a justification remains.
And so one thing I would anticipate here is to what extent does Russia try to use incidents on the ground, you know, kind of violence in Ukraine, and repurpose kind of video and so on, incident reports, to post-fact justify the incursion.

Thomas Rid:
Yeah, that’s a fantastic point there. Also, the one thing that I’m just so stunned by, and I think must be true for many in this space here, is the amount of creativity that we see on the IO side, the memes and the artwork, even the creativity of what really looks like a form of active measure sometimes, that is coming out of this conflict. And I’m phrasing it deliberately vaguely, because much of it doesn’t appear to be produced by any Ukrainian actor, but by supporters from the outside, and it’s just filtering into the conflict and shaping our views in ways that I think we’re not prepared to fully understand. I just caution that more broadly. Sorry.

Lee Foster:
I was just going to say, to caution that more broadly, right, there’s, you know, there’s a lot of external actors that are kind of picking up on the developments in Ukraine to further their own particular narratives and so on. And that aligns with things we see, kind of, you know, accusations from the QAnon community around how, you know, Russia is seeking to destroy US bioweapons labs in Ukraine. It’s an age-old kind of narrative that’s spun out about Ukraine. But there’s no evidence of kind of Russia pushing that, right. It’s coming from domestic groups elsewhere.

Thomas Rid:
Yeah. Great point. I still see hands up. But Olga Belogolova just joined as a speaker. We had to... this is a bit of a buggy app. It appears we had to first remove you as a speaker in order to be able to get you in. So Olga, did you want to come in on the disinfo, IO, or something else?

Olga Belogolova:
Yes. Yeah, that’s exactly it. You know, I think I wanted to talk a little bit about what I think has been really interesting here. A lot of us studying influence operations think a lot about the covert side of influence operations, deceptive manipulative campaigns, fake accounts, all types of things that we’ve seen before. But what’s interesting here in this particular conflict, that we’ve seen both from the Russian and Ukrainian side, is there’s a lot of overt influence. And I think that’s been sort of jarring for those that are watching, because they’re expecting something else. And what they’re seeing sort of from the very, very beginning is the use of overt channels, including state-controlled media outlets, on the part of Russian threat actors, and in particular, using these channels to signal what exactly the Russian government is trying to do. And I think what’s interesting as well is a lot of us focus on foreign influence operations, but I think we forget that a lot of what Russia is trying to do is signal to its own domestic audiences, and in particular in this conflict to justify actions ahead of invasion. But also, you know, to continue to sort of delude people about what is actually happening on the ground. And I think in that particular piece, you know, watching what’s happening in terms of the closing of the information environment that’s continuing to happen over the last couple of days in Russia domestically is particularly concerning, including the closing and shutdown of certain, you know, the remaining independent media outlets like Ekho Moskvy and Novaya Gazeta. You know, it’s really concerning because the Russian domestic population is increasingly becoming isolated in the information environment in this conflict, and so much of what the Russian government is interested in doing is targeting them, not us.

Thomas Rid:
Yeah, those are great points, and I just want to add, on a personal note, I’ve had a number of conversations with acquaintances and colleagues in Russia over the past few days, and it’s truly, truly, on a personal level, it’s really heartbreaking what’s happening inside Russia. So many people fleeing the country, and of course all eyes are on Ukraine first and foremost, for obvious reasons. But the tragedies that we’ve seen playing out on sort of personal and family levels in Russia, you know, shouldn’t be underestimated here. Just on a human level, I felt it’s important to make that comment. John. And then.

Ben Read:
It’s interesting, this point about what’s happening in Russia. When I think back to the last couple of conflicts where Russia has done hacking, one of the things that is a perennial target is civil society, and that includes diaspora groups that are volunteering and bringing resources in, but also any of the homologues of the Ukrainian government working in NATO and U.S. governments are likely to be targeted. Some of that, surely, to create hack-and-leak-branded products. But I think after what we’ve seen in the last few days in Russia, just the number of people who are leaving as well and the changing roles of civil society there, I have to assume that we’re going to see a lot more targeting of organizations in the U.S. and in Europe that do work with Russian colleagues and with Russian civil societies. Similarly, a big thing that happened during the Syrian conflict was a lot of targeting of aid organizations and other people who are coordinating humanitarian aid and movement. And I think as we’re having these conversations about the bigger strategic things that are going on, it may be a while before we really understand the scope and scale of account compromises and malware operations that are targeting these different people spread out around the world in order to create things that Russia thinks may really, in some sense, either for a domestic or international audience, enable them to change the realities or the perceptions of what’s going on. Certainly we saw that, thinking back to Syria, about things like the use of chemical weapons, you know, they’re sort of red lines. Russia had been, you know, observing certain atrocities by the Assad regime and helped them cover for it. And now that Russia itself may be responsible for some of those atrocities, I have to imagine something similar will happen here too.

Thomas Rid:
Hmm. Very sobering comment there, but of course very plausible at the same time that we will see some more domestic targeting in Russia, of which obviously there’s been a lot already over the past decade, as we’ve seen in some of the... I remember just an anecdote: the famous Bitly links that GRU created, leaked because they forgot to set those accounts to private. That’s the one that had the Podesta link in there; it also contained a good amount of internal Russian political targets that were rather eyebrow-raising, shall we say, to those who have seen the data.

Ben Read:
Yeah. And just to build on that, remember what we called the Tainted Leaks case that we investigated a good while ago, which was also discovered through a combination of things like shortness, where Russia actually was hacking civil society in the U.S. and U.K. and elsewhere in order to get material that they would then modify and manipulate for a domestic audience, to try to diminish the credibility of Navalny by suggesting that he was getting foreign funding. So I think more of that surely to come.

Thomas Rid:
Yeah, yeah, yeah. Planting of evidence is next, I suspect. JD. In that light, I would also say, particularly as the global de facto blockade begins to bite heavily in the elite, this is going to be incredibly important to sustain and control as internal tensions develop. We’ve already spoken about the domestic political impacts of the high casualties that are being reported, and we don’t know the truth on the ground of these casualty figures, but it certainly looks bad for the Russian forces. Previously, in the 2014 period and associated years, there was extensive targeting of several of the opposition groups within Russia that were involved with soldiers’ mothers type movements. These had been particularly prominent in the 1980s and have a very unique cultural resonance that was considered a serious domestic internal opposition threat. That same level of targeting of international conflict monitors, including folks like Bellingcat, has been previously documented. Interestingly enough, this brings up the other line, to go back to Gabby’s point, on what are the exclusive capabilities that have been developed in-house by these very high-tier teams? And then what are the capabilities being used for rapid capabilities generation or prompt effects, where the adversary knows they’re going to be burned and are using them effectively, deliberately, de novo, because they’re not being valued very highly or held in reserve? And the extent to which the leverage of criminal groups, as we’ve seen in the Conti leaks, for example, really is a sobering moment, not least of which because in the weeks leading up to the invasion itself, we saw a series of targeting which had, let’s say, strategically ambiguous dual-use implications: the targeting of multiple ports, the targeting of oil and gas infrastructure by ransomware.

Thomas Rid:
Again, there’s a strong criminal motivation factor in many of those targets, but the potential to leverage those targets, particularly the ill-advised statements about Conti that they apparently tried to walk back. But as we see the group factionalized, as we see these dynamics play out, we also saw targeting of a U.S. defense industrial base player that provides truck transport logistics to the NATO forward-deployed presence, which is itself an interesting moment because it’s not a terribly profitable business to be hitting. Again, all the pre-war estimates suggest a red line was the provision of lethal aid and then direct involvement in the conflict. Well, we have extensive lethal aid being provided. To what extent that red line has already been crossed worries me. I just would like to comment, for the record, the record meaning also that sadly this event is not recorded because some of us messed up the settings on the back end. But the real challenge of moderating this event is actually the Signal group of the speakers here, because that’s where the content is just flying past me, because I can’t pay attention. The thing that I owe: Gabby had her hand up. And also, I wanted to call on Ben Read, who is one of our speakers but hasn’t spoken yet. So Gabby and then Ben, you are also a team.

Gabby Roncone:
Hey. Yeah, so I just wanted to sort of jump off that point. One of the really interesting things that I found about what we’ve seen so far with Ukraine targeting, and that I think was briefly brought up before, I can’t remember by who, but one of the groups that we’ve been tracking, and we’ve been tracking them since I think January 2021, is a group that we track as UNC2589. I know everyone loves the numbers and can remember all of them. Trust me, I can’t always remember the right numbers too. So it’s OK. But UNC2589 is a group that, and we mentioned this in our recent blog on sort of what we expect for Russian cyber activity with this conflict, I think it was written by Ryan Holland, James Sadowski from Mandiant, but they are a group that has co-opted criminal tools actually to do espionage sort of across the board, but also, my again super low confidence, but like be potentially related to some of the stuff that’s been going on, the destructive stuff in Ukraine. And so this is a huge shift because, you know, we’re used to seeing the Sandworms of the world, right, doing their thing in the destructive realm, the TEMP.Isotopes. And in this case, we have this group that is using pretty easily detected criminal malware that they can get from wherever they want and deploying that, at least in their early stages. And so again, like that’s sort of all I... the mystery about this group continues to astound me, but their potential linkage with destructive attacks makes them noteworthy. And again, going back to the sophistication level, they’re right. They might not be Sandworm level and they might not be super sophisticated, but that doesn’t mean that they won’t have any impact. And so, yeah, definitely a group to keep an eye on and a shift in Russian actor TTPs that I am personally very, very interested in.

Thomas Rid:
So I have... Thank you, Gabby. Ben, would you like to jump in as well?

Ben Read:
Sure. So, I mean, you get me some great analysis from her. The thing that I wanted to touch on, and I had children waking up, so I had to drop off, apologies if I missed somebody else covering this. But the thing I wanted to touch on is sort of one of the things, sort of my impression has been that the Russian, like the ideal Russian scenario, is that the West kind of stays out of this. This is an internal problem. This is one people, sort of that line. And so it’s none of the concern of sort of NATO or things like that. So that, I think, to me explains some of it: the Russian government doesn’t want them to get involved. So there’s not a reason to do too much sort of operational preparation of the environment or sort of like pre-positioning of stuff. Obviously, that’s been going on for a long time, the stuff Rob touched on, but there’s good explanations for why there was not that much sort of of that previously or sort of teed up. And as we all know, those kind of spectacular operations take a while to set up. But as was mentioned by JD, sort of like, has that red line been crossed? And I think the U.S. is, obviously, where I’m sitting, it’s where a lot of us are sitting who aren’t up really, really late. But Europe is taking a very central role here in this and sort of rhetorically leading the way on a lot of this. So that’s really where I would be concerned, because that is a place that has historically shrugged a little bit more in reaction to Russian aggression. So will that change be met with a similar kind of counter-escalation?

Thomas Rid:
Yeah, fascinating point you’re raising there. I do think a lot of people in Europe have come around to basically become a lot more hawkish on Russia. But also the question that you’re raising is, do they have the incident response, forensic investigation infrastructure in place in the private sector, you know, I’m excluding the U.K. here for a moment, that actually would allow them to put there, to actually deliver on those, and actually detect what’s really going on and take action. Juan and then Dmitri, your hands are up.

Juan Andres Guerrero-Saade (JAG-S) :
So I mean, there have been so many great points, and I think we’ve been kind of swerving in a lot of different directions, but something that I heard JD bring up, and I’m really glad JD’s on the call. I think so many things have happened. Sorry, so many things have happened that it’s easy to get lost in what are just a series of absolutely amazing events that I hope we can all take good time to appreciate and do a postmortem on when it isn’t such a horrible conflict that we’re sort of watching unfold day to day, but one that I really don’t want to just brush under the rug is this change of our insights into Conti and TrickBot. I mean, ransomware has been this horrible plague on us, everyone in the West, over the past couple of years. And it’s, you know, it’s become a part of everyone’s, I mean, normal folks, people that don’t live by monitor light, are very well aware of ransomware and concerned about it, and it has sort of become this strange justification for the cybersecurity industry. And looking at it in the context of Russian operations, there was always this plausible deniability. There was this notion of sort of this cutout, this relationship where we thought, well, you know, to what extent is the Russian government involved? To what extent are they simply being allowed to operate without having any kind of concerns or difficulties from the government? Versus to what extent are they being coordinated by the Russian government? And with the Conti leaks, we have this fantastic bit of insight into how Conti was being in some ways tasked, at least partially tasked, by the FSB or by the Russian government. And I’m just wondering if we can finally kind of cross the Rubicon of just looking at at least a couple of these ransomware groups and treating them entirely as part of these sort of official Russian forces?
Can we essentially just take that bold step of no longer looking at them as somehow having a degree of separation from the Russian government?

Dmitri Alperovitch:
Well, I think that’s a really complicated one, because you have members of this group, as we’re now seeing, who are from non-Russian countries, Russian-speaking but non-Russian. So Ukrainian members most likely had an effect on splitting Conti and outing all their members and internal chat communications. And that’s probably true of many members. We know that there are members from Kazakhstan, from Belarus and other places. So yes, individual members may be working, maybe even under control of certain members of the intelligence services, but I don’t think you can extend that to the whole group. And we can see now why. Let me just jump back for a second to the disinfo space because it really needs to be said very explicitly. The Ukrainians are just absolutely kicking Russians, but it’s not on the ground, but certainly in the information warfare space, the way that they’re able to leverage what they discover on the ground. It’s like cell phones of fallen soldiers or captured soldiers and then outing that very rapidly, sometimes within hours, both on social media and sometimes even in official channels, like the famous speech by the Ukrainian ambassador to the U.N., where he read the text messages between a fallen soldier from Russia and his mother. And obviously, we have seen, in some cases, I’m not afraid to use the word propaganda, that the Ukrainians are putting out about their successes on the battlefield, particularly this famous fighter pilot that’s nicknamed the Ghost of Kyiv that has single-handedly at this point, I believe, shot down 21 Russian planes. If he keeps going, he’ll single-handedly destroy the entire Russian Air Force, if you believe the Ukrainian figures here. But in response to that, you are actually seeing the Russians get really concerned.
They are appreciating that they’re losing this information battle, and as a result, you’re seeing them actually admit directly that they’re doing targeting of the Ukrainian information warfare units through artillery and airstrikes, because they appreciate the damage that it is doing to them from a morale perspective, because a lot of this information is certainly seeping through to Russia on Telegram channels and the like, and obviously globally as well. But I wanted to go back to John, because John has an incredible amount of information, having dealt with people like dissidents and journalists who have worked in challenging environments. We may very well have people from Ukraine joining us right now tonight in this chat on Twitter Spaces. John, do you have any advice for people on how they should be thinking about secure comms if you’re on the ground in the zone of conflict right now?

John Scott Railton:
Yeah, don’t trust your life to somebody’s tweet about OPSEC. You know, it’s interesting. I was just, as you were, Dmitri, making this point about the information war and who’s winning, I saw like the first tweet published by Russia, the first video published by Russia that had footage of captured Ukrainian military vehicles. And I feel like Russia is almost certainly learning and watching what works for Ukraine and will mirror it. In general, for folks who are at very high risk, given the nature of this risk, it’s like impossible to give good advice quickly and glibly. And so instead, what we usually encourage people to do is get in touch with somebody who has expertise. If you’re in touch with an organization that has IT staff, talk to them, have them reach out to somebody, et cetera, et cetera. What I remember from many conflicts before is there’s so much excitement in the early days, especially about like new, exotic, untested technologies. Everybody who has like some app that they’ve been thinking about for secure messaging is suddenly saying, man, we really need to push this into the conflict. And that’s almost always the wrong answer. And I look at this as something that may last for weeks and months, and people have to be around for a while. And for that to happen, they need advice systematically. So I can’t really give good advice that I’m confident with beyond the boring: use two-factor authentication on everything. And the one reason why that’s really relevant right now is we saw Meta and others talking about Ghostwriter, focusing on taking over accounts of people in Ukraine and potentially using those accounts to push out disinformation. I think that particular threat is almost certainly going to continue and we’re going to see more like it. So account security is a big deal, but for the rest of it? Talk to an expert.

Thomas Rid:
Excellent question, Dmitri, on making this space helpful for people who would like to protect themselves, and thanks, John, for the response in that spirit. And I do have Danny and Lee on the list, but in that spirit, I would just like to throw up a question myself. And that is, if this conflict, which at this stage is still a possibility, to put it diplomatically, if this conflict ends up with a protracted or with an insurgency phase, where you have a Ukrainian insurgency against some form of Russian occupation. Of course, we can’t speculate about how that may look like or not, but I think it’s not unlikely that this insurgency will be very special in the sense that it will be the first insurgency in the history of insurgencies, I know this is a big statement, but I think it’s true, that certainly the first insurgency in the 21st century that will be supported by two intelligence, or by multiple intelligence, superpowers, that is the United States and other Five Eyes countries, especially the UK. That has never happened before. Because remember, the Five Eyes were busy being the counterinsurgents for the past 20 years, and they’re now in a position to put some of the lessons that they learned trying to go after militants to work, helping militants to protect themselves and to succeed against another well-equipped intelligence establishment. That, I think, is uncharted terrain and really quite sobering, but also fascinating to think about what the possibilities are there. So what could, how could an insurgency be supported remotely, so to speak? Not just remotely, but obviously also remotely through some of the tools that we’ve been discussing tonight. That, I think, is a fascinating question that, of course, we can only speculate about right now, but it’s a fascinating one. Let me get back to Danny and Lee. Danny and Lee.

Daniel Moore:
So actually, my comment touches on what you’re asking, because as much as we want cyber to matter, and it does to some degree, I think we can all agree that the much more significant aspect here is the influence campaign waged on both sides, essentially the war over defining a compelling narrative. And this is one of those areas where it’s so surprising that Russia failed to show up. It’s embedded so deeply and for so long into their doctrine, and they invest quite a lot in trying to preemptively shape the political landscape that they want, in part to either shorten conflict or even avoid it altogether. And the fact that they were not able to do so well at the outset of the conflict here is huge. So as this devolves potentially into insurgency and counterinsurgency, it’s going to be incredibly important that this insurgency projects an image of success, of hitting targets, of exacting a toll, of again shaping the narrative in a way that Russia has no chance of eking out a victory in a protracted conflict. And this is something that certainly Western intelligence agencies and the Ukrainians themselves can do a lot to help prop up, both by continuing to record all of these things and share them and providing them avenues to do so, amplifying them wherever that’s possible and working to counter Russian narratives as well. And I think a lot of what we’ve seen, the expenditure of Western intelligence assets simply to call out the bluffs on some of the Russian narratives, is a good example of this, and I would like to see a continuation of those efforts. But in essence, as it has been so far, so it shall continue to be, that cyber is going to play second fiddle to the influence side.

Thomas Rid:
So very helpful comment, actually, especially from you. I will add... Let’s bring in Lee. You had your hand up for a while, and then I’d love to open... I’m getting some direct messages from people in the audience. I’d love to open to a few audience questions as well. But first, Lee?

Lee Foster:
Yeah, I think my comment is actually a question that kind of threads into what you, Danny and Dmitri just talked about. Thomas, at the beginning of the talk, you kind of highlighted this question about what does this all mean for the future of the cyber conflict? But I kind of extrapolate on that and talk about the info space in the way that Danny just did. Dmitri pointed out the huge successes Ukraine has had by the rapid release of information and so on. And I brought up earlier this evening kind of the Western intelligence community’s early exposure of a planned Russian false flag to justify the incursion. And one thing I do wonder about is to what extent does what’s playing out here fundamentally change the nature of how kind of actors look at releasing information, based on the perceived successes that there have been in the conflict so far in terms of rapid release of information. But I’ll leave that as kind of an open-ended question for people to input on. Thank you, Lee. Before we open, Dmitri is doing a space tomorrow, so plug it.

Dmitri Alperovitch:
Yeah, thank you, Thomas. So same time tomorrow, eight o’clock, I’ll be doing a Twitter Space focused on the military dimensions of this conflict with two military experts on Russia’s military, in particular Michael Kofman and Rob Lee. Not the Rob Lee we have with us tonight, but the Rob Lee who is the Russian military expert. Like me, they both have been convinced for the last three months or so that Russia was going to invade. Unfortunately, we were all proven wrong, and we’ll talk about how the campaign is going from the Russian perspective, how the Ukrainian defense is holding up and what we can expect next on the kinetic level, to complement the cyber discussion. So thanks. Thanks for allowing me to plug it, Thomas, of course.

Thomas Rid:
Pleasure. And I see this space, by the way, should be absolutely fantastic, the people that Dmitri invited. I mean, I personally can’t wait to listen in. Pyotr, you wanted to... Pyotr, a SAIS alumnus, and you can introduce yourself. You wanted to say something. Yes.

Thank you very much, Thomas. Appreciate you inviting me up. It’s a great honor to be here. And Dmitri, I’ve listened to you a few times in Clubhouse, but it just never came to me to ask you a question. So a pleasure to engage with you as well. No, I just... Cybersecurity isn’t my main area of international relations. I mainly look at great power politics and grand strategy, but obviously with the international relations element and the transnationality of the way that things are going, I’m surprised by the lack of usage of cybersecurity, cyber attacks, thus far from the Russians, I must admit. And given the growing connections that they have with China, I’m just curious, if there were to be a potential campaign, if we want to call it like that, with China over Taiwan, what lessons could we take from this situation at the moment in terms of the build-up that Russia has done, the usage of sort of Belarus and other pariah states to undertake sort of cybernetic attacks? How can we better prepare ourselves in the future for sort of these things and potentially maybe deter them? Because I think cybersecurity is something that lacks a coordinated, central, revised framework. The UN, for example, where I do most of my work, is very behind the times in terms of... there isn’t a framework in place to help combat against cyber attacks and these sorts of things. So just, I know that’s a very sort of open-ended question, but I’m just curious to have your takes on that and how we can sort of work on this going forward, because this is surely going to galvanize other countries with their interests elsewhere. But thanks a lot. Thank you for this question. I think Ben Read, you have your hand up.

Ben Read:
Sure. So I’m neither a China nor a Russia expert, so I don’t want to get too far down the rabbit hole on the comparison. But one thing where I think it’s not worth drawing too much is that especially over the past five years or so, we’ve seen a much more centralized control over Chinese cyber capabilities, where they’re well coordinated. They have their talking points. They’re sort of coordinated both with each other and with national goals. So, because so much of this has been surprising in terms of the lack of coordination with cyber, I don’t think we should read too much into that being impossible. And especially given how closely China has centralized that command and how much political control it seems to be under, I think we would expect really the opposite with them, that they wouldn’t sort of do this. I mean, there’s leadership dynamics, there’s all kinds of complicating things, but I really don’t... I think this may be more sui generis, if you say that, in terms of the lack of use of cyber versus what you might see, especially from China.

Thomas Rid:
Umm, thank you, Ben. Let me just... moderating on this app is actually not straightforward. And do we have another audience question? We just see requests from... one request just disappeared. Juan, you had your hand up as well. Uh, yeah, so perhaps on the tail end of Ben’s point, I do think that there’s an element here that we should consider about the amount of preparation that did go into this on the cyber side of things. I mean, I think we’re talking about this as if there has been no preparation and there was no activity, where I think what we’re seeing is actually quite different, right? If we can see the Viasat hack as a credible case and something that was done by the Russians, presumably that in itself would have taken some groundwork. It would have taken some preparation. The sets of wipers that we’re seeing, these new toolkits that have been pulled out precisely for these operations in Ukraine, involve a certain amount of preparation and a certain amount of coordination, in that we’re not seeing them trip over other established Russian groups, as far as we know.

Dmitri Alperovitch:
Yeah, although, Juan, this could be something that was sitting on the shelf, particularly the Viasat hack. It’s always useful to have updates that can break satellite modems that you can just pull off the shelf when ready. Sure.

Juan Andres Guerrero-Saade (JAG-S) :
No, I’m sure to some extent that, you know, it’s not like they just invented everything for this in particular. But to some extent, there’s enough coordination, enough preparation in all of this to not watch, let’s say, APT28 get burned because one of these groups, one of these new groups that are involved in Ukraine, decided to fake or mess up a wiper somewhere. Like there’s a certain amount of this that I think is in itself sort of noteworthy, in that the TTPs have changed. The techniques have changed precisely for this campaign, and something that I want to at least, you know, I feel bad, I feel uncomfortable giving the Russians credit under, you know, any of the current circumstances. But there is something to be said about how these new wipers are built, in that they avoid having anything to do with self-spreading mechanisms. They’re not only not NotPetya, they’re not like Bad Rabbit. They’re not in any way really being used in a way that’s supposed to sort of maximize access and have potential spillover. And I wonder to what extent that is kind of a lessons learned from NotPetya, or an attempt not to inflame sort of external actors or external targets and victims in all of this, or if we just got lucky. So excellent points. I would add another point that anybody who is, by the way, doing one of these spaces, I mean, just brace yourself for like a massive flow of information in terms of private messages.

Thomas Rid:
At the same time, it is not easy. Great comment from Joe Cox. He is suggesting we should also mention, Joseph Cox, we should also mention the decentralized activity that is happening: Anonymous declaring, quote unquote, cyber war on Russia. And of course, a similar observation that decentralized activity is sort of probably more significant than centralized activity is playing out on the inflow of information operations side of the game here. We’ve now been going for a little more than 90 minutes, and I think it’s Saturday evening. Some people are getting tired. So I think we should probably think about bringing this space to a close. And this is my first. I’ve been deeply impressed by the quality of the conversation, by the quality of the audience here, especially. So thank you for joining. And of course, thanks especially to all the speakers tonight that made this possible on a Saturday evening, really much appreciated. And I think let’s do this again at some point. I like the informality of it all. Thank you for putting this together. It’s been pretty great. Thanks so much. Thanks. Thanks. I really appreciate this clubhouse. Thanks, Thomas. Appreciate it. Now, turns out you cannot talk at the same time. OK, guys, take care, right? Thanks again, folks, talk to you all soon. Yes, indeed. And.


Conti Ransomware Group Diaries, Part IV: Cryptocrime

Three stories here last week pored over several years’ worth of internal chat records stolen from the Conti ransomware group, the most profitable ransomware gang in operation today. The candid messages revealed how Conti evaded law enforcement and intelligence agencies, what it was like on a typical day at the Conti office, and how Conti secured the digital weaponry used in their attacks. This final post on the Conti conversations explores different schemes that Conti pursued to invest in and steal cryptocurrencies.

When you’re perhaps the most successful ransomware group around — Conti made $180 million last year in extortion payments, well more than any other crime group, according to Chainalysis — you tend to have a lot of digital currency like Bitcoin.

This wealth allowed Conti to do things that regular investors couldn’t — such as moving the price of cryptocurrencies in one direction or the other. Or building a cryptocurrency platform and seeding it with loads of ill-gotten crypto from phantom investors.

One Conti top manager — aptly-named “Stern” because he incessantly needled Conti underlings to complete their assigned tasks — was obsessed with the idea of creating his own crypto scheme for cross-platform blockchain applications.

“I’m addicted right now, I’m interested in trading, defi, blockchain, new projects,” Stern told “Bloodrush” on Nov. 3, 2021. “Big companies have too many secrets that they hold on to, thinking that this is their main value, these patents and data.”

In a discussion thread that spanned many months in Conti’s internal chat room, Stern said the plan was to create their own crypto universe.

“Like Netherium, Polkadot and Binance smart chain, etc.,” Stern wrote. “Does anyone know more about this? Study the above systems, code, principles of work. To build our own, where it will already be possible to plug in NFT, DEFI, DEX and all the new trends that are and will be. For others to create their own coins, exchanges and projects on our system.”

It appears that Stern has been paying multiple developers to pursue the notion of building a peer-to-peer (P2P) based system for “smart contracts” — programs stored on a blockchain that run whenever predetermined conditions are met.

It’s unclear under what context the Conti gang was interested in smart contracts, but the idea of a ransomware group insisting on payments via smart contracts is not entirely new. In 2020, researchers from Athens University School of Information Sciences and Technology in Greece showed (PDF) how ransomware-as-a-service offerings might one day be executed through smart contracts.

Before that, Jeffrey Ladish, an information security consultant based in Oakland, Calif., penned a two-part analysis on why smart contracts will make ransomware more profitable.

“By using a smart contract, an operator can trustlessly sell their victims a decryption key for money,” Ladish wrote. “That is, a victim can send some money to a smart contract with a guarantee that they will either receive the decryption key to their data or get their money back. The victim does not have to trust the person who hacked their computer because they can verify that the smart contract will fairly handle the exchange.”

The Conti employee “Van” appears to have taken the lead on the P2P crypto platform, which he said was being developed using the Rust programming language.

“I am trying to make a p2p network in Rust,” Van told a co-worker “Demon” on Feb. 19, 2022. “I’m sorting it out and have already started writing code.”

“It’s cool you like Rust,” Demon replied. “I think it will help us with smart contracts.”

Stern apparently believed in his crypto dreams so much that he sponsored a $100,000 article writing contest on the Russian language cybercrime forum Exploit, asking interested applicants to put forth various ideas for crypto platforms. Such contests are an easy way to buy intellectual property for ongoing projects, and they’re also effective recruiting tools for cybercriminal organizations.

“Cryptocurrency article contest! [100.000$],” wrote mid-level Conti manager “Mango,” to boss Stern, copying the title of the post on the Exploit forum. “What the hell are you doing there…”

A few days later Mango reports to Stern that he has “prepared everything for both the social network and articles for crypto contests.”

DISTRIBUTED DENIAL OF DISCORD?

On June 6, 2021, Conti underling “Begemot” pitched Stern on a scheme to rip off a bunch of people mining virtual currencies, by launching distributed denial-of-service (DDoS) attacks against a cryptocurrency mining pool.

“We find young forks on exchanges (those that can be mined), analyze their infrastructure,” Begemot wrote.

Begemot continues:

“Where are the servers, nodes, capitalization, etc. Find a place where crypto holders communicate (discord, etc.). Let’s find out the IP of the node. Most likely it will be IPv6. We start ddosing. We fly into the chat that we found earlier and write that there are problems, the crypt is not displayed, operations are not carried out (because the crypt depends on mining, there will really be problems). Holders start to get nervous and withdraw the main balance. Crypto falls in price. We buy at a low price. We release ddos. Crypto grows again. We gain. Or a variant of a letter to the creators about the possibility of a ransom if they want the ddos to end. From the main problem points, this is the implementation of Ipv6 DDoS.”

Stern replies that this is an excellent idea, and asks Begemot to explain how to identify the IP address of the target.

SQUID GAMES

It appears Conti was involved in “SQUID,” a new cryptocurrency which turned out to be a giant social media scam that netted the fraudsters millions of dollars. On Oct. 31, 2021, Conti member “Ghost” sent a message to his colleagues that a big “pump” moneymaking scheme would be kicking off in 24 hours. In crypto-based pump-and-dump scams, the conspirators use misleading information to inflate the price of a currency, after which they sell it at a profit.

“The big day has arrived,” Ghost wrote. “24 hours remaining until the biggest pump signal of all time! The target this time will be around 400% gains possibly even more. We will be targeting 100 million $ volume. With the bull market being in full effect and volumes being high, the odds of reaching 400% profit will be very high once again. We will do everything in our power to make sure we reach this target, if you have missed our previous big successful pumps, this is also the one you will not want to miss. A massive pump is about to begin in only 24 hours, be prepared.”

Ghost’s message doesn’t mention which crypto platform would be targeted by the scam. But the timing aligns with a pump-and-dump executed against the SQUID cryptocurrency (supposedly inspired by the popular South Korean Netflix series). SQUID was first offered to investors on Oct. 20, 2021.

The now-defunct website for the cryptocurrency scam SQUID.

As Gizmodo first reported on Nov. 1, 2021, just prior to the scam SQUID was trading at just one cent, but in less than a week its price had jumped to over $2,856.

Gizmodo referred to the scam as a “rug pull,” which happens when the promoter of a digital token draws in buyers, stops trading activity and makes off with the money raised from sales. SQUID’s developers made off with an estimated $3.38 million (£2.48m).

“The SQUID crypto coin was launched just last week and included plenty of red flags, including a three-week old website filled with bizarre spelling and grammatical errors,” Gizmodo’s Matt Novak wrote. “The website, hosted at SquidGame.cash, has disappeared, along with every other social media presence set up by the scammers.”

The Good, the Bad and the Ugly in Cybersecurity – Week 9

The Good

This week, it was announced that a joint effort between the French Border Police and the Spanish National Police, along with Europol, resulted in taking down an operation centered around counterfeit documents used, among other things, for human trafficking.

Forged identity documents are very big sellers on the Dark Web. Counterfeit documents available for purchase on the darknet include passports, birth certificates, driver’s licenses, vehicle registration documents and other official identity cards.

While fake IDs can be used for a variety of nefarious purposes, the gang busted in this joint European law enforcement operation was said to be heavily involved in both human and drug trafficking, as well as property crimes. According to Europol, the organized crime group also charged upwards of €8000 per person for migrant smuggling operations.

Law enforcement agencies tracked distribution of forged ID documents across several jurisdictions, including France, Germany, Georgia, Italy, Lithuania, and Spain.

In the operation, seventeen suspects were arrested, six houses searched and a variety of electronic equipment seized. Police also recovered an unspecified amount of cash, as well as payment cards, counterfeit and genuine ID documents, and work permits. According to Europol, the gang’s network has been entirely dismantled and they have established multiple links between this case and other ongoing investigations.

The Bad

The Russian invasion of Ukraine has caused a significant rise in activity from hacktivist groups, including website hacking and massive DDoS attacks aimed at Ukrainian entities. Researchers this week provided a fascinating look into one such threat actor and its connections across several countries, from Brazil to Sweden to Russia.

The self-styled “theMx0nday” group (The Monday Group) is based in Brazil and, the researchers claim, conducts operations in support of Russia. Most of its attacks are conducted through a Swedish ISP, Njalla, run by Pirate Bay co-founder Peter Sunde, according to the researchers. They suggest that the “theMx0nday” group may be using Njalla as a VPN exit node, although they haven’t ruled out the possibility that the attackers may have hacked another Njalla customer’s server or may simply be Njalla customers themselves.

Aside from conducting massive DDoS campaigns against Ukrainian targets, the report says the Brazilian-based threat actor defaced multiple edu.ua (Ukrainian education) websites last week as Russia mounted its first incursions into Ukraine.

Prior to Russia’s military operation against Ukraine, the Monday group had primarily focused its attacks on Brazilian websites. Precisely what motivated it to support Russia’s invasion of Ukraine is at this time unknown, though it could be as simple as DDoS for hire. Since the story went viral, the group’s self-proclaimed “founder” deleted a tweet stating the hackers supported Russia’s invasion of Ukraine, claiming it was all for “the lulz”.

The Ugly

This week, a number of IoT vulnerabilities specific to healthcare have emerged, prompting CISA to release advisories in relation to two of them and researchers to call on healthcare providers to take medical device security more seriously in light of others.

Automated medication dispensing systems help clinicians to dispense medications to patients at the right time. Alas, it turns out that multiple products made by one vendor in use worldwide contain hard-coded credentials that can allow threat actors access to protected health information on the devices’ underlying file system. CISA reports that the vulnerabilities, CVE-2022-22766 and CVE-2022-22765, have low attack complexity.

While implementing hard-coded credentials in IoT or any internet-facing devices is fraught with danger, credit goes to the device manufacturer, who self-reported these issues upon discovery and is working to strengthen credential management in future devices. Meanwhile, mitigation steps can be found in CISA’s advisories noted above.

In other health-related vulnerability news, researchers this week discovered that over 75% of 200,000 network-connected “smart” infusion pumps suffer from multiple known vulnerabilities, previously reported and patched under various CVEs between 2016 and 2020. Infusion pumps and “smart IV drips” serve to administer fluids and medication to patients through a controlled and programmable flow.

The vulnerabilities make it possible for attackers to gain access to sensitive information, but more worryingly in some cases unauthenticated users could send network traffic in a certain pattern that may cause the pump to become unresponsive or operate in unexpected ways.

Researchers have urged health providers to identify at-risk devices and to retire or repair them to avoid putting patients’ lives or sensitive information at risk.

Conti Ransomware Group Diaries, Part III: Weaponry

Part I of this series examined newly-leaked internal chats from the Conti ransomware group, and how the crime gang dealt with its own internal breaches. Part II explored what it’s like to be an employee of Conti’s sprawling organization. Today’s Part III looks at how Conti abused popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims.

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

Conti is by far the most successful ransomware group in operation today, routinely pulling in multi-million dollar payments from victim organizations. That’s because more than perhaps any other ransomware outfit, Conti has chosen to focus its considerable staff and talents on targeting companies with more than $100 million in annual revenues.

As it happens, Conti itself recently joined the $100 million club. According to the latest Crypto Crime Report (PDF) published by virtual currency tracking firm Chainalysis, Conti generated at least $180 million in revenue last year.

On Feb. 27, a Ukrainian cybersecurity researcher who is currently in Ukraine leaked almost two years’ worth of internal chat records from Conti, which had just posted a press release to its victim shaming blog saying it fully supported Russia’s invasion of his country. Conti warned it would use its cyber prowess to strike back at anyone who interfered in the conflict.

The leaked chats show that the Conti group — which fluctuated in size from 65 to more than 100 employees — budgeted several thousand dollars each month to pay for a slew of security and antivirus tools. Conti sought out these tools both for continuous testing (to see how many products detected their malware as bad), but also for their own internal security.

A chat between Conti upper manager “Reshaev” and subordinate “Pin” on Aug. 8, 2021 shows Reshaev ordering Pin to quietly check on the activity of the Conti network administrators once a week — to ensure they’re not doing anything to undermine the integrity or security of the group’s operation. Reshaev tells Pin to install endpoint detection and response (EDR) tools on every administrator’s computer.

“Check admins’ activity on servers each week,” Reshaev said. “Install EDR on every computer (for example, Sentinel, Cylance, CrowdStrike); set up more complex storage system; protect LSAS dump on all computers; have only 1 active accounts; install latest security updates; install firewall on all network.”

Conti managers were hyper aware that their employees handled incredibly sensitive and invaluable data stolen from companies, information that would sell like hotcakes on the underground cybercrime forums. But in a company run by crooks, trust doesn’t come easily.

“You check on me all the time, don’t you trust me?,” asked mid-level Conti member “Bio” of “Tramp” (a.k.a. “Trump”), a top Conti overlord. Bio was handling a large bitcoin transfer from a victim ransom payment, and Bio detected that Trump was monitoring him.

“When that kind of money and people from the street come in who have never seen that kind of money, how can you trust them 1,000%?” Trump replied. “I’ve been working here for more than 15 years and haven’t seen anything else.”

OSINT

Conti also budgeted heavily for what it called “OSINT,” or open-source intelligence tools. For example, it subscribed to numerous services that can help determine who or what is behind a specific Internet Protocol (IP) address, or whether a given IP is tied to a known virtual private networking (VPN) service. On an average day, Conti had access to tens of thousands of hacked PCs, and these services helped the gang focus solely on infected systems thought to be situated within large corporate networks.

Conti’s OSINT activities also involved abusing commercial services that could help the group gain the upper hand in ransom negotiations with victims. Conti often set its ransom demands as a percentage of a victim’s annual revenues, and the gang was known to harass board members of and investors in companies that refused to engage or negotiate.

In October 2021, Conti underling “Bloodrush” told his manager “Bentley” that the group urgently needed to purchase subscriptions to Crunchbase Pro and Zoominfo, noting that the services provide detailed information on millions of companies, such as how much insurance a company maintains; their latest earnings estimates; and contact information of executive officers and board members.

In a months-long project last year, Conti invested $60,000 in acquiring a valid license to Cobalt Strike, a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten “Coba” licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network. It appears $30,000 of that investment went to cover the actual cost of a Cobalt Strike license, while the other half was paid to a legitimate company that secretly purchased the license on Conti’s behalf.

Likewise, Conti’s Human Resources Department budgeted thousands of dollars each month toward employer subscriptions to numerous job-hunting websites, where Conti HR employees would sift through resumes for potential hires. In a note to Conti taskmaster “Stern” explaining the group’s paid access on one employment platform, Conti HR employee “Salamandra” says their workers have already viewed 25-30 percent of all relevant CVs available on the platform.

“About 25% of resumes will be free for you, as they are already opened by other managers of our company some CVs are already open for you, over time their number will be 30-35%,” Salamandra wrote. “Out of 10 CVs, approximately 3 will already be available.”

Another organizational unit within Conti with its own budget allocations — called the “Reversers” — was responsible for finding and exploiting new security vulnerabilities in widely used hardware, software and cloud-based services. On July 7, 2021, Stern ordered reverser “Kaktus” to start focusing the department’s attention on Windows 11, Microsoft’s newest operating system.

“Win11 is coming out soon, we should be ready for this and start studying it,” Stern said. “The beta is already online, you can officially download and work.”

BY HOOK OR BY CROOK

The chats from the Conti organization include numerous internal deliberations over how much different ransomware victims should be made to pay. And on this front, Conti appears to have sought assistance from multiple third parties.

Milwaukee-based cyber intelligence firm Hold Security this week posted a screenshot on Twitter of a conversation in which one Conti member claims to have a journalist on their payroll who can be hired to write articles that put pressure on victim companies to pay a ransom demand.

“There is a journalist who will help intimidate them for 5 percent of the payout,” wrote Conti member “Alarm,” on March 30, 2021.

The Conti team also had decent working relationships with multiple people who worked at companies that helped ransomware victims navigate paying an extortion demand in virtual currency. One friendly negotiator even had his own nickname within the group — “The Spaniard” — who according to Conti mid-level manager Mango is a Romanian man who works for a large ransomware recovery firm in Canada.

“We have a partner here in the same panel who has been working with this negotiator for a long time, like you can quickly negotiate,” Trump says to Bio on Dec. 12, 2021, in regards to their ransomware negotiations with LeMans Corp., a large Wisconsin-based distributor of powersports equipment [LeMans declined to comment for this story].

Trump soon after posts a response from their negotiator friend:

“They are willing to pay $1KK [$1 million] quickly. Need decryptors. The board is willing to go to a maximum of $1KK, which is what I provided to you. Hopefully, they will understand. The company revenue is under $100KK [$100 million]. This is not a large organization. Let me know what you can do. But if you have information about their cyber insurance and maybe they have a lot of money in their account, I need a bank payout, then I can bargain. I’ll be online by 21-00 Moscow time. For now, take a look at the documents and see if there is insurance and bank statements.”

In a different ransom discussion, the negotiator urges Conti to reconsider such a hefty demand.

“My client only has a max of $200,000 to pay and only wants the data,” the negotiator wrote on Oct. 7, 2021. “See what you can do or this deal will not happen.”

Many organizations now hold cyber insurance to cover the losses associated with a ransomware attack. The logs indicate Conti was ambivalent about working with these victims. For one thing, the insurers seemed to limit their ability to demand astronomical ransom amounts. On the other hand, insured victims usually paid out, with a minimum of hassle or protracted back-and-forth negotiations.

“They are insured for cyber risks, so what are we waiting for?” asks Conti upper manager “Revers,” in a conversation on Sept. 14, 2021.

“There will be trades with the insurance company?” asks Conti employee “Grant.”

“That’s not how it works,” Revers replied. “They have a coverage budget. We just take it and that’s it.”

Conti was an early adopter of the ransomware best practice of “double extortion,” which involves charging the victim two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed. Indeed, some variation of the message “need decryptors, deletion logs” can be seen throughout the chats following the gang’s receipt of payment from a victim.

Conti victims were directed to a page on the dark web that included a countdown timer. Victims who failed to negotiate a payment before the timer expired could expect to see their internal data automatically published on Conti’s victim shaming blog.

The beauty of the double extortion approach is that even when victims refuse to pay for a decryption key — perhaps because they’re confident they can restore systems from backups — they might still pay to keep the breach quiet.

“Hello [victim company redacted],” the gang wrote in January 2022. “We are Conti Group. We want to inform that your company local network have been hacked and encrypted. We downloaded from your network more than 180GB of sensitive data. – Shared HR – Shared_Accounting – Corporate Debt – Departments. You can see your page in the our blog here [dark web link]. Your page is hidden. But it will be published if you do not go to the negotiations.”

“We came to an agreement before the New Year,” Conti member “Skippy” wrote later in a message to the victim company. “You got a lot of time, more than enough to find any sum and fulfill your part of this agreement. However, you now ask for additional time, additional proofs, etc. Seems like you are preparing to break the agreement and flee, or just to decrease the sum. Moreover, it is a very strange request and explanation. A lot of companies pay such amounts without any problems. So, our answer: We are waiting for the above mentioned sum until 5 February. We keep our words. If we see no payment and you continue to add any conditions, we begin to upload data. That is all.”

And a reputation for keeping their word is what makes groups like Conti so feared. But some may come to question the group’s competence, and whether it may now be too risky to work with them.

On Mar. 3, a new Twitter account called “Trickbotleaks” began posting the names, photos and personal information of what the account claimed were top Trickbot administrators, including information on many of the Conti nicknames mentioned throughout this story. The Trickbotleaks Twitter account was suspended less than 24 hours later.

On Mar. 2, the Twitter account that originally leaked the Conti chat records (a.k.a. the “jabber” logs) posted fresh logs from the Conti chat room, proving the infiltrator still had access and that Conti hadn’t figured out how they’d been had.

“Ukraine will rise!,” the account tweeted. “Fresh jabber logs.”

There may yet be at least one more piece in this series. Look here next week for a story about some of Conti’s more interesting extracurricular moneymaking and investment schemes.

Conti Ransomware Group Diaries, Part II: The Office

Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

The Conti group’s chats reveal a great deal about its internal structure and hierarchy. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires.

Other Conti departments with their own distinct budgets, staff schedules, and senior leadership include:

Coders: Programmers hired to write malicious code, integrate disparate technologies
Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware.

Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.

A great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti manager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster who can be seen constantly needling the staff for reports on their work.

In July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to hire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

The Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the Trickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously test, maintain and expand this infrastructure 24 hours a day, 7 days a week.

Conti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza had its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.

According to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders and software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the next. For example, on multiple occasions the organization was forced to fire many employees as a security precaution in the wake of its own internal security breaches.

In May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s malware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires, Stern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both Hof and Reverse appear to have direct access to the Emotet crimeware platform.

Trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity experts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as Ryuk. First spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in the first year of its operation Ryuk earned more than $61 million in ransom payouts.

“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for some time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital systems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing COVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across multiple industries.”

On May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of Conti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. It took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at an estimated cost of more than $600 million.

It remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s operations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020 Conti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.

“Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools, techniques and procedures are nearly identical to Conti’s.

“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and spotting his own code being re-used in high-profile ransomware attacks by Ryuk.

“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,” Abrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by the same people.”

ATTRITION

Each Conti employee was assigned a specific 5-day workweek, and employee schedules were staggered so that some number of staff was always on hand 24/7 to address technical problems with the botnet, or to respond to ransom negotiations initiated by a victim organization.

Like countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of Bitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.

However, many employees used the Conti chat room to vent about working days on end without sleep or breaks, while upper managers ignored their repeated requests for time off.

Indeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and administrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation to the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being approached to work for competing ransomware organizations, and the overall morale of the group seemed to fluctuate between paydays.

Perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees, meaning the group was forced to constantly recruit new talent.

“Our work is generally not difficult, but monotonous, doing the same thing every day,” wrote “Bentley,” the nickname chosen by the key Conti employee apparently in charge of “crypting” the group’s malware — ensuring that it goes undetected by all or at least most antivirus products on the market.

Bentley was addressing a new Conti hire — “Idgo” — telling him about his daily duties.

“Basically, this involves launching files and checking them according to the algorithm,” Bentley explains to Idgo. “Poll communication with the encoder to receive files and send reports to him. Also communication with the cryptor to send the tested assembly to the crypt. Then testing the crypt. If jambs appear at this stage, then sending reports to the cryptor and working with him. And as a result – the issuance of the finished crypt to the partner.”

Bentley cautioned that this testing of their malware had to be repeated approximately every four hours to ensure that any new malware detection capability added to Windows Defender — the built-in antivirus and security service in Windows — won’t interfere with their code.

“Approximately every 4 hours, a new update of Defender databases is released,” Bentley told Idgo. “You need to work for 8 hours before 20-21 Moscow time. And career advancement is possible.” Idgo agrees, noting that he’d started working for Conti a year earlier, as a code tester.

OBSERVATIONS

The logs show the Conti gang is exceedingly good at quickly finding many potential new ransomware victims, and the records include many internal debates within Conti leadership over how much certain victim companies should be forced to pay. They also show with terrifying precision how adeptly a large, organized cybercrime group can pivot from a single compromised PC to completely owning a Fortune 500 company.

As a well-staffed “big game” killing machine, Conti is perhaps unparalleled among ransomware groups. But the internal chat logs show this group is in serious need of some workflow management and tracking tools. That’s because time and time again, the Conti gang lost control over countless bots — all potential sources of ransom revenue that will help pay employee salaries for months — because of a simple oversight or mistake.

Peppered throughout the leaked Conti chats — roughly several times each week — are pleadings from various personnel in charge of maintaining the sprawling and constantly changing digital assets that support the group’s ransomware operation. These messages invariably relate to past-due invoices for multiple virtual servers, domain registrations and other cloud-based resources.

On Mar. 1, 2021, a low-level Conti employee named “Carter” says the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers and domain registrations is short $1,240 in Bitcoin.

“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote on Nov. 24, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”

As part of the research for this series, KrebsOnSecurity spent many hours reading each day of Conti’s chat logs going back to September 2020. I wish I could get many of those hours back: Much of the conversations are mind-numbingly boring chit-chat and shop talk. But overall, I came away with the impression that Conti is a highly effective — if also remarkably inefficient — cybercriminal organization.

Some of Conti’s disorganized nature is probably endemic in the cybercrime industry, which is of course made up of criminals who are likely accustomed to a less regimented lifestyle. But make no mistake: As ransomware collectives like Conti continue to increase payouts from victim organizations, there will be increasing pressure on these groups to tighten up their operations and work more efficiently, professionally and profitably.

Stay tuned for Part III in this series, which will look at how Conti secured access to the cyber weaponry needed to subvert the security of their targets, as well as how the team’s leaders approached ransom negotiations with their victims.


Conti Ransomware Group Diaries, Part I: Evasion

A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”

“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.

On Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.

The Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.

“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”

GAP #1

The temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.

On Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that has regularly used Trickbot to deploy malware.

Once in control over Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.

News of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.

“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”

“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.

“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum number, and the bot is checking that the new config should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”
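The counter check Hof describes, modelled as an added example (not code from the article or from Trickbot): a client that applies a config only when its number exceeds the current one, the saturation that one unauthenticated maximum-numbered config causes, and a hardened variant that authenticates the config and adds an epoch field so a saturated counter can be recovered. The class and function names, the 32-bit field width and the demo key are assumptions.

```python
# Added illustration, not code from the article or from any real botnet.
import hashlib
import hmac
from dataclasses import dataclass

MAX_VERSION = 2**32 - 1  # constructed: assume a 32-bit version field

@dataclass
class Config:
    version: int
    epoch: int = 0
    payload: bytes = b""
    tag: bytes = b""  # MAC over (epoch, version, payload); empty when unsigned

def _message(cfg):
    return cfg.epoch.to_bytes(4, "big") + cfg.version.to_bytes(4, "big") + cfg.payload

def sign(key, cfg):
    # HMAC keeps this stdlib-only; a real design would use an asymmetric
    # signature so that clients hold only a public key.
    tag = hmac.new(key, _message(cfg), hashlib.sha256).digest()
    return Config(cfg.version, cfg.epoch, cfg.payload, tag)

class NaiveClient:
    """Bare monotonic counter: the check stops rollback but nothing verifies who
    sent the config, so one config numbered MAX_VERSION blocks all later ones."""

    def __init__(self):
        self.version = 0
        self.payload = b"initial"

    def apply(self, cfg):
        if cfg.version <= self.version:
            return False  # anti-rollback only
        self.version, self.payload = cfg.version, cfg.payload
        return True

class HardenedClient:
    """MAC-checked config plus an epoch: the counter is compared only within the
    current epoch, so a saturated counter is recovered by issuing a signed config
    for the next epoch. Assumes the key stayed secret; if it leaked, recovery
    needs key rotation from a separate trust anchor, which this model omits."""

    def __init__(self, key):
        self.key = key
        self.epoch = self.version = 0
        self.payload = b"initial"

    def apply(self, cfg):
        expected = hmac.new(self.key, _message(cfg), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cfg.tag):
            return False  # unsigned or tampered
        if cfg.epoch < self.epoch:
            return False  # older epoch
        if cfg.epoch == self.epoch and cfg.version <= self.version:
            return False  # rollback or replay within the current epoch
        self.epoch, self.version, self.payload = cfg.epoch, cfg.version, cfg.payload
        return True

def saturate_naive():
    """Returns (poison accepted, later legitimate config accepted, final version)."""
    bot = NaiveClient()
    bot.apply(Config(version=41, payload=b"legit-41"))
    poisoned = bot.apply(Config(version=MAX_VERSION, payload=b"idle"))
    recovered = bot.apply(Config(version=42, payload=b"legit-42"))
    return poisoned, recovered, bot.version

def recover_hardened(key=b"constructed-demo-key"):
    """Returns (unsigned poison rejected, signed saturation applied, next epoch accepted)."""
    bot = HardenedClient(key)
    rejected = not bot.apply(Config(version=MAX_VERSION, payload=b"idle"))
    saturated = bot.apply(sign(key, Config(version=MAX_VERSION, epoch=0, payload=b"full")))
    next_epoch = bot.apply(sign(key, Config(version=1, epoch=1, payload=b"legit-e1")))
    return rejected, saturated, next_epoch
```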

It would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.

“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”

On October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Follow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.

GAP #2

The more recent gap in the Conti chat logs corresponds to a Jan. 26, 2021 international law enforcement operation to seize control of Emotet, a prolific malware strain and cybercrime-as-a-service platform that was used heavily by Conti. Following the Emotet takedown, the Conti group once again reorganized, with everyone forced to pick new nicknames and passwords.

The logs show Conti made a special effort to help one of its older members — Alla Witte — a 55-year-old Latvian woman arrested last year on suspicion of working as a programmer for the Trickbot group. The chat records indicate Witte became something of a maternal figure for many of Conti’s younger personnel, and after her arrest Conti’s leadership began scheming a way to pay for her legal defense.

Alla Witte’s personal website — allawitte[.]nl — circa October 2018.

“They gave me a lawyer, they said the best one, plus excellent connections, he knows the investigator, he knows the judge, he is a federal lawyer there, licensed, etc., etc.,” wrote “Mango” — a mid-level manager within Conti — to “Stern,” a much higher-up Conti taskmaster who frequently asked various units of the gang for updates on their daily assignments.

Stern agreed that this was the best course of action, but it’s unclear if it was successfully carried out. Also, the entire scheme may not have been as altruistic as it seemed: Mango suggested that paying Witte’s attorney fees might also give the group inside access to information about the government’s ongoing investigation of Trickbot.

“Let’s try to find a way to her lawyer right now and offer him to directly sell the data bypassing her,” Mango suggests to Stern on June 23, 2021.

The FBI has been investigating Trickbot for years, and it is clear that at some point the U.S. government shared information with the Russians about the hackers they suspected were behind Trickbot. It is also clear from reading these logs that the Russians did little with this information until October 2021, when Conti’s top generals began receiving tips from their Russian law enforcement sources that the investigation was being rekindled.

“Our old case was resumed,” wrote the Conti member “Kagas” in a message to Stern on Oct. 6, 2021. “The investigator said why it was resumed: The Americans officially requested information about Russian hackers, not only about us, but in general who was caught around the country. Actually, they are interested in the Trickbot, and some other viruses. Next Tuesday, the investigator called us for a conversation, but for now, it’s like [we’re being called on as] witnesses. That way if the case is suspended, they can’t interrogate us in any way, and, in fact, because of this, they resumed it. We have already contacted our lawyers.”

Incredibly, another Conti member pipes into the discussion and says the group has been assured that the investigation will go nowhere from the Russian side, and that the entire inquiry from local investigators would be closed by mid-November 2021.

It appears Russian investigators were more interested in going after a top Conti competitor — REvil, an equally ruthless Russian ransomware group that likewise mainly targeted large organizations that could pay large ransom demands.

On Jan. 14, 2022, the Russian government announced the arrest of 14 people accused of working for REvil. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown was part of a cynical ploy to assuage (or distract) public concerns over Russian President Vladimir Putin’s bellicose actions in the weeks before his invasion of Ukraine.

The leaked Conti messages show that Trickbot was effectively shut down earlier this month. As Catalin Cimpanu at The Record points out, the messages also contain copious ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident (and indeed had paid Conti to ensure their silence). In addition, there are hundreds of bitcoin addresses in these chats that will no doubt prove useful to law enforcement organizations seeking to track the group’s profits.

This is the first of several stories about the inner workings of Conti, based on the leaked chat records. Part II will be told through the private messages exchanged by Conti employees working in different operational units, and it explores some of the more unique and persistent challenges facing large-scale cybercriminal organizations today.