
Cybersecurity specialist exposed notorious Russian ransomware gang

2022-04-03T19:49:26.225Z


When the Russians started invading his homeland, a cybersecurity researcher decided to sabotage a ransomware gang from Russia.


This is the work of volunteers for refugees in Hungary 3:19

Washington (CNN) --

As Russian artillery began raining down on his homeland last month, a Ukrainian cybersecurity researcher decided to fight back the best way he knew how: by sabotaging one of Russia's most infamous ransomware gangs.


Four days after the Russian invasion, the researcher began publishing the largest leak of files and data from Conti, a syndicate of Russian and Eastern European cybercriminals wanted by the FBI for carrying out attacks on hundreds of American organizations and causing millions in losses.


The thousands of documents and internal communications include evidence that appears to suggest that Conti's agents have contacts with the Russian government, including the FSB intelligence service.

This supports a long-standing US charge that Moscow has conspired with cybercriminals to gain strategic advantage.

The Ukrainian computer scientist behind the leak spoke exclusively to CNN and described his motivation to seek revenge after Conti operatives published a statement of support for the Russian government immediately after the invasion of Ukraine began.

He also described his desperate efforts to locate his loved ones in Ukraine in recent weeks.

To protect his identity, CNN has agreed to refer to him by a pseudonym: Danylo.

"I can't shoot anything, but I can fight with a keyboard and mouse," Danylo told CNN.


Service members of the pro-Russian troops drive armored vehicles in front of local residents during the Ukraine-Russia conflict in the besieged southern port city of Mariupol, Ukraine March 24, 2022.

The data set that Danylo leaked in late February illustrates why cybersecurity has been such a tense topic in US-Russian relations.

It includes the cryptocurrency accounts Conti hackers used to allegedly extract millions of dollars in ransom payments, their discussions of extorting US companies, and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.

But it also shows how difficult it can be to disable ransomware operations.

Even though Danylo has unmasked its operations, the group keeps announcing new victims.


Danylo, who has worked as a cybersecurity researcher for years and has studied the underground economy of cybercriminals in Europe, is just one vigilante in a shadow war that has erupted between hackers and cybersecurity professionals who have pledged to support governments on both sides of the conflict as the biggest ground war in Europe since World War II drags on.

But by taking down a group as notorious as Conti, Danylo has garnered more attention than others.

According to Danylo, the FBI contacted him after he began leaking the Conti files, asking him to stop.

The FBI declined to comment.

Firefighters work to extinguish a warehouse fire after it was hit by Russian shelling on March 28, 2022 in Kharkiv, Ukraine.

CNN corroborated Danylo's claim that he was the leaker by reviewing evidence that he had access to the Twitter account that posted Conti's data, as well as to a website that Danylo and another person, who was granted anonymity for their protection, used to share the data contained in the leaks.

Danylo has not spoken to the media about his motives until now.

He did so while traveling through a war-torn country that he had just returned to and could barely recognize.

"It's my country," he said in a telephone interview.

"If they [Ukrainian government] provide me with weapons, fine, I'll go fight. But I'm better at typing."

Digital revenge

Danylo claims that he first gained access to the computer systems used by what would become the Conti syndicate in 2016.

Although he did not want to explain in detail how he did it, independent security experts have verified to CNN that the data set belongs to the hackers.

(Conti is both the name of the malware and the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)

"Sometimes they make mistakes," Danylo said, referring to the ransomware groups.

"You have to catch them when they mess up. I was in the right place at the right time. I was watching them."

For years, Danylo said, he monitored the cybercriminals' servers and passed information about the group's operations to European law enforcement.

Conti ransomware has been rampant for the past two years, with hackers claiming numerous victims every week.

In September 2020, cybercriminals claimed to have stolen case files from a district court in Louisiana.

In March 2021, the Conti ransomware was used in a hack that affected the computer networks of Ireland's public health system, costing $25 billion and disrupting operations at a maternity ward in Dublin.

The dark work was lucrative: Hackers using the Conti ransomware received at least $25.5 million in ransom payments in just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.

This photo shows a collapsed building as civilians are evacuated along humanitarian corridors in the Ukrainian city of Mariupol under the control of the Russian military and pro-Russian separatists, on March 26, 2022.

But something broke in Danylo on February 25, 2022, when Conti's agents released a statement pledging their "full support" to the Russian government in its attack on Ukraine.

A Russian airstrike had landed not far from the home of a family member.

The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union.

He did not want to see it fall back into Russian hands.

Conti members tried to retract their statement, stating that they did not support any government, but Danylo had heard enough.

Asked again why he leaked the Conti data, Danylo said with a laugh: "To show that they are sons of bitches."

He was exhausted after a long day touring military checkpoints in Ukraine, hunting for cigarettes and looking up at the sky for signs of the next airstrike.

Contacted by the FBI

Conti is exactly the kind of prolific ransomware group that President Joe Biden last year urged Russian President Vladimir Putin to crack down on amid a wave of attacks on critical US infrastructure.


The Kremlin appeared to hint at collaborating with the United States in the fight against cybercrime this January, when the Russian intelligence agency FSB announced the arrest of several accused cybercriminals.

But the chances for bilateral cooperation on cybercrime have dwindled after Russia's invasion of Ukraine, which has killed more than 1,000 civilians, according to the United Nations, and made Putin an international pariah.

Civilians trapped in the city of Mariupol under Russian attack are evacuated in groups, under the control of pro-Russian separatists, through other cities. Mariupol, Ukraine, March 20, 2022.

After he started leaking the data, Danylo said, an FBI special agent contacted him and asked him to stop.

Exposing Conti's infrastructure could, in theory, make it harder for the FBI to monitor the group, since the group could simply set up new systems.

Danylo stopped leaking information, for now.

But he says that he still has access to some Conti systems.

At least one law enforcement official who spoke to CNN would have preferred Danylo to have kept that access covert, rather than alerting the ransomware syndicate to his presence by leaking the data.

"Publishing information like [the leaker] did is reckless," a US official told CNN.

"Working cooperatively with law enforcement can have a more substantial and lasting impact in disrupting the operations of groups like Conti."

However, John Fokker, a former Dutch police cybercrime investigator, said the leak could be genuinely useful to investigators who go after cybercriminals.

"Yes, the infrastructure may become stale. However, the amount of data provided in the leaks makes me confident that law enforcement has obtained the information they need to draft charges against key individuals," said Fokker, who works closely with European law enforcement as head of cyber investigations at security company Trellix.

A catalog of crimes

The Conti leaks are a startling catalog of the alleged misdeeds of a multimillion-dollar criminal enterprise.

CNN evaluated and translated the original documents that Danylo shared with the world via Twitter.

The communications show Conti members, each with an alias in the chat logs, discussing the wisdom of extorting small American businesses, apparently refraining from attacking Russian targets, and taking an interest in a journalist writing about Alexey Navalny, the Russian opposition figure who was poisoned and later jailed.

In April 2021, Conti members "mango" and "johnyboy77" discussed plans to access files belonging to a journalist for the investigative outlet Bellingcat, which had published a joint investigation with CNN in December 2020 into the alleged role of Russia's FSB intelligence agency in the poisoning of Navalny.


"Brother, don't forget about Navalny, I pointed it out to the boss, he is waiting for the details," mango wrote to johnyboy77 in Russian.

It is not clear who is "the boss" in this exchange.

But Christo Grozev, Bellingcat's top Russian researcher, tweeted that the leaked chat corroborated an anonymous tip Bellingcat received that "a global cybercrime group acting on behalf of the FSB has hacked one of its collaborators."

Conti operatives refer in their chats to Liteyny Avenue in St. Petersburg, which is home to local FSB offices, according to Kimberly Goody, director of cybercrime analysis at security firm Mandiant.

"Generally speaking, it would not be relatively surprising to learn that an operation as extensive as this would not be leveraged in some way as an asset [by the Russian government] at any given time," Goody told CNN.

A Ukrainian serviceman stands in the rubble after a shelling in a residential area of Kyiv, Ukraine, on March 18.

The Russian embassy in Washington did not respond to a request for comment.

The Russian government has long denied accusations that it turns a blind eye to cybercrime.

There also appears to be a correlation between the Conti leaks and public warnings from US cybersecurity officials, suggesting that federal authorities have been watching the group closely.

On October 26, 2020, as US hospitals continued to reel from coronavirus cases, a Conti member with the alias Troy wrote to another member in Russian: "Fuck the clinics in USA this week... There will be panic. 428 hospitals."

Two days later, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about ransomware attacks on hospitals, many of which used a piece of malicious software that the leaked documents link to Conti operatives.

It was unclear what specific intelligence prompted the federal warning about the hospitals, but the timing was surprising.

"It's my job"

Cyberattacks have played a secondary role in the war in Ukraine.

The White House accused the Russian military intelligence agency GRU of taking down key Ukrainian government websites before the invasion.

(A charge the Kremlin denies.)

US officials are also investigating the hack of a satellite network serving parts of Ukraine, which occurred as the Russian invasion began, as a possible Russian state-sponsored hack, CNN previously reported.

For its part, the Ukrainian government has encouraged an "IT army" of volunteer hackers in Ukraine and abroad to conduct cyberattacks against Russian organizations.

In the free-for-all of Ukrainian cyberspace, fighters like Danylo engage on their own terms.

An aerial view of the completely destroyed shopping mall after a Russian bombardment in Kyiv, Ukraine, on March 21, 2022.

When asked how he has been in recent days, Danylo's responses have been consistent: "I'm still alive."

Watching homes and schools turn to rubble has drained the vigor from his voice.

Danylo recalled, in the early days of the war, going into a bunker during a bombing raid with his laptop and working on Conti's files.

Another person in the bunker was puzzled because he was focused on his computer in the middle of the bombardment.

"What the hell are you doing?" Danylo remembered him saying.

Danylo laughed nervously as he told the story.

"It's my job," he told CNN.

"[I do it] because I can."

After weeks of living through the war, Danylo told CNN that this week he safely left Ukraine with his laptop.


Source: cnnespanol
