
How does the world famous Russian hacker group operate?

The Conti ransomware group is organized like a company with a full operating department and personnel, even with “typical employee of the month”.

A series of leaked documents details the size, leadership and activities of the notorious hacker group known as Conti, and exposes its most valuable asset: the ransomware source code the group uses.

Shmuel Gihon, a researcher at cyber-risk assessment firm Cyberint, said Conti has been around since 2020 and quickly became one of the largest ransomware organizations in the world. The group is estimated to have around 350 members and has generated about $2.7 billion in profits over the past two years alone.


Chats between Conti members are made public. Image: The Record

According to the FBI’s Internet Crime Report 2021, Conti’s ransomware is among the top three variants targeting critical US infrastructure. “Conti frequently targets critical manufacturing, financial institutions, food, and agriculture,” the FBI said.

Gihon commented that Conti was the most successful ransomware group in the world until its internal documents began leaking on February 28. Cyberint considers this to be an act of retaliation because Conti expressed support for Russia’s military campaign in Ukraine. At that time, the ContiLeaks account appeared on Twitter, posting thousands of the group’s internal messages. The account, whose owner claims to be “a security researcher”, has direct messaging turned off and cannot be contacted.

Gihon thinks the leak has had a huge impact on the cybersecurity community, with most of his colleagues around the world spending weeks poring over the documents.

Traditional organization

Conti operates completely underground and has no contact with the media. However, documents posted online show that they are organized and operated like a regular tech company.


Conti’s organizational apparatus. Graphics: Cyberint

Lotem Finkelstein, Check Point Research’s director of threat assessment, said Conti has a clear management structure, with separate finance and human resources departments, in which team leaders report directly to their superiors. There is some evidence that the organization has a research and development department, as well as a business development unit.

“We think this is a huge organization, with many real-life offices and abundant resources, capable of cooperating with Russian intelligence,” Finkelstein said.

The Russian Embassy in the UK declined to comment. Moscow generally denies links to hacker groups and cyber attacks against Western nations.

Typical employee of the month

Check Point Research found that Conti has regular salaried employees, some of whom are paid in Bitcoin, a performance appraisal system and regular training opportunities. The group also employs expert negotiators, who receive a 0.5-1% commission on successful extortion transactions.

The hacker group also has a job referral program, which rewards those who recruit staff for the company, along with a bonus of half a month’s salary for “typical employee of the month”. Conti fines people who don’t meet work quotas.

Employees use fake information to protect their identities. Conti leaders promise high salaries, interesting work and the possibility of career growth, but with that comes the risk of being dismissed for failing to meet the requirements of a task, and employees often have to work overtime.

Recruitment process

Conti hires people from legitimate sources such as recruitment agencies, combined with criminal networks. “This process is very important because the rate of quitting and burnout is very high for low-level employees,” commented Brian Krebs, a well-known cybersecurity expert in the US.

Some of the people involved aren’t even computer experts: Conti also hires call center staff, who impersonate well-known businesses and try to scam victims over the phone.

Many employees do not know the nature of Conti

“We have evidence that not all Conti employees know they are working in a cybercrime group. These people think they are working in an advertising business, instead of the world-famous ransomware group,” Finkelstein said.

The messages show that Conti’s managers lied to job candidates. “Everything is anonymous here; the main job is developing software for penetration testers,” one message read.

One Conti executive explained that programmers don’t know the size of the organization because each person works on only one module of the software, rather than seeing the entire program. If someone discovers the nature of Conti, they are offered a raise to keep them working.

Hard to completely disappear

Conti is said to have shown many signs of instability before the leak. One of the organization’s leaders disappeared in January, while many employees were owed their salaries. A few days before the leak at the end of February, an internal message said there had been many arrests of group members and there was no money to pay salaries. “I will have to ask everyone to take a few months off work,” the message read.

However, Conti is still active at a reduced level and may rise again in the future. The group has weathered many challenges before, including the takedown of the Trickbot malware in 2021.

According to The Record, the Russian-Ukrainian conflict has long caused divisions in the cybercriminal underworld. While Conti is pro-Russia, Anonymous is on the opposing side, and another notorious group, LockBit, is neutral. Russian and Ukrainian hackers used to work together, but relations have now become strained.

Diep Anh (according to CNBC)
