Welcome to The Cybersecurity 202! I, for one, am disheartened that this 17-pound monster was disqualified as the world's largest potato.
The leak is providing a clearer portrait than ever before of the cybercriminals that have run roughshod over U.S. institutions.
And it's showing how Russia’s invasion of Ukraine has divided the criminal gangs that lock up victim computers and demand payments to unlock them, given that the leak was orchestrated by a Ukraine sympathizer with access to Conti's internal chats and business records.
The leak came after Conti's leaders pledged allegiance to the Russian invaders. Conti leaders later tried to make a more neutral statement on the invasion but the damage had been done.
Here are 11 big takeaways.
1. Ransomware hacking can be pretty boring work
The most common reaction to the chats has been how utterly banal the daily trudge of ransomware hacking can be — much like any desk job. Paychecks come out twice per month and work is divvied up by middle managers, some of whom get testy when subordinates slack off or disappear offline for hours at a time.
Hackers go by one-word handles in the chats rather than their real names. But many of their comments would be right at home in a typical office Slack channel.
“Many of the conversations are dull, daily chatter,” Matt Burgess reported in one deep dive for Wired. “Members tell others they have caught Covid-19; they have issues with connectivity … and they bond with conversations about their partners or exes. The water cooler conversations are a stark contrast to Conti’s dark work.”
2. The pay’s not great on the lower rungs
The rank-and-file Conti hackers earned about $1,500 to $2,000 per month and didn’t get a share of the big ransoms.
That’s not a bad salary in many former Soviet states. But it’s nothing like the top ranks of criminal hackers who have developed a reputation for conspicuous displays of wealth, flashing stacks of cash, driving Lamborghinis and playing with tiger cubs.
3. But at the top levels, cybercrime definitely pays
The research group Chainalysis estimated Conti’s 2021 revenue as around $180 million — a figure that’s almost certainly low because it’s based only on publicly reported ransomware attacks and many go unreported. Based on data from the leaks, BreachQuest estimated the gang pays about $6 million for salaries and other expenses — just a fraction of its revenue.
“What would be the venture capital valuation of a Silicon Valley startup with global reach, annual revenue of $180 million, almost triple-digit year-over-year growth and an annual burn rate of $6 million?” Shaun Waterman asks in another deep dive for ReadMe.
4. Conti made some efforts to avoid the most inhumane hacks
Conti has publicly claimed that it avoids attacking critical infrastructure, such as hospitals, energy firms and airports that could have the highest human cost. That claim was treated dubiously given that Conti ransomware was used in a brutal attack on the Irish health-care system last year that cost $600 million to recover from.
Yet it does appear that managers routinely urged subordinates against targeting hospitals. One manager even chewed out a subordinate who didn’t follow the rule, saying the subordinate was ruining the gang’s reputation and warning “everyone constantly complains about you and gets angry,” per Wired.
5. But there’s truly no honor among thieves
In one chat reported by ReadMe, a middle manager asks a hacker who used the handle Stern, and who appears to be “the big boss” of the operation, several times if he authorized an attack on a hospital carried out by a hacker using the handle Dollar. Stern ultimately replies cryptically, “I usually don’t approve locks.”
“Several hours later [Stern] sent Dollar an encrypted note. Dollar responded with a series of numbers and sums apparently calculating a 20 percent share of something,” Shaun reports.
6. Russian sympathizers in the gang bought into Putin’s lies
“The Russian hackers openly repeated Putin’s falsehoods as fact, such as that Ukraine is run by a ‘neo-Nazi junta’ and that its government is seeking nuclear weapons. Members of the chat continually shared news updates that exaggerated Russia’s success so far in the war,” Micah Lee reported for the Intercept.
The hackers also frequently used anti-Semitic tropes to describe Ukraine’s Jewish president Volodymyr Zelensky.
7. Putin’s war may have ended the Pax Romana among cybercrime gangs
One feature of the pre-Ukraine invasion ransomware industry is that — while many hackers were Russian — citizens of other post-Soviet states often joined the ranks. That may be ending as the relations between criminal hackers from Russia and other nations become more divisive.
“Ian McGinley, a former federal prosecutor in Manhattan who specialized in complex cyber cases, compares the upheaval the Ukraine war has provoked to the internecine conflicts within traditional criminal groups, like the mafia,” Shaun reports.
8. Yet, other ransomware gangs played the politics better
The Lockbit gang, for example, came out with a statement on the invasion nearly as quickly as Conti did — but it pledged neutrality.
Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future:
Looks like the LockBit ransomware group had some fun with Google Translate this morning and decided not to make the same mistake as Conti. pic.twitter.com/eRKZQ8lsLy
— Allan “Ransomware Sommelier🍷” Liska (@uuallan) February 27, 2022
9. Law enforcement and researchers are having a field day with the leaks
In addition to what they show about the inside workings of ransomware operations, the leaks will also make it far easier for law enforcement to identify individual members of the gang, perhaps leading to criminal indictments.
“It’s the most valuable data dump ever about ransomware,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told Shaun.
10. How the heck were they so careless?
Encryption is the bread and butter of ransomware gangs — the tool they use to lock up victims’ computers and demand ransoms. Yet, the vast majority of chats between Conti members were easily available to the leaker in unencrypted formats. Only a small portion of Conti members used an add-on tool to encrypt their chats on the gang’s server.
“The dumb part of this is the way they did it in an unencrypted [manner],” a spokesperson for the hacktivist collective Anonymous told the Record’s Dina Temple-Raston. “That’s unthinkable, right? They must be shaking in their boots right now, because a lot of their identities will be revealed through these leaks.”
11. Conti is down but not out
It looked for a minute in early March as if Conti may have been driven out of business by the leaks. But they were up and running again by March 7, CyberScoop’s Suzanne Smalley reports.
“They will reemerge more powerful and better than ever and more bulletproof,” Vitali Kremez, CEO of the cybersecurity firm AdvIntel, told Suzanne. “They will adapt, they will improve, some members will relocate. But [Conti] will definitely not be pushed out of the market.”
The keys
The pipeline industry is extremely frustrated with new cybersecurity rules
The Transportation Security Administration (TSA) has been overwhelmed by requests for workarounds to stringent new cybersecurity rules imposed after the Colonial Pipeline hack, operators told Politico’s Eric Geller.
Industry officials and analysts expressed dismay to The Post after the rules were imposed, warning that implementing them as written could be difficult. Things haven’t improved since then, Geller reports.
The TSA has approved a mere handful of the more than 170 requests to use “alternative measures,” senior officials told Geller.
The rules are ill-suited to industrial cybersecurity and have gotten in the way of more useful security initiatives, experts warned.
“There is not a single pipeline operator who has felt positive about the interactions that I’m aware of,” Robert M. Lee, chief executive of the industrial-focused cyber firm Dragos, told Geller. “This has derailed lots of other valuable security efforts.”
Arizona Republicans want to break up Maricopa County
They're backing a bill that would split Maricopa County up into four separate counties — creating three solidly Republican counties and one Democratic one out of a county that helped deliver Joe Biden's victory in 2020.
The county was a locus for Donald Trump’s false claims that his election loss was illegitimate and the site of a partisan and ultimately fruitless audit aiming to disprove the election results.
Critics say the bill is punishment for county officials pushing back against Trump’s claims, Griff Witte reports. Election experts also say the proposal could help lay the groundwork for challenges to the 2024 contest.
The bill has passed in committee, but it appears to have stalled for now as Republicans navigate a tight majority in the state House and Senate.
“This is about putting more chips on the roulette table so you can win your bet,” state Rep. Lorenzo Sierra, a Democrat, argued. “One of these three counties, I’m sure, would decertify this election in a heartbeat.”
State Rep. Jake Hoffman, a Republican who introduced the bill, has denied that it has to do with elections, arguing that it’s about bringing power closer to the people. Hoffman, who declined an interview request, was one of 11 Arizonans who falsely declared that he was empowered to cast Arizona's electoral votes for Trump.
Russia’s government sites are under ‘unprecedented’ digital attack
Some of the attacks appear to be surges of Internet traffic that aim to overwhelm the websites. Russian regulators are filtering Internet traffic coming from abroad to mitigate the power of the digital attacks, Mary Ilyushina reports. The attacks were “two to three times more powerful” than previous ones, the country’s Ministry of Digital Development and Communications said.
Other recent attacks hitting Russia:
- Hackers replaced the hotline phone number on Russia's Emergency Situations Ministry website to list a number for Russian soldiers to call if they want to defect.
- They also modified news stories on the page to tell readers not to believe Russian news reports.
- Dozens of Russian judicial sites displayed insults aimed at President Vladimir Putin.
- Hackers claiming affiliation with Anonymous displayed livestreams of dozens of surveillance cameras inside Russia, Vice reports.
Daybook
- CISA Director Jen Easterly speaks at the National Women in Cybersecurity Conference today at around 1 p.m.
- Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) speaks at an Information Technology Industry Council Bridge for Innovation event on Wednesday at 11 a.m.
- CISA senior adviser and strategist Allan Friedman speaks at an Institute for Critical Infrastructure Technology event on Thursday at 1 p.m.
Secure log off
For today’s third @washingtonpost TikTok, another dramatic telenovela https://t.co/g4odxY8JhT pic.twitter.com/FMZ299He6d
— Washington Post TikTok Guy 🤹🏼♂️ (@davejorgenson) March 17, 2022
A tuber of a gourd? Thanks for reading. See you Monday.