Information about nuclear plants and air force capabilities. Conti ransomware gang crooks conjecturing that the National Security Agency (NSA) was maybe behind the mysterious, months-long TrickBot lull. Doxxed data about 120K Russian soldiers.
“Everyone is so focused on Russia hacking the world, but the world has been hacking Russia…. And dumping a lot of critical data on military, nuclear plants, etc.,” said Vinny Troia, cybersecurity Ph.D. and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm.
He’s one of an untold number of experts on dark-web threat intelligence who’ve been pouring over the intel that’s been flooding out of practically every nook and cranny of the internet: data that’s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.
That ongoing dump, which has included source code for Conti and TrickBot, a decryptor (that doesn’t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.
He visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.
Lightly Edited Transcript
Lisa Vaas: Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we’re going to focus on all of the data that’s being leaked on Russia as a result of its invasion of Ukraine.
Lisa Vaas: Thanks for coming on the podcast. Vinny, before we jump in, could you give us a bit of your background, please?
Vinny Troia: Sure. Thanks for having me. Yes. So my background I come from a DOD background did a lot of work for surface deployment command. And yeah, I was there for about, I think six or seven years before moving over to private sector.
Vinny Troia: And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.
Vinny Troia: We’re constantly focused on dark web threat actors and any of the players, really.
Lisa Vaas: Thank you for that. And well this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military nuclear plants, etc.
Lisa Vaas: Where is your Intel coming from? Are there any forums in particular that you’re clued into or is that something you can’t even discuss?
Vinny Troia: it’s not even like that. It’s a, I mean, it’s literally everywhere. I mean, there’s Telegram channels. I mean, some is just being pasted right on Twitter.
Vinny Troia: I mean, it’s literally coming from all angles at this point.
Lisa Vaas: Well, tell me what you’re seeing.
Vinny Troia: I’d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. So that was kind of interesting, almost like a precursor to what was happening.
Vinny Troia: And now it’s almost like, the rest of the world that’s really pissed and started hacking back and you’re seeing so much data coming out. I’m actually looking for sorry, as we speak, I’m going through some of this data. I mean, there’s stuff on a nuclear plants, some of their air force capabilities.
Vinny Troia: There’s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it’s really just data coming from all depths of. From other infrastructure,
Lisa Vaas: well, who, who, who is the primary sources?
Lisa Vaas: I mean, I know that anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is. Hacking this stuff out of Russia.
Vinny Troia: I mean, I, honestly, I couldn’t tell you, I mean, it’s coming, like I said, it’s coming from all sorts of places.
Vinny Troia: Right. And when things get leaked, I mean, they just get leaked from various [sources’] usernames on forums or Telegram channels. And so you never really know who it’s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.
Vinny Troia: And it’s really funny that Joe Biden didn’t mention security once in the state of the union last night, being that it was such a big deal and everybody’s been talking about it.
Lisa Vaas: Yeah. And, and I remember it was an NBC news last week or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].
Vinny Troia: The news has been all about cyberattacks and Russia’s capabilities and it’s such a priority, but it just wasn’t even mentioned once. I just, I find that really strange, but regardless, it’s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they’re arguably the largest or at least one of the top few largest ransomware groups in the world. And I mean, they’re just having everything leak: source code, recovery, keys, chat logs.
Vinny Troia: I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven’t even had a chance to read the ones from today.
Lisa Vaas: I just wrote up the second dump and I didn’t even know there was more posted today. It’s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it’s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That’s not even going to be usable to anybody because it was for an older version.
Lisa Vaas: How is this going to affect Conti? Another one of my sources was telling me that just one of the gang’s groups got hit by this [leak] and everybody else is pretty much doing fine. They’re carrying on business as usual.
Vinny Troia: I think what’s really interesting. And they talked about this in one of the, in some of the logs. So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and … one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.
Vinny Troia: I don’t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.
Vinny Troia: The software couldn’t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.
Lisa Vaas: I totally missed that. Which repository was that in? What’s the name of the repository?
Vinny Troia: It’s all JSON files.
Lisa Vaas: Everybody knew that TrickBot pretty much shut down for a few months, but I didn’t know that about the NSA piece.
Vinny Troia: It’s presumed to be the NSA, given the level of skill that was involved, we’ll call it finesse. I would say it would have to be some government agency.
Lisa Vaas: Was there chatter about the shutdown?
Vinny Troia: Yeah, it’s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.
Vinny Troia: They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. I think the most interesting thing is, if this really is a Russian operated group, which is what it seems like, then the fact that all these files are being leaked, whether it’s from an insider or somebody who’s a researcher who’s attacking them specifically, I think this is going to have a major toll on Russia’s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?
Lisa Vaas: I don’t expect you to know this, but maybe you do: How much of Russia’s economy is actually coming from ransomware or other malware?
Vinny Troia: I think the majority, actually. So I think the majority of Russia’s economy is coming from some sort of crime. There’s not a whole lot going on over there. It’s like a big wasteland,
Lisa Vaas: Right. The underground members say “protect the motherland, the motherland protects you. “Except for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.
Vinny Troia: As far as the decryptor [goes], you’re correct. It is for an older version. I think I saw some keys floating around as well, but new code is written on top of old code and it’s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.
Lisa Vaas: Yeah, there’s a lot of code to go through. I hear. So what were some other really great finds in the intelligence that we’re getting out of Russia during this crisis?
Vinny Troia: It’s information on citizens, it’s information on military members. I’ve seen things on nuclear plants. I can’t speak to what can be done with all of it, honestly, but the point is it’s there and, in the right hands, I’m sure it could be pretty useful.
Lisa Vaas: I assume, during these days, it’s just not going to let up.
Vinny Troia: No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.
Lisa Vaas: So that means they they shut down Jabber. That doesn’t mean that they figured out who the leaker is. Right?
Vinny Troia: The person leaking it goes by [ContiLeaks]. But whether or not he’s the one with access, I don’t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they’ve moved servers.
Lisa Vaas: Well, awesome. What else can you tell listeners? What can you leave us with?
Vinny Troia: I would say that, just because Conti’s out doesn’t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they’re getting into a lot of these systems, it’s just using other people’s recycled passwords.
Vinny Troia: The hacks they’re using aren’t even that sophisticated. And I mean, even now the majority of hacks are still caused by reused passwords.
Lisa Vaas: We can get some intelligence out of the exploits that they’re targeting. I think I saw Zerologin was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike beacon thing.
Vinny Troia: Cobalt Strike’s been a red teaming tool forever. It’s a staple. For pen testers, it’s an amazing tool. And so the fact that they were using it isn’t really a surprise.
Lisa Vaas: Well, is there anything surprising that was found in the dumps? I know that we’ve got email addresses of some of the members of the gang.
Vinny Troia: You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there’s so much information here. I haven’t even gone through maybe a 10th of it. It’s coming up too fast. It’s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: rocket chat logs from a rocket chat. There’s thousands of logs here.
Lisa Vaas: Yeah, that’s pretty bad. When you’ve got a researcher, an intel expert who says he’s getting too much: The firehouse is open so wide. So the takeaways for listeners are that these leaks haven’t stopped, and we don’t even know how many that [ContiLeaks] is promising.
Vinny Troia: I mean, the fact that today’s leaks caused the shutdown, I presume caused a shut down of their Jabber server. I’m going to say that well has pretty much run dry. I don’t know what else is going to be released in terms of tools, but I’d say all of this has probably put a dent in everything they’re doing for a little bit.
Lisa Vaas: We can hope so, but I don’t think we should assume anything. And that’s what you’re telling us: They’re still going to be active and they’re going to retool anyway. Right. And will resurface.
Vinny Troia: Yeah. I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven’t even made it to the set about how the ransomware groups were being investigated.
Vinny Troia: And someone high up in the group basically told them they didn’t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It’s almost like they had insider information, or maybe they literally were working for [Russia].
Lisa Vaas: I think REvil. that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia’s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn’t I read Brian Krebs earlier today? I have to do that. That’s like a requirement of the job. OK, well, Vinnie, unless you’ve got anything else to add, I’m going to let you go.
Vinny Troia: No, all good.
Lisa Vaas: I appreciate it. Thank you so much. Thanks for coming on the podcast.
030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.
Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.