The leaked internal communication of a cybercrime gang provides astonishing insights. The structures it reveals resemble those of a conventional company. The criminals' personnel policy, however, appears to be quite questionable.
The Ukraine conflict is also causing remarkable upheaval in cybercrime. The criminals typically operate with a division of labour. Gang members are often distributed internationally and are mainly based in Eastern Europe. It is not uncommon for the heads of these gangs to be located in Russia.
In the course of the armed conflict, disputes and splits have also occurred within these groups, for example where a group was made up of Russians and Ukrainians, among others. The Conti group, known for numerous large-scale cyber attacks, was not spared either. As a result, internal chat logs and communication histories were leaked. According to the findings of security specialists, the Conti gang consists of Russian and Eastern European cyber criminals and is held responsible by the FBI for several hundred ransomware attacks, which are said to have caused damage of several hundred million US dollars.
The leak brought several gigabytes of chat histories to light, a treasure trove for security researchers. Their analyses paint a picture of a group that functions like a small or medium-sized company. There is a human resources department, an IT department whose administrators take care of the infrastructure, and a customer service department for negotiations with the victims. A few special areas stand out, however, for example the OSINT team, which researches victims in public sources. It tries to determine and evaluate sales figures, product announcements or planned acquisitions from those sources. This forms the basis for setting the ransom demand.
Company on course for growth
In mid-2021, the Conti group reportedly had a total of 62 employees, mostly programmers. They work in different areas: some develop malware, others are responsible for obfuscating and disguising it so that it cannot be detected by security software. Still other specialists are responsible for reverse engineering security software to analyse its functionality and capabilities. They look just as closely at the malware of other gangs in order to adopt its features. The head of the Conti gang operates under the alias "Stern". Security specialists have compiled an overview of the people involved and their roles.
Conti tends to be on a growth path: in the month mentioned above, 25 more employees were hired, according to the chat log, and more were to follow, according to an executive. To this end, the people from HR scour underground forums, approach potential employees there and even place advertisements on relevant portals.
Unconventional personnel policy
But the salaries offered apparently fall short of what Russian cyber criminals expect. The 2000 US dollars offered by Conti were mocked in the forums. One executive then felt compelled to emphasise that this was only the starting salary and that interested parties could move up very quickly, resulting in salaries between USD 5000 and 10,000. In the chats, however, Conti employees complain not only about poor working conditions, but also about the lavish payouts to management figures, although details remain unclear. They also complain about monotonous and boring work. In addition, many employees have to submit daily reports on their work. High staff turnover apparently forces the human resources department to look for new employees constantly.
In addition, US investigative agencies, especially the FBI and the NSA, have recently been putting a lot of pressure on the group. As a precautionary security measure, numerous employees are then dismissed as soon as they threaten to blow the whistle or are assessed as a security risk. So although the "company" generates high profits, it apparently cannot offer safe and interesting jobs.
Technical details on the Conti Group are illuminated in the article "Conti-Group: Thanks to millions in profits in the sights of investigators".
One of the most detailed analyses of the Conti chats can be found at security expert Brian Krebs's site.
Author: Uwe Sievers