Russia Leaks Data From a Thousand Cuts–Podcast


It’s not just Ukraine: There’s a flood of intel on Russian military, nukes and crooks, says dark-web intel expert Vinny Troia, even with the Conti ransomware gang shuttering its leaking Jabber chat server.

Information about nuclear plants and air force capabilities. Conti ransomware gang crooks conjecturing that the National Security Agency (NSA) was maybe behind the mysterious, months-long TrickBot lull. Doxxed data about 120K Russian soldiers.

Those are just some of the sensitive, valuable data being hacked out of Russia in the cyber war zone, a war that erupted even before the country invaded Ukraine.

“Everyone is so focused on Russia hacking the world, but the world has been hacking Russia…. And dumping a lot of critical data on military, nuclear plants, etc.,” said Vinny Troia, cybersecurity Ph.D. and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm.


He’s one of an untold number of dark-web threat intelligence experts who’ve been poring over the intel that’s been flooding out of practically every nook and cranny of the internet: data posted on Twitter and Telegram, and the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks/vx_underground.

(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)

That ongoing dump, which has included source code for Conti and TrickBot, a decryptor (one that, unfortunately, doesn’t help recent victims whose files have been encrypted by the current Conti build), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.

He visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.

You can download the podcast below or listen here. For more podcasts, check out Threatpost’s podcast site. Also, see below for a lightly edited transcript.

Lightly Edited Transcript

Lisa Vaas: Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we’re going to focus on all of the data that’s being leaked on Russia as a result of its invasion of Ukraine.

Lisa Vaas: Thanks for coming on the podcast. Vinny, before we jump in, could you give us a bit of your background, please?

Vinny Troia: Sure. Thanks for having me. Yes. So my background: I come from a DoD background, did a lot of work for Surface Deployment Command. And yeah, I was there for about, I think, six or seven years before moving over to the private sector.

Vinny Troia: And while I was there, you know, I did a lot of work in compliance and, you know, random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. You know, fast forward to today, you know, our focus now is primarily dealing with a lot of ransomware cases, incident response. You know, we do a lot of ransom negotiations as well.

Vinny Troia: So we’re constantly focused on, you know, dark web threat actors and you know, any of the players really.

Lisa Vaas: Thank you for that. And well, this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has also been hacking Russia and dumping a lot of critical data on military, nuclear plants, etc.

Lisa Vaas: Where is your Intel coming from? Are there any forums in particular that you’re clued into or is that something you can’t even discuss?

Vinny Troia: It’s not even like that. It’s, I mean, it’s literally everywhere. I mean, there’s Telegram channels. I mean, some is just being pasted right on Twitter.

Vinny Troia: I mean, it’s literally coming from all angles at this point.

Lisa Vaas: Well, tell me what you’re seeing.

Vinny Troia: I’d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. So that was kind of interesting, almost like a precursor to what was happening.

Vinny Troia: And now it’s almost like, you know, the rest of the world is really pissed and started hacking back, and you’re seeing so much data coming out. I’m actually looking, sorry, as we speak, I’m going through some of this data. I mean, there’s stuff on nuclear plants, some of their air force capabilities.

Vinny Troia: There’s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it’s really just data coming from all depths of… from other infrastructure.

Lisa Vaas: Well, who is the primary source?

Lisa Vaas: I mean, I know that Anonymous, of course, has jumped in to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who exactly is hacking this stuff out of Russia?

Vinny Troia: I mean, honestly, I couldn’t tell you. I mean, like I said, it’s coming from all sorts of places.

Vinny Troia: Right. And when things get leaked, I mean, they just get leaked from various, you know, people start, you know, usernames on forums or Telegram channels. And so you never really know who it’s coming from. It is interesting that, you know, the world kind of banded together against this. And, you know, Russia was supposed to have this big cyber arsenal against them.

Vinny Troia: And, you know, it’s really funny that Joe Biden didn’t mention security once in the State of the Union last night, being that it was such a big deal and everybody’s been talking about it.

Lisa Vaas: Yeah. And I remember it was NBC News last week that was reporting on the big cyber attack, major offensives that were being discussed at the White House, but then the White House denied that.

Vinny Troia: Well, but even so, the news has been all about cyber attacks and Russia’s capabilities and, you know, it’s such a priority, but it just wasn’t even mentioned once. I just find that really strange. But regardless, you know, it’s nice that the world kind of banded together to really come after Russia.

Vinny Troia: And, you know, one of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they’re arguably, you know, the largest, or at least one of the top few largest ransomware groups in the world. And I mean, they’re just having everything leak: source code, recovery keys, chat logs.

Vinny Troia: I mean, as recently as today, with the most recent chat logs that came out. So somebody still has access to their servers, and I haven’t even had a chance to read the ones from the… But, I mean, there’s really great

Lisa Vaas: Intel. Damn. I just wrote up the second dump and I didn’t even know there was more posted today.

Lisa Vaas: Ah, it’s so hard to keep up. Oh, damn. Well, can we talk a little bit about those dumps? Now, as I understand it, I mean, the decryptor for version two of the Conti Locker ransomware software, that’s not even going to be usable to anybody, because it was for an older version.

Lisa Vaas: Right. So that’s not usable. But also, you know, how is this going to affect Conti? Another one of my sources was telling me that there’s just one of the groups, one of the gang’s groups, that got hit by this, and everybody else is pretty much doing fine. And they’re kind of carrying on business as usual.

Vinny Troia: I think what’s really interesting, and they talked about this in some of the logs: so Conti uses, or used, this one piece of software called TrickBot in order to disseminate and infect clients, and one grouping of the chat logs showed that the NSA came after TrickBot specifically.

Vinny Troia: I don’t know whether or not they reverse engineered it or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.

Vinny Troia: And so the software couldn’t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.

Lisa Vaas: I totally missed that. Which repository was that in? What’s the name of the repository? You know…

Vinny Troia: …offhand? It’s all JSON files. I couldn’t even…

Lisa Vaas: okay.

Lisa Vaas: Okay. Because, I mean, we reported it, everybody knew that TrickBot pretty much shut down for a few months, but I didn’t know that about the NSA piece. That’s fascinating.

Vinny Troia: Okay. So, and I will say it’s presumed to be the NSA, but given the level of skill that was involved in, we’ll call it, finesse.

Vinny Troia: I would say it would have to be some government agency.

Lisa Vaas: What’s in the leak files? Is it chatter about that shutdown?

Vinny Troia: Yeah, it’s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.

Vinny Troia: And I mean, they were down for a little bit and, I mean, eventually they came back. But it just shows that, you know, they were being targeted by, you know, nation states. But I mean, I think the most interesting thing is, I mean, if this really is a Russian-operated group, which is what it seems like, then the fact that all these files are being leaked, whether it’s from an insider or somebody who’s, you know, a researcher who’s attacking them specifically…

Vinny Troia: I think this is going to have a major toll on Russia’s finances, especially considering, I mean, this is a group that is averaging, what, a couple hundred million dollars a year in recurring revenue. I mean, that can’t be an easy hit for…

Lisa Vaas: Right. And I guess, well, if Russia’s economy is, I mean, what, I’m just musing out loud.

Lisa Vaas: I don’t expect you to know this, but maybe you do: how much of Russia’s economy is actually coming from ransomware or other malware?

Vinny Troia: I think the majority, actually. So I think the majority of Russia’s economy is coming from some sort of crime, period. I mean, there’s not a whole lot going on over there.

Vinny Troia: I mean, it’s like a big wasteland.

Lisa Vaas: Right? And as the underground members say, protect the motherland and the motherland protects you. Except for when they need some stooges to arrest, some low-level stooges, to make the U.S. happier, whatever happened recently. Okay. Well…

Vinny Troia: I mean, what I was gonna say, as far as the decryptor, I mean, you’re correct.

Vinny Troia: I mean, it is for an older version. I think I saw some keys floating around as well, but, you know what I mean, new code is written on top of old code, and it’s not like it was replaced completely. So I would imagine that there will be some fallout from, you know, from that code base.

Lisa Vaas: Yeah, well, yeah, there’s a lot to go through.

Lisa Vaas: There’s a lot of code to go through, I hear. So what were some other really great finds in the intelligence that we’re getting out of Russia during this crisis?

Vinny Troia: I mean, you know, it’s like I mentioned before. I mean, it’s information on citizens, it’s information on military members. I’ve seen things on nuclear plants, so it’s…

Vinny Troia: You know, I can’t speak to what can be done with all of it, honestly, but the point is it’s there and, you know, in the right hands, I’m sure it could be pretty useful.

Lisa Vaas: Right. Right. Okay. Well, it’s really interesting. I don’t know what else to ask you about it. But you’re keeping an eye on it constantly,

Lisa Vaas: I assume. During these days, it’s just not going to let up.

Vinny Troia: No, you know, and like I said, you know, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access, you know, has been able to pull a lot down, and I think they actually just shut it down finally.

Lisa Vaas: Oh, so that means they figured out… well, they just shut down Jabber. That doesn’t mean that they figured out who the leaker is, right?

Vinny Troia: I mean, the person leaking it goes by vx_underground. But, you know, whether or not he’s the one with access, you know, I don’t know. But the point is they figured out that somebody did have access to their Jabber logs.

Vinny Troia: So now they’ve moved servers.

Lisa Vaas: Okay. But vx_underground, I thought they were just a source that was connected to ContiLeaks, but they might be one and the same entity, I assume.

Vinny Troia: Yeah. I can’t speak to that.

Lisa Vaas: Yeah. Okay. Well, awesome. What else can you tell listeners? What can you leave us with?

Vinny Troia: You know, I would say that, you know, just because Conti’s out doesn’t mean that the problem is going away anytime soon. So be diligent in keeping up with your passwords and making sure that you actually have fresh passwords, because, I mean, looking at these logs and how they’re getting into a lot of these systems, it’s just using other people’s recycled passwords.

Vinny Troia: You know, the hacks they’re using aren’t even that sophisticated. And I mean, even now the majority of hacks are still, you know, caused by reused passwords.

Lisa Vaas: So yeah. Well, we can get some intelligence out of, like, the exploits that they’re targeting. I think I saw Zerologon was mentioned as one, and of course we know a lot about their tooling right now.

Lisa Vaas: Like the whole Cobalt Strike Beacon thing. Well, I mean…

Vinny Troia: Cobalt Strike’s been a red teaming tool forever. I mean, that’s just, it’s a staple. I mean, for pen testers, I mean, it’s an amazing tool. And so the fact that they were using it isn’t really a surprise. I mean, one of the things that Cobalt Strike does really well is it allows pen testing between teams.

Vinny Troia: So you can interact with other team members. So, I mean, I could totally see why they would do something like that.

Lisa Vaas: Well, is there anything surprising that was found in the dumps? It’s just really great stuff. I know that we’ve got, like, email addresses of some of the members of the gang, but I don’t know what can be done with that.

Vinny Troia: I mean, you can use that to look for other accounts, so their usernames, and potentially start to reverse back to maybe who they are. But, I mean, there’s so much information here. I mean, I haven’t even gone through maybe a tenth of it. I mean, it’s coming up too fast.

Lisa Vaas: What are you going to look for in particular?

Lisa Vaas: You’re just going to plod through it and see whatever jumps out? There’s supposed to be a lot of it.

Vinny Troia: Yeah, it takes, it’s a full-time, yeah, full-time job. It takes a full-time team at this point to go through all of this. I mean, because then there was another thing that came out, Rocket.Chat logs from a Rocket.Chat server.

Vinny Troia: I mean, there’s thousands of logs here.

Lisa Vaas: Yeah, that’s pretty bad, when you’ve got a researcher, an intel expert, who says he’s getting too much intel, the firehose is open so wide. Yeah, exactly. Yeah. Well, okay. So the takeaways for listeners are that these leaks haven’t stopped; we don’t even know how many vx_underground is promising.

Vinny Troia: I mean, the fact that today’s leaks caused the shutdown, I presume caused the shutdown, of their Jabber server, I’m going to say that well has pretty much run dry. I don’t know what else is going to be released in terms of tools, but I’d say all of this has probably put a dent in everything they’re doing for a little bit.

Lisa Vaas: Well, we can hope so, but I don’t think we should assume anything. And that’s what you’re telling us, you know: they’re still going to be active and they’re going to retool anyway, right? And come up, resurface. So it’s not…

Vinny Troia: Yeah. Oh, no, I was going to say, you know, giving credit to Krebs on this one, one of the things he reported on was that there was a conversation, and I haven’t even made it to that set, about how the ransomware groups were being investigated.

Vinny Troia: And someone high up in the group basically told them, you know, they didn’t have anything to worry about; the investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It’s almost like they had insider information, or maybe they were literally working for…

Lisa Vaas: Yeah, maybe. I mean, I think REvil, I think that takedown was the one I was thinking of when I alluded to this kind of tokenism, token law enforcement action on Russia’s part, to maybe make us shut up. Now it’s like, yeah, they didn’t get anybody at boss level at all, poor-slob-level grunts. Jesus.

Lisa Vaas: Okay, well, awesome. Now I have to go read Brian Krebs. Why didn’t I read Brian Krebs earlier today? I have to do that. That’s like a requirement of the job. Okay, well, Vinny, unless you’ve got anything else to add, I’m going to let you go.

Vinny Troia: No, all good.

Lisa Vaas: I appreciate it. Thank you so much. Thanks for coming on the podcast.
