A group of Anonymous-affiliated hackers turned Russia’s own ransomware against its national space agency, security experts have said.
Network Battalion 65 – or NB65 – last month claimed in a series of posts on Twitter that the group had stolen files from Roscosmos, and taken down satellites.
NB65 shared a series of images of what it said was Roscosmos server information, which it said demonstrated it had shut down a monitoring system operated by the Russian space agency.
The group claimed Russian President Vladimir Putin ‘no longer had control over spy satellites’ and said it had downloaded and deleted confidential files related to the space agency’s satellite imaging and Vehicle Monitoring System.
Putin’s ally Dmitry Rogozin – who is the chief of Roscosmos – denied that it had lost control of its systems and called the group ‘scammers and petty swindlers’.
‘All our space activity control centres are operating normally,’ Rogozin wrote in a tweet last month in response to the claims.
Analysts who delved into a file containing the source code behind the hack have now claimed it shared code with ransomware used by a Russian cyber crime group, according to The Daily Telegraph.
The experts said they found that 66 percent of its code matched that of Conti – the ransomware of a Russian crime group of the same name – which has extorted millions of dollars from western companies.
This suggested that NB65 turned Russian ransomware against itself in its cyber attack on Roscosmos last month.
Conti was responsible for a hack that took down key servers used by Ireland’s health service and hospitals, temporarily crippling its IT infrastructure. It has also extorted millions from companies by holding vital IT systems for ransom.
According to the Australian Cyber Security Centre (ACSC): ‘Conti is offered as a Ransomware-as-a-Service (RaaS), enabling affiliates to utilise it as desired, provided that a percentage of the ransom payment is shared with the Conti operators as commission.’
Conti’s code and details of its internal chats were leaked online last year by Ukraine-affiliated cyber activists. The leak helped analysts link the cyber gang with the Russian state, and helped security professionals develop defences against it.
NB65’s file was uploaded to an anti-malware website called VirusTotal and examined by Intezer Analyze. It was then compared to VirusTotal’s database of malware, and found to match Conti’s ransomware.
For their part, NB65 has praised Ukraine’s resistance against the on-going Russian invasion. Unusually, it mostly communicates in English, the Telegraph reported.
On Friday, the group posted on Twitter: ‘A couple of things we want to take a moment and clarify due to some recent media attention.
‘1) Companies and governments outside of Russia need not be worried about NB65. Russian assets are our only targets. 2) Ransomware payments (if any are made) will be donated to #Ukraine,’ it said.
The group has faced controversy in the past when in March it said it had stolen information from Kaspersky Lab – a Russian antivirus company. It later emerged the files it stole did not contain confidential information.
News of NB65’s use of Conti’s code came as Anonymous leaked a massive trove of Kremlin files, as it vowed to keep targeting Russia until the country ends its ‘aggression’ against Ukraine.
Government institutions and Russian companies were breached in the cyber attack, with the data dump including more than 200,000 emails from the Russian Ministry of Culture, a body which has oversight over censorship, archives and art.
The vigilante hackers also hijacked emails and data from the oil and gas company Aerogas as part of ongoing attempts to infiltrate and disrupt the Russian war effort.
It has now insisted that it will continue hacking and releasing confidential information until Russia withdraws from its offensive.
In a tweet, the group wrote: ‘The hacking will continue until Russia stops their aggression.’
It first announced it was ‘officially in cyber war against the Russian government’ on the day Putin invaded Ukraine on February 24.
Since then, the hacking collective has been involved in various attacks in an effort to spread information about what Russia still says is a ‘special military operation’.
New press censorship legislation in Russia is severely hampering transparency about what is actually happening within the Kremlin.
The ‘fake news’ laws mean that anyone found guilty of disseminating ‘false information’ about the Russian forces can face extreme penalties, including a prison sentence of up to 15 years.
Earlier this month, Anonymous also leaked the personal data of 120,000 Russian soldiers fighting in Ukraine, disclosing personal information such as names, date of birth, addresses, unit affiliation and passport numbers.
‘All soldiers participating in the invasion of Ukraine should be subjected to a war crime tribunal,’ the hackers wrote on Twitter.
Anonymous also claimed it had targeted Russia’s central bank and stolen 35,000 files, as well as hacking unsecured printers across Russia to print out ‘anti-propaganda’ messages about the Ukrainian invasion.
A member of the collective, who goes by @DepaixPorteur on Twitter, tweeted: ‘We have been printing anti-propaganda and tor installation instructions to printers all over [Russia] for 2 hours, and printed 100,000+ copies so far. 15 people working on this op as we speak.
‘We’re currently launching a printer attack on 156 [Russian] printers. Already over 40,000+ copies.’
Only last week Anonymous claimed it had also managed to leak more than 900,000 Russian state media emails.
Anonymous has previously targeted groups including the Ku Klux Klan and Islamic extremists.
Members are known as ‘Anons’ and are distinguished by their Guy Fawkes masks.
In July last year, the collective warned Tesla founder Elon Musk that they planned to target him after saying he wields too much power over the cryptocurrency markets.
THE ELUSIVE HACKING GROUP ANONYMOUS
Hacker group Anonymous has been linked to online attacks around the world aimed at punishing governments for policies of which the hackers disapprove.
The group are seen as anything from digital Robin Hoods to cyber terrorists for their hacking campaigns against government agencies, child pornography sites and the Ku Klux Klan.
In 2008 the online community staged a series of protests, pranks, and hacks against the Church of Scientology as part of its ‘Project Chanology.’
Later targets of Anonymous ‘hacktivism’ included government agencies of the US, Israel, Tunisia, Uganda, and others; copyright protection agencies; the Westboro Baptist Church; and corporations such as PayPal, MasterCard, Visa, and Sony.
In 2013 they declared war on secretive ‘chat sites’ used by paedophiles to trade images.
Dozens of people have been arrested for involvement in Anonymous cyberattacks, in countries including the US, UK, Australia, the Netherlands, Spain, and Turkey.