Russia’s space programme hit by western cyber attack

Western hackers have turned Russia’s own ransomware against it in a cyber attack on the country’s space agency, data obtained by security experts suggests.

A group of hackers linked to the cyber activist organisation Anonymous boasted of stealing files from Roscosmos, Russia’s space agency, in a series of posts on Twitter last month.

The hacking group, called Network Battalion 65, or NB65, posted images of server information that it claimed showed it had shut down a monitoring system used by the Russian space agency.

The chief of Roscosmos, Putin ally Dmitry Rogozin, hit back at the claims, describing NB65 as “scammers and petty swindlers”.

“All our space activity control centers are operating normally,” said Mr Rogozin in a tweet last month.

However, an analysis of a file containing source code claims to have found that the hackers used 66pc of the same code as Conti, the Russian cybercrime group known for using ransomware to extort millions of dollars from US and European companies.

Conti was behind a hack that paralysed Ireland’s health service and hospitals by scrambling key servers, which prevented clinical staff from using online systems.

Ransomware is among the most feared online threats, being used to cause thousands of pounds of damage and paralyse businesses for weeks.

The file was uploaded to anti-malware website VirusTotal and analysed by Intezer Analyze. 

VirusTotal is used by companies fighting off computer virus attacks to help identify malware found on their networks. Files uploaded to it are checked against databases of known malware and can also be viewed by security researchers.

William Thomas, a cybersecurity expert at Curated Intelligence, a research organisation, said: “We know NB65 have made a modified version of Conti thanks to the sample on VirusTotal.”

Ian Thornton-Trump, chief information security officer of cyber threat intelligence company Cyjax, played down the notion of Russia treating NB65 as a provocation. 

He said there is a “tiny bit above zero chance” of Russia responding to such attacks in kind.

“Some ‘punks’ armed with a ransomware tool kit are the least of their worries right now,” he added, saying Russian cyber-forces most likely have their hands full supporting their army’s invasion of Ukraine.

NB65 has faced controversy in the past over its claims of stealing confidential files. In early March the gang said it had stolen information from Russian antivirus company Kaspersky Lab, though it emerged those files only related to Kaspersky’s public-facing websites and contained no confidential information.

Source code for Conti was leaked online earlier this year by Ukraine-affiliated cyber activists, along with details of internal chats from the Russian gang. These helped researchers identify clear links between the shadowy cybercriminals and the Russian state.

NB65 has praised Ukrainian resistance against Russia and, unusually among hacking gangs, communicates mainly in English. 

Experts believe most ransomware gangs are based in former Soviet Union nations, to the extent that US president Joe Biden raised the topic with Vladimir Putin, the Russian president, in bilateral talks last year.

In a ransomware attack, computer files are scrambled by malicious software to prevent their use. Unscrambling them is only possible by paying whoever deployed the software for the decryption key.

Creating or using ransomware is a criminal offence in the UK, carrying a prison sentence of up to 14 years.
