Louise Ferrett, Threat Analyst at Searchlight Security

On April 16, 2022, the ContiNews ransomware PR site posted the gang's newest victim: the Ministry of Finance of Costa Rica. Three days later, the post was updated with a sample of the stolen data, and a threat to continue attacks against Costa Rican agencies unless the government paid a requested ransom of $10 million.

On April 21, the post was updated to include the URLs of two more compromised government departments - the Ministry of Labour and Social Security and the Fund for Social Development and Family Allowances - shortly followed by an invite to Costa Rican hackers to monetize the growing tranche of published data. On April 25, another victim organization was added to the list - the Interuniversity Headquarters of Alajuela province - alongside another threat, this time of attacks against Costa Rican private companies. Despite these remarks, the freshly inaugurated government led by Rodrigo Chaves has not obliged Conti, instead declaring a State of Emergency in response to the attacks, which the president has compared to terrorism.

While certainly unusual, some parts of Costa Rica's ongoing ransomware siege are not without precedent; targeting public services and government agencies, issuing increasingly extreme threats to motivate ransom payment, and failing that, dumping a trove of stolen data on the dark web are all common tactics of current ransomware outfits. However, there are some notable features that distinguish this situation from the typical get-rich-quick ransomware heist, or even from its most similar predecessors. This blog explores these parallels and contrasts, and dives into the dark web history of the attack's potential mastermind.

Parallels with DarkSide Colonial Pipeline Attack

As Conti's attack on Costa Rica has unfolded, comparisons are being drawn between it and one of the highest-profile incidents of last year; the DarkSide ransomware attack against Colonial Pipeline, which resulted in widespread fuel shortages across the South-eastern United States. The cases do mirror each other in several ways, not least in the invocation of some form of emergency powers in response to a ransomware attack. 

Both attacks appear to have been initiated by an affiliate member of DarkSide and Conti's Ransomware as a Service (RaaS) models, rather than the core leadership of each operation. Both groups' representatives, following heightened media attention, have insisted their motivations are purely financial and their actions devoid of influence by a state government (despite both groups being widely regarded as semi-autonomous assets of the Russian intelligence services). This protestation was arguably more convincing in DarkSide's case, not only due to Conti's now-deleted statement of explicit support for Russia's invasion of Ukraine back in February.

Despite the attack against it having far-reaching political and critical infrastructure consequences, Colonial Pipeline was ultimately a private company, giving DarkSide a sliver of plausible deniability. In the case of Conti's attack against Costa Rica, however, the group has targeted government agencies and public services during a presidential transition, even going so far as to recently demand Costa Rican citizens take to the streets and overthrow the new administration if they do not pay the ransom, now increased to $20 million. While their core aim may still be to generate profit, Conti are certainly not afraid to wreak all manner of political havoc in order to achieve it.

Another key distinction between the two cases is that DarkSide did not name the supposed reckless affiliate responsible for initiating the attack, much less allow them control of the group's dark web PR site. In contrast, Conti's announcement regarding Costa Rica has been periodically updated with edicts from the alleged instigator of this operation, an actor identifying themselves as UNC1756. The difference in tone is also stark; DarkSide were almost apologetic, claiming they "didn't mean to create problems", before quickly deleting the Colonial Pipeline announcement from their PR site.

UNC1756 has made no such appeals, opting instead to publish 97% of the exfiltrated data, threaten further attacks against the Costa Rican government as well as large companies, and generally berate its victim for their lack of cooperation. One of the updates by UNC1756 stated their intention to "carry out attacks of a more serious format with a larger team", citing Costa Rica as "a demo version". It should be noted that Peru's intelligence agency has also been recently attacked by Conti, with the government being similarly derided and threatened on the group's PR site.

Who is UNC1756?

So who is UNC1756? The name itself reveals something about the actor's aspirations, with UNC being the prefix used in Mandiant's naming convention to denote a cluster of cyber threat activity not yet categorized as either an Advanced Persistent Threat (APT) or financially motivated (FIN). The moniker UNC1756 appears to be self-applied, with no record of previous threat activity being grouped under this label. It suggests the actor wants to be viewed as a serious and credible threat, one that has been officially identified and tracked.

If the dark web breadcrumb trail is to be believed, it appears UNC1756 is fairly new to the underground cybercrime scene, at least under this identity. In one update to the Costa Rica announcement on Conti's PR site, a link is included at the end of the post, which resembles a shortened URL pointing to a user profile on Exploit, a popular Russian cybercrime forum. A user by the name of UNC1756 does indeed exist on Exploit, having registered on the forum in early March 2022.

Their first post, made on the same day they registered, is a job listing offering various ransomware-adjacent services, including corporate network access, reconnaissance of network structure and backups, and accessing and downloading databases. They received generally positive reviews, with their only stipulation being that they would not work against companies in the CIS region and China. Over a month later, and two days after the first attack against Costa Rica's finance ministry was announced, UNC1756 closed the service "due to lack of demand".

Their next post, last edited on April 18 but likely created earlier, is selling access to "special" networks in Costa Rica. As UNC1756 tells it, "special networks are like Hacienda", aka the Ministry of Finance. This is possibly the point at which UNC1756 was privately recruited by Conti. Other posts include an enquiry about exploiting the 2020 SMBGhost vulnerability (CVE-2020-0796), a detailed response to a user seeking advice on gaining access to a CISCO network and using AdFind - a tool used by threat actors to harvest information from Active Directory and perform network reconnaissance - and a request for a list of sites from another user selling web shell access.

A post from May 10, 2022, shows UNC1756 offering their hacking services once more; the post includes a reference to the fact there is a reward assigned to them - presumably referring to the $15 million reward being offered by the US State Department for information on Conti members and leadership - and that this has triggered an influx of unwanted attention from English speakers. UNC1756 closed the topic within an hour, citing a lack of profitability from the endeavour and that it would be better for them to "take a break", perhaps an indication that the reality of their newfound notoriety was starting to set in.

UNC1756 has remained active on Exploit throughout the attack against Costa Rica, mainly offering their opinion on various hacking-related topics and seeking further access to corporate networks. Other than the previously mentioned indication that they may take a break, the threat actor does not appear phased by the international scrutiny now focused on their actions. They also recently claimed responsibility for another, seemingly unrelated, cyberattack against Oregon-based receptionist company Ruby Receptionists last week. Like the announcement on Conti's dark web site that implored Costa Ricans to protest their government, this post specified that UNC1756 consists of two people.

Final Thoughts

While this short investigation has uncovered a decent amount of information about UNC1756 - an apparently competent pair of hackers with a curiously young Exploit account, who are actively participating in numerous unrelated forum threads during their attack on Costa Rica - we're left with more questions than answers. Why would Conti allow an apparent outsider and forum newbie to not only launch an attack against a nation-state using their malware, but also have full control over their dark web PR page, even promoting their own forum profile in several of the announcements? Is this a ruse cooked up by Conti, a fake persona hastily assembled to confuse authorities? Is UNC1756 genuine, and being allowed by Conti leadership to make a spectacle with the intention of selling them out afterwards? Are Conti burning their reputation before moving on to a new venture? Only time will tell.