The hacker group works on behalf of Russia on an ad hoc basis.

A cache of 60,000 leaked chat messages and files from the notorious Conti ransomware group shows how well connected the criminal gang is within Russia, according to a report in Ars Technica.

The documents were reviewed by WIRED and first published online at the end of February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group. They show how Conti operates on a daily basis and its crypto ambitions. They likely further reveal how Conti members have connections to the Federal Security Service (FSB) and an acute awareness of the operations of Russia’s government-backed military hackers.

Russia’s cybercrime groups have long acted with relative impunity. The Kremlin and local law enforcement have repeatedly ignored disruptive ransomware attacks as long as they didn’t target Russian companies. Despite direct pressure on Vladimir Putin to rein in ransomware groups, they’re still intimately tied to Russia’s interests.

As the world was struggling to come to grips with the COVID-19 pandemic’s outbreak and early waves in July 2020, cybercriminals around the world turned their attention to the health crisis. WIRED reported that on July 16 of that year, the governments of the UK, US, and Canada publicly called out Russia’s state-backed military hackers for trying to steal intellectual property related to the earliest vaccine candidates. The hacking group Cozy Bear, also known as Advanced Persistent Threat 29 (APT29), was attacking pharma businesses and universities using altered malware and known vulnerabilities, the three governments said.

After the leak, it’s “business as usual” for Conti

Russian patriotism is constant throughout the Conti group, which has many of its members based in the country. However, the group is international in its scope, has members in Ukraine and Belarus, and has links to members farther afield.

While members of the group reference Russian interests or government agencies, it’s unlikely they are working on behalf of officials. Senior members of Conti may have contacts, but rank-and-file coders and programmers aren’t likely to be as well connected.

Since Conti’s internal files were published on February 27 and 28, the group has continued to work. “They definitely reacted,” says Jérôme Segura, director of threat intelligence at the security firm Malwarebytes. “You can see from the chats that they were closing some stuff and switching to private chats. But it was really business as usual.”