top of page

Conti, a Russian-Based Ransomware Group Dissolves and KrebsOnSecurity Reports DEA's LEIA Breach

May 19-25, 2022 | Issue 9 - Counterintelligence/Cyber (CICYBER)

Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team

Justin Maurina, Editor; Jennifer Loy, Chief of Staff

Data Security Breach[1]

Date: May 19, 2022

Location: Global

Parties involved: Conti; AlphV; HIVE; AvosLocker; Karakurt; BlackByte

The event: Conti, a Russian-based ransomware group, shut down its Ransomware-as-a-Service (RaaS)[2] operations website, negotiation services, and chat servers, but pending ransom negotiation will remain active. Conti’s dissolution aims to create smaller autonomous groups that partner with other cybercrime groups, like AlphV, HIVE, and AvosLocker, to conduct future cyberattacks using their malware. Conti also plans to work with cyber groups like Karakurt and BlackByte, who use stolen information from attacks to extort the victims.[3]

Analysis & Implications:

  • Conti’s disintegration will likely allow its members to avoid detection in future attacks by operating in smaller and less monitored cybercrime groups and attack more regularly due to this reduced detectability. Increased attacks will likely cause law enforcement difficulty identifying and prosecuting these groups because of splitting resources to handle attacks. Fewer resources available will very likely force law enforcement to restructure its methodology to detect the cybercrime groups’ activity to adapt to this changing scenario. New law enforcement tactics will very likely pressure cyber groups to create different attacking techniques to avoid creating a pattern and being easily detected.

  • The newly autonomous groups will likely consist of members specializing in RaaS or malware to enhance group capabilities and attack effectiveness. The specialized groups will likely connect with similar cyber groups and share their techniques to improve future attacks. New partnerships could very likely emerge as new cybergroups offer services like Malware-as-a-Service (MaaS)[4] or RaaS, very likely aiding unspecialized cyber groups to target new victims and conduct more attacks. Increased and more effective attacks will likely reduce the companies’ ability to protect their networks due to outdated cybersecurity policies.

Date: May 20, 2022

Location: Washington DC, USA

Parties involved: US; US Drug Enforcement Agency (DEA); US Department of Justice (DOJ); US Federal Bureau of Investigations (FBI); US forces; KrebsOnSecurity; Unknown Cybercriminal(s); Unknown Online Hacker(s); Russia; China

The event: KrebsOnSecurity reported that cybercriminals accessed the DEA’s data portal known as the Law Enforcement Inquiry and Alerts (LEIA) system and alerted the US DOJ, FBI, and the DEA. The DEA is currently investigating the potential data breach on its system, which does not require two-factor authentication (2FA). The cybercriminals who breached the DEA’s LEIA system are associated with online hackers who impersonate police officers in the requests, gaining them access based on the pretense of an emergency alert. The cybercriminals possibly then surfed the alert system and accessed LEIA’s search capabilities that link to 16 different federal law enforcement databases and 3330 data inventories[5] under the DOJ.[6]

Analysis & Implications:

  • Access to other databases and inventories will very likely allow cybercriminals to obtain mission-sensitive information about military or trade, likely selling the content to US adversaries like Russia or China for financial profit. Foreign countries accessing the data could likely target US clandestine military positions, likely to gather US intelligence. The data exposure could likely allow enemy forces to locate and strike at US forces, very likely leading to the US espionage agent deaths.

  • Future data breaches within US agency’s systems that lack 2FA will very likely increase due to the lack of additional authentication measures like time-based one-time passwords (TOTP)[7]. US government portals lacking 2FA will very likely allow cybercriminals to enter employee accounts without detection as login credentials are likely easier to cycle through than hacking a TOTP, which requires a physical agent. The lack of detection will very likely enable them to surf the accounts that very likely hold classified intelligence like counterterrorism investigations through the linked databases. This data release would almost certainly pose a national security threat to the US as the intelligence could reach offenders under investigation, who will very likely move locations to avoid capture.

________________________________________________________________________ The Counterterrorism Group (CTG)

[2] “RaaS is an illicit parent-affiliate(s) business infrastructure where operators, like malicious software owners, provide tools to affiliates to carry out ransomware attacks.” Ransomware-as-a-Service (RaaS) - The Rising Threat to Cybersecurity, Heimald Security, August 2021,

[3] Conti ransomware is shutting down operations, what will happen now?, Security Affairs, May 2022,

[4] “MaaS is a service that allows malware providers to provide paid access to highly-effective malware and technical support to cyber groups to conduct malware attacks.” Malware-as-a-Service (MaaS), Kaspersky, 2022,

[5] “A data inventory is referred to as a data map which displays a catalog of all data assets within the organization.” The Basics of Data Privacy, Exterro, 2022,

[6] Data Breach on DEA Law Enforcement System Grants Cyber Criminals Access to 16 Databases, CPO Magazine, May 2022,

[7] “TOTP is a mobile-generated passcode specifically for the user that it needs to manually type when introducing their login credentials to keep their accounts safe.” Tokens and Passcodes, DUO, 2022,



bottom of page