
Russian-Based Ransomware and Phishing Attacks

April 14-20, 2022 | Issue 4 - Counterintelligence and Cyber (CICYBER) Team

Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team

Léopold Maisonny, Editor; Jennifer Loy, Chief of Staff

Phishing Attack[1]

Date: April 14, 2022

Location: Rostock, Germany

Parties involved: Nordex; Conti ransomware group; hacker groups

The event: Conti, a Russian-based ransomware group, claimed the ransomware attack on Nordex, a global manufacturer of wind turbines, that led to the shutdown of its Information Technology (IT) systems and turbine servers. Nordex disabled the remote servers that manage the turbines to mitigate further damage from the ransomware attack. Conti gained access to the network through phishing attacks that delivered Trickbot[2] malware. Once the malware was inside the system, Conti reached Nordex’s internal IT infrastructure, the physical and software components, like routers and applications, used to manage the network. Nordex reported that the attack remained within its internal systems and did not spread to customer or third-party data, with no indication of a data leak.[3]

Analysis & Implications:

  • The absence of a report of released data or ransom payment very likely indicates that Nordex is undergoing negotiations with the Conti ransomware group over the data accessed from the internal IT infrastructure system. If Conti encrypted the data through the malware used in the attack, Nordex would very likely try to negotiate a low ransom payment to regain control of the blocked data. If Nordex does not pay the ransom, Conti will almost certainly release the data, very likely exposing the company's assets and impacting its business ventures and turbine management systems. If Conti releases the data, other hacker groups could very likely target the company with the released data to attack and access other Nordex systems, very likely leading to a decline in firewall security and management.

  • Though Conti's attack did not spread past the internal systems, other hacker groups could very likely mimic the ransomware attack and attempt to reach customer and third-party data in the external systems. If Nordex does not implement additional security measures, like firewall protections, on its servers, a successful breach of customer and third-party data will very likely impact its reputation. The inability to prevent future cyberattacks will likely spur distrust among Nordex’s customers and third-party vendors that use the turbines, likely resulting in customers switching to other providers. A decline in customers will likely impact revenues and decrease the company's profit from a global customer base.

Date: April 17, 2022

Location: Ukraine

Parties involved: Ukrainian government; Computer Emergency Response Team of Ukraine (CERT-UA); Russian government; UAC-0041; UAC-0097

The event: UAC-0041, a Russian-based cyber group, and UAC-0097, an unknown threat actor, conducted phishing attacks targeting CERT-UA to steal sensitive governmental information, like banking credentials and government emails. UAC-0041 used IcedID[4] malware attached to the Excel documents in the phishing emails, allowing them to steal data and load other malware onto the targets’ systems.[5] UAC-0097 sent phishing emails with embedded images whose “Content-Location” header points to remote code that triggers the vulnerability CVE-2018-6882 and allows UAC-0097 to control the victim’s accounts. The last step of the phishing attack was forwarding the victims’ emails to an account under UAC-0097’s control.[6] UAC-0097’s phishing emails resemble the Tactics, Techniques, and Procedures (TTPs) Russian and Belarusian threat actors used to target Ukrainian governmental sectors.[7]
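The two lures described above leave traces a mail gateway or analyst can check for: a spreadsheet attachment (the IcedID delivery vehicle) and an inline image part carrying a “Content-Location” header that points at a remote host. The following triage script is an added example and is not part of the CICYBER report or any vendor tool; the two sample messages are constructed here for illustration, use reserved `.invalid` domains, and the list of spreadsheet extensions is an assumption about what an “Excel document” lure could arrive as.

```python
# Added example (not from the CICYBER report): a defender-side triage check for
# the two lure characteristics the report describes. Sample messages below are
# constructed for illustration and use reserved .invalid domains.
import email
from email import policy
from urllib.parse import urlparse

# Spreadsheet extensions the "Excel documents" lure could arrive with.
# Assumption: macro-enabled and binary workbook variants are included as well.
SPREADSHEET_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb")


def find_indicators(raw_message: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message.

    Flags (1) spreadsheet attachments and (2) image parts whose
    Content-Location header refers to a remote http/https resource.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no payload of their own
        filename = part.get_filename() or ""
        if filename.lower().endswith(SPREADSHEET_EXTENSIONS):
            findings.append(f"spreadsheet attachment: {filename}")
        location = part.get("Content-Location")
        if location and part.get_content_type().startswith("image/"):
            parsed = urlparse(str(location))
            if parsed.scheme in ("http", "https") and parsed.netloc:
                findings.append(f"image part with remote Content-Location: {location}")
    return findings


# Constructed message mirroring the report's lure traits: a spreadsheet
# attachment plus an inline image whose Content-Location is a remote URL.
SUSPICIOUS_MESSAGE = b"""From: sender@example.invalid
To: analyst@example.invalid
Subject: Urgent: please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See the attached document.
--b1
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1
Content-Type: image/png; name="logo.png"
Content-Disposition: inline; filename="logo.png"
Content-Location: http://remote.example.invalid/logo.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed benign message: the inline image is referenced only by
# Content-ID from the HTML body, with no Content-Location header.
BENIGN_MESSAGE = b"""From: newsletter@example.invalid
To: analyst@example.invalid
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo@example.invalid"></body></html>
--b2
Content-Type: image/png; name="logo.png"
Content-Disposition: inline; filename="logo.png"
Content-ID: <logo@example.invalid>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, find_indicators(raw) or ["no indicators"])
```

Run it as-is to see the suspicious sample produce two findings and the benign sample none; in practice the function would be fed raw `.eml` files from a quarantine folder, and a hit on the second check is a reason to inspect the mail client for the header-handling weakness the report cites rather than a verdict on its own.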

Analysis & Implications:

  • UAC-0097’s tactics very likely indicate that the group is conducting a cyberespionage campaign targeting Ukraine’s governmental sectors as the group seeks to access sensitive information from governmental institutions. If UAC-0097 accessed sensitive information relating to the Ukraine-Russia war, like military plans and tactics, they would likely provide it to the Russian government. The Russian government could very likely use this data to understand Ukrainian military tactics, which will likely provide them an advantage when on-the-ground military troop confrontation occurs.

  • UAC-0041 will very likely use IcedID malware to load further malware, like ransomware, onto Ukrainian governmental devices to access more information and threaten the target by encrypting their data. Access to more data, like financial credentials associated with the Ukrainian government, will very likely allow UAC-0041 to manage those accounts. UAC-0041 will very likely transfer government funds to their accounts to expand their finances. Once UAC-0041 has transferred all the funds, they will likely demand a ransom from CERT-UA for the encrypted data, likely worsening the financial burden.

The Counterterrorism Group (CTG)

[2] “Trickbot malware is a specific Windows-based malware that allows Conti access to the target’s network through a backdoor entry point created from the phishing email.” What is Trickbot malware?, CrowdStrike, January 2022

[3] Wind turbine firm Nordex hit by Conti ransomware attack, Bleeping Computer, April 2022

[4] “IcedID malware is a banking trojan used to deploy other malware, like ransomware.” Microsoft Exchange targeted for IcedID reply-chain hijacking attacks, Bleeping Computer, March 2022

[5] New Hacking Campaign Targeting Ukrainian Government with IcedID Malware, The Hacker News, April 2022

[6] IcedID Malware Is Being Used in a New Hacking Campaign Targeting the Ukrainian Government, Heimdal Security, April 2022

[7] Ukrainian Military and News Providers Targeted by Phishing Attacks, IT Governance, March 2022
