Ukrainian Activists Hack Trigona Ransomware Gang, Wipe Servers

Cyber Security Threat Summary:
A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. “The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys” (Bleeping Computer, 2023).

According to reports, the hackers gained access to Trigona ransomware’s infrastructure using a public exploit for CVE-2023-22515, a critical vulnerability in Confluence Data Center and Server. The zero-day has been used in attacks since September by a threat actor Microsoft tracks as Storm-0062.

The Ukrainian Cyber Alliance was able to breach Trigona’s Confluence server, establish persistence, and map out the criminals’ infrastructure without being noticed. One of the activists, who uses the handle herm1t, published screenshots of the ransomware group’s internal support documents. After the screenshots were published, the ransomware group attempted to change passwords and took down their public-facing infrastructure. However, over the next week, the activists managed to take all the information from the threat actor’s administration and victim panels, their blog and data leak site, and internal tools (Rocket.Chat, Jira, and Confluence servers). Herm1t says they were also able to exfiltrate the developer environment, cryptocurrency hot wallet, source code, and database records. Should any decryption keys be found in the transferred data, the hackers say they will release them.

Once the hackers harvested all available data, they deleted and defaced the group’s websites, and shared the key for the group’s administration panel site.

Security Officer Comments:
In 2014, multiple hacktivist groups in Ukraine and around the world began working together to defend the country’s cyberspace from Russian cybercriminals. “About two years later, individual hackers and several hacker groups united to form the Ukrainian Cyber Alliance (UAC), now registered as a non-governmental organization, and began to target various organizations and individuals supporting Russia’s activity against Ukraine” (Bleeping Computer, 2023).

Previously, the group has exposed information about Russian activity and propaganda efforts in Ukraine and other countries. Among UCA’s activities are hacking the Russian Ministry of Defense twice in 2016 and leaking public defense contracts and confidential data on the provision of the state defense order of 2015–2016. Another success was hacking the emails of Vladislav Surkov, an individual believed to have designed the machinery for Russian propaganda of the past years, where he discussed the annexation of Crimea and how to fund the Luhansk and Donetsk territories when they became Russian republics.

Our Operations Team has tracked a handful of attacks carried out by Trigona. While not the most prolific ransomware operation, the group has targeted at least 15 companies in the manufacturing, finance, construction, agriculture, marketing, and high technology sectors. The group appeared in late October last year, after launching a Tor site for negotiations. Before the launch of the Tor site, the group was observed in the wild without the Trigona branding, and used email to negotiate with victims.

Earlier this year, Trigona hackers were targeting Microsoft SQL servers exposed on the public internet using brute-force or dictionary attacks to obtain access credentials.

At the moment, due to the Ukrainian Cyber Alliance’s recent actions, none of the Trigona ransomware public websites and services are online. While UAC’s efforts will hinder the group’s operations, it is unclear what the full impact will be. It is fairly common for ransomware actors to rebrand and create new infrastructure.