Too Many Toads: Lost in Translation
The perils of machine translation, the importance of dates, and how cultural and linguistic nuances cast new light on the Conti ransomware group
As the Natto Team pointed out in a previous posting, understanding cyber threat actors is like solving a 1000-piece jigsaw puzzle; it works best when the whole cybersecurity community shares insights, clues and research ideas. The Natto Team has seen many great cyber threat intelligence reports that nevertheless feel frustrating. These reports provide screenshots and quotations that offer valuable glimpses of the methods and motives of cyber threat actors, but they contain outright mistakes because they rely on machine-translated text. Or they fail to provide dates and the foreign-language original text that researchers with language and country knowledge could analyze. This is understandable: reports are often written under great time pressure, and laborious final tasks such as providing dates and original-language texts fall by the wayside. But without them, we are wasting valuable clues that could contribute to understanding and protecting against cyber threats.
What’s with the Toads and Soap?
Machine translation can make mistakes that throw off our understanding of threats. Examples:
You may have seen screenshots of conversations in which the participants talk about contacting each other using a “toad.” This is a machine mis-translation of жаба (pronounced “zhaba”), the Russian-language nickname for the Jabber instant messaging service.
Or they talk about communicating by cart: this probably comes from телега (pronounced “telega”), a Russian nickname for Telegram.
Why do they keep referring to communicating by soap? Turns out it actually refers to emails (which in Russian slang is мыло, pronounced “mwiluh,” literally “soap”).
The Russian word мир (pronounced “meer”) can mean either “peace” or “world.” The meaning can depend on context. Or it can be ambiguous: Russian President Vladimir Putin’s broad invocation of the term русский мир (“Russian peace/world”) seems to mean both. It refers to everyone in the world who speaks Russian, feels any cultural tie to Russia, or has ever been under Russian domination, and it implies that Russia should rightfully exert influence over all of these people. Russian ideologists have combined the two meanings, arguing for a “pax russica” [Russian peace], comparable to the Pax Romana during the Roman empire.
Knowing the date a conversation or event took place can unlock whole layers of meaning, depending on events going on at that time. For example, a member of the Wazawaka crime organization posted the cryptic phrase “Escape from Bakhmut” on May 5, 2023. Knowing about the dramatic events of that day in the battle for Bakhmut, Ukraine, may be a clue that the person was making a political commentary rather than identifying his home town, as an earlier Natto Thoughts posting noted. Update April 19-20 2024: A sharp-eyed reader pointed out that the phrase “Escape from Bakhmut” could be a reference to the video game “Escape from Tarkov,” in which Russian- and English-speaking mercenaries battle each other in a fictional Russian city. Political commentary, or life as video game? For more discussion, see the update at the end of the “Wazawaka, Part 2” posting.
Enriching Analysis: Case Study of Conti and the Cozy Bears
Readers who understand the foreign language and the significance of dates can pick up on additional meanings that are easily overlooked when only a translation is available, which is why the original-language version of a text matters. One striking example comes in a leaked chat among leaders of the Conti ransomware group. A report by US-based cybersecurity firm Trellix helpfully provides the dates and the Russian originals as well as English translations of the messages.
The Trellix report provides abundant evidence of Conti members’ ties with Russian government agencies, a topic that upcoming Natto Thoughts postings will explore in more depth. At the same time, a look at the original-language screenshots in the Trellix report allows a Russian-speaking analyst to find alternative translations and additional nuance. These insights can be a valuable contribution to the shared quest of solving the 1000-piece jigsaw puzzle of understanding cyber threat actors.
Below are some Trellix findings, in bold, followed by Natto Team comments in italics:
“Basil (tester/coder) was asked if he is from FSB, he subsequently replied he had serious intelligence related to Ukrainian border activity. This statement was made seven days prior to Russia’s incursion into Ukraine.” This conversation, taking place February 21 2022, was actually only three days before Russia’s full-scale invasion of Ukraine. Basil literally said, “I have very serious information that what’s happening on the border is not [just] an exercise.” Basil was likely referring to the Russian troop buildup on the borders with Ukraine, contradicting Russian government claims that it was only a military exercise. Whether true or false, Basil’s claim of inside knowledge gave him cover to state what was obvious to most of the world, that an invasion was imminent. Plus, he simply said “the border,” not the border with Ukraine. If anyone dared to challenge him, he could claim that he had in mind the arrival of NATO troops in northeastern Poland — near the border of Russia’s Kaliningrad region and of Russia’s ally Belarus — for the Saber Strike exercise; at least one Twitter post on February 21 had insinuated that this was not just an exercise on NATO’s part. This conversation illustrates the atmosphere of rumor, uncertainty, and possibly bluffing among group members about each other’s relationships with intelligence services.
“In another conversation involving Target (manager) he stated if they indeed encrypted Credit One Bank Troy (tester/crypter) would get a reward in the Kremlin.” Target literally said, “They will even give you a reward, a pirozhok [Russian pasty] with cabbage )))))))))).” Taking a step back to get the context, we can better understand his irony. This conversation took place in September 2020, at the height of the COVID pandemic, when Russia was racing against Western countries to make and distribute vaccines. Target’s previous sentence (containing a typo) should probably best be read as “If tomorrow they have no vaccine (не будет вакцины у них), then our people will gladly provide them some domestically made [vaccine].” The term “domestically made” has political resonance, given that Russia had been under global sanctions for many years, and Russian officials constantly called for import substitution and the promotion of domestically made goods. In addition, in recent years Russia had imposed counter-sanctions on imported delicacies like jamon and brie, raising the prospect of a return to the bland Soviet-era diet. In this context, the image of a pasty with cabbage suggests the pitiful rustic goods these coders were being offered in return for their sophisticated cyber actions against Russia’s enemies.
“Occasionally Conti seems to be asked to do so-called ‘pioneering’ (volunteering) work on a special request from one of two ‘offices’. As Soviet Pioneers (aka scouts) they do their fair share of work similarly to what Cozy Bear does.” A re-examination of the actual wording provides even more concrete evidence that Conti members have done not only unpaid Pioneer-style volunteering but also paid work for Russia’s intelligence services. A group member nicknamed “Professor” writes, “у меня есть кое кто по внешке кто платит…” Most reports translate this as “I have somebody externally who pays…” However, the term внешка (pronounced “vneshka”) in this context likely refers to a foreign-intelligence service (внешняя разведка, “foreign intelligence”), most likely Russia’s SVR (example of this usage here). Given the context, a better translation of this phrase would be, “I have somebody who works in the foreign intelligence field and who pays…” That is, Professor is saying he gets paid by the SVR.
Just a few lines later, “Professor” seems to confirm such a relationship, mentioning “the Cozy Bears are already going through the list.” He is referring to the SVR-linked state hacker group known as Cozy Bear or APT29. (Professor used the term “кози медведи,” using the English word for “cozy” and the Russian word for “bears”). By “going through the list,” he likely meant that Conti hackers had provided Cozy Bear with a list of targets already compromised, and that Cozy Bear personnel would identify targets of particular interest for further exploitation. This is how FSB officials worked with Russian cybercriminals to obtain intelligence from the 2014 Yahoo hack, according to a 2017 US indictment. Conti group member “Target” also proposed using this approach in targeting foreign government entities, according to Israel-based cybersecurity firm Kela.
“It is probable that one of the two offices [commissioning work from Conti] is a so-called ‘Bolshoy Dom’ (Big House), an office building located at 4 Liteyny Avenue which serves as the headquarters of Saint Petersburg’s local branch of FSB.” Together with the point mentioned above, this suggests that the two government “offices” with which Conti group members had relationships are the SVR and the FSB. The September 28 2020 message from Conti leader “Target” literally reads “Литейный пер. 4 - ответственный” (“Liteynyi Alley [sic] 4 is responsible”),* likely meaning that the FSB office was in charge of a particular task. This formulation echoes the language of official minutes from Russian meetings, in which each agenda item ends with the notation that so-and-so is “responsible” for carrying out the decision (here is one example of this usage).
These examples show how providing original-language screenshots and dates can allow analysts who have deep knowledge of a foreign language and culture to find insights that benefit the whole cybersecurity enterprise. Recent reports by Palo Alto Networks’ Unit 42 and Trustwave are additional models in this area. Kela Cyber provides the original screenshots without translations.
Update June 29 2024: For more detail on Russian cybercriminals’ use of prison slang, see this May 2022 article by cyber intelligence analyst Roman Faithfull.
Updated August 13 2024 to specify Basil’s original phrase about border activity in the February 21 2022 conversation.
———————————-
*A typo in “Target”’s message led the Natto Team down a rabbit hole. He used the abbreviation пер. in the address, which refers to an Alley (переулок), not an Avenue (проспект, abbreviated пр.). The Natto Team thought it worth exploring whether this address could refer to a different building than the FSB headquarters. A Google search for Литейный пер., 4 yields several instances of that address in Russia; available images show them to be shabby houses or ordinary apartments and offices. Therefore, it seems safe to assess that Target accidentally wrote пер. instead of пр. in the address and did have in mind the FSB building.
Very interesting. And I like the picture too ☺️