Connect with us

Hi, what are you looking for?



Russia-Linked RomCom Hackers Targeting NATO Summit Guests

A recent RomCom cyber operation has been targeting NATO Summit guests and other entities supporting Ukraine.

As part of a recently identified cyber operation, a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12, the cybersecurity unit at BlackBerry reports.

Taking place in Vilnius, Lithuania, the NATO Summit has on the agenda talks focusing on the war in Ukraine, as well as new memberships in the organization, including Sweden and Ukraine itself.

Taking advantage of the event, RomCom has created malicious documents likely to be distributed to supporters of Ukraine, and appears to have dry-tested its delivery on June 22 and a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explains.

The threat actor likely relied on spear-phishing to distribute one of the malicious documents, relying on an embedded RTF file and OLE objects to initialize an infection chain meant to harvest system information and to deliver the RomCom remote access trojan (RAT).

At one stage in the infection chain, a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).

According to BlackBerry, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which has been observed connecting to known RomCom infrastructure.

Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other collected artifacts, BlackBerry is confident that the RomCom threat actor – or members of RomCom – is behind the cyber operation.

Advertisement. Scroll to continue reading.

“Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.

The company has alerted relevant government agencies of this campaign prior to making the information public.

Also tracked as Void Rabisu and Tropical Scorpius, and associated with the Cuba ransomware, RomCom was believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that the group is likely working for the Russian government.

Since at least October 2022, the threat actor’s RomCom backdoor has been used in attacks targeting Ukraine, including users of Ukraine’s Delta situational awareness program and organizations in Ukraine’s energy and water utility sectors.

Outside Ukraine, RomCom attacks targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Related: A Year of Conflict: Cybersecurity Industry Assesses Impact of Russia-Ukraine War

Related: Pro-Russian Group DDoS-ing Governments, Critical Infrastructure in Ukraine, NATO Countries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...