As part of a recently identified cyber operation, a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12, the cybersecurity unit at BlackBerry reports.
Taking place in Vilnius, Lithuania, the NATO Summit has on the agenda talks focusing on the war in Ukraine, as well as new memberships in the organization, including Sweden and Ukraine itself.
Taking advantage of the event, RomCom has created malicious documents likely to be distributed to supporters of Ukraine, and appears to have dry-tested its delivery on June 22 and a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explains.
The threat actor likely relied on spear-phishing to distribute one of the malicious documents, relying on an embedded RTF file and OLE objects to initialize an infection chain meant to harvest system information and to deliver the RomCom remote access trojan (RAT).
At one stage in the infection chain, a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).
According to BlackBerry, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which has been observed connecting to known RomCom infrastructure.
Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other collected artifacts, BlackBerry is confident that the RomCom threat actor – or members of RomCom – is behind the cyber operation.
“Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.
The company has alerted relevant government agencies of this campaign prior to making the information public.
Also tracked as Void Rabisu and Tropical Scorpius, and associated with the Cuba ransomware, RomCom was believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that the group is likely working for the Russian government.
Since at least October 2022, the threat actor’s RomCom backdoor has been used in attacks targeting Ukraine, including users of Ukraine’s Delta situational awareness program and organizations in Ukraine’s energy and water utility sectors.
Outside Ukraine, RomCom attacks targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.