RomCom Group Targets Ukraine Supporters Ahead of NATO Summit

The RomCom threat actor has reportedly launched a targeted cyber campaign aimed at organizations and individuals supporting Ukraine just days before a highly anticipated NATO Summit.

The BlackBerry Threat Research and Intelligence team uncovered the operation and described it in an advisory published earlier today.

In particular, the team said it discovered two deceptive documents on July 4 used as lures by the RomCom group.

“Based on our internal telemetry, network data analysis and the full set of cyber weapons we collected, we believe the threat actor behind this campaign ran their first drills on June 22, and also a few days before the command-and-control (C2) mentioned in this report was registered and went live,” reads the advisory.

BlackBerry said the malicious files were designed to deceive and compromise organizations supporting Ukraine abroad, as well as individuals expected to attend the upcoming NATO Summit. 

According to the technology firm, the tactics employed by RomCom underscore the group’s ability to exploit geopolitical contexts and leverage major international events for their malicious activities.

While the exact method of initial infection remains undisclosed, the BlackBerry team suspects spear-phishing as the primary vector used by the RomCom group.

By impersonating the Ukrainian World Congress organization and creating a fabricated lobbying document supporting Ukraine, the threat actors aimed to deceive their targets and gain unauthorized access to sensitive information.

The weaponization relied on RTF files and OLE objects embedded in the lure documents. When a document was opened, the victim's machine connected to IP addresses associated with VPN/proxy services, and the traffic between victim and operator ran primarily over HTTP and SMB. Outbound SMB from a user workstation to an internet host is almost never legitimate, so it is both a cheap thing to block at the network edge and a reliable detection point for this kind of document-borne callback.
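As an added triage example (not code from BlackBerry's advisory or from this article), the Python script below hex-decodes the `\objdata` blobs that carry embedded objects in an RTF file, checks for the OLE compound-file signature and the `\objupdate` control word (which forces the object to refresh before it is displayed, so a linked object reaches out without user interaction), and pulls any UNC paths or HTTP URLs out of the decoded object. The sample RTF, the 203.0.113.5 address and the file names are constructed for the demonstration and are not indicators from the campaign.

```python
import re
from typing import Dict, List

# Magic of an OLE2 compound file (MS-CFB); an embedded OLE object carries one.
OLE_CF_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# \objdata carries the embedded object as a hex string (OLE1 native data).
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\\s]+)")
# UNC path to an IPv4 host: the form a document uses to load an object over SMB.
_UNC_RE = re.compile(rb"\\\\[0-9]{1,3}(?:\.[0-9]{1,3}){3}\\[\x21-\x7e]+")
_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Return the hex-decoded bytes of every \\objdata group in the document."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> Dict[str, object]:
    """Summarise the embedded-object indicators in an RTF document."""
    blobs = extract_objdata(rtf)
    unc, urls = [], []
    for blob in blobs:
        unc += [s.decode("latin-1") for s in _UNC_RE.findall(blob)]
        urls += [s.decode("latin-1") for s in _URL_RE.findall(blob)]
    return {
        "object_count": len(blobs),
        # \objupdate forces the object to update before it is displayed, so a
        # linked object performs its network fetch as soon as the file opens.
        "has_objupdate": b"\\objupdate" in rtf,
        "has_ole_cf": any(OLE_CF_MAGIC in b for b in blobs),
        "classes": [c.decode("latin-1") for c in _OBJCLASS_RE.findall(rtf)],
        "unc_paths": unc,
        "urls": urls,
    }


# Constructed sample lure. The address is from the RFC 5737 documentation
# range and the file names are invented; none of this is a campaign indicator.
_SAMPLE_OBJECT = (
    OLE_CF_MAGIC
    + b"\\\\203.0.113.5\\share\\update.dll\x00"
    + b"http://203.0.113.5/index.php\x00"
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\pard Lobbying brief\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}{\\*\\objdata\n"
    + _SAMPLE_OBJECT.hex().encode("ascii")
    + b"\n}}}"
)

if __name__ == "__main__":
    for key, value in triage_rtf(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

Run it against a suspect file with `triage_rtf(open(path, "rb").read())`; an object whose decoded data names an internet IP in a UNC path, combined with `\objupdate`, is exactly the pattern that produces an outbound SMB connection the moment the document is opened.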

The RomCom group is known for its advanced cyber campaigns, and BlackBerry noted that the tactics observed in this operation overlap with those seen in the group's previous attacks.

The company added that the timing of the attack, just ahead of the NATO Summit, emphasizes the group’s intent to exploit the discussions surrounding Ukraine’s potential NATO membership.

“One of the topics on the agenda is Ukraine and its possible future membership in the organization. President of Ukraine Zelenskyy confirmed his participation,” reported BlackBerry. 

The BlackBerry advisory comes weeks after cybersecurity experts from Symantec warned against new attacks by the Shuckworm espionage group on Ukrainian targets.
