RomCom Group Targets Ukraine Supporters Ahead of NATO Summit

RomCom threat actors reportedly launched a targeted cyber campaign against organizations and individuals supporting Ukraine just days before the highly anticipated NATO summit.

BlackBerry’s Threat Research and Intelligence team discovered the campaign and described it in an advisory published earlier today.

Specifically, the team said it found two deceptive documents used by the RomCom group as lures on July 4.

“Based on internal telemetry, network data analysis, and the full set of cyberweapons collected, the attackers behind this campaign conducted an initial exercise on June 22nd (we believe the exercise was conducted earlier in the day), and also reduced the number of command and control (C2) servers mentioned in this report that were registered and operational,” the advisory states.

BlackBerry said these malicious files were designed to deceive and compromise organizations supporting Ukraine abroad and individuals planning to attend the upcoming NATO summit.

The technology company said the tactics employed by RomCom underscore the group’s ability to exploit geopolitical contexts and turn critical international events into opportunities for malicious activity.

The exact method of initial infection has not yet been revealed, but the BlackBerry team suspects spear phishing as the primary vector used by the RomCom group.


By impersonating the Ukrainian World Congress organization and creating fabricated lobbying documents in favor of Ukraine, the attackers aimed to deceive their targets and gain unauthorized access to sensitive information.

Weaponization in this attack involved RTF files and OLE objects embedded within the malicious documents. Upon opening these files, the victim’s machine established a connection to a suspicious IP address associated with a VPN/proxy service. Communication between victims and attackers took place primarily over HTTP and SMB.

The RomCom group has a notorious reputation for sophisticated cyberattacks, and BlackBerry noted that the tactics observed in this operation have similarities to previous attacks.

The company added that the timing of the attack just before the NATO summit underscores the group’s intention to capitalize on the debate over Ukraine’s potential NATO membership.

“One of the topics on the agenda is Ukraine and its possible future membership in the organization. Ukrainian President Volodymyr Zelensky confirmed his participation,” BlackBerry reported.

BlackBerry’s advisory comes weeks after Symantec cybersecurity experts warned of a new attack by the spy group Shuckworm targeting Ukraine.
