RomCom Cyber Threat Looms Over NATO Summit: Phishing Attack Targets Ukraine and Allies
BlackBerry Detected Attack

Overt Operator
July 11, 2023
Ahead of the highly-anticipated NATO Summit in Lithuania, cybersecurity firm BlackBerry has detected what appears to be a sophisticated phishing attack aimed at Ukraine and its supporting nations. The attack is suspected to be the work of the notorious RomCom hacker group, exploiting the event's high-profile status to infect its guests with malicious software.
The summit, set to take place on July 11-12 in Lithuania's capital, Vilnius, is of paramount importance to Ukraine as it aspires for future membership in the alliance. The list of attending world leaders includes U.S. President Joe Biden, French President Emmanuel Macron, British Prime Minister Rishi Sunak, and Ukrainian President Volodymyr Zelensky.
BlackBerry uncovered a deceptive website imitating the Ukrainian World Congress, a bona fide nonprofit. The website hosts documents lobbying for Ukraine's invitation to NATO, but these also house malware that activates once the files are opened. Researchers revealed that these documents were submitted via a Hungarian IP address.
Ukraine's computer emergency response team, CERT-UA, had written about this malevolent website last week, though they refrained from attributing the attack to any specific group. However, BlackBerry has linked similar activities to the RomCom group in the past.
To infiltrate a victim's system, the hackers exploit a now-patched vulnerability known as Follina, which targets the Microsoft Support Diagnostic Tool (MSDT), a utility designed to diagnose Microsoft product issues. This exploit permits the attacker to execute remote code—a tactic often employed by the RomCom group.
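The Follina chain described above is delivered through a document whose package relationships point outside the file (an external OLE object fetched over HTTP, or a direct `ms-msdt:` target), which is the piece a defender can look for before a document is ever opened. The scanner below is an added example written for this article and is not code from BlackBerry or CERT-UA; it walks the `word/_rels/*.rels` parts of an Office Open XML file and flags those two patterns. The helper `build_sample_docx` and the two relationship fixtures are constructed solely to exercise the scanner offline.

```python
"""Flag Office Open XML relationships that reach the ms-msdt: handler or pull
an OLE object from a remote HTTP(S) location, the delivery shape associated
with Follina. Added example for this article; not vendor or CERT-UA code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship parts of a Word package that can carry object links.
RELS_PART = re.compile(r"^word/_rels/.*\.rels$")
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)
OLE_TYPE_SUFFIX = "/relationships/oleObject"


def find_suspicious_relationships(docx_bytes: bytes) -> list[dict]:
    """Return one finding per relationship that matches a Follina indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not RELS_PART.match(name):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                external = rel.get("TargetMode", "").lower() == "external"
                reason = None
                if MSDT_RE.search(target):
                    reason = "ms-msdt protocol target"
                elif (external and rtype.endswith(OLE_TYPE_SUFFIX)
                      and target.lower().startswith(("http://", "https://"))):
                    reason = "external OLE object loaded over HTTP"
                if reason:
                    findings.append({"part": name, "id": rel.get("Id"),
                                     "target": target, "reason": reason})
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx-shaped zip used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed fixture: only ordinary internal parts.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

# Constructed fixture: a remote OLE object plus a direct ms-msdt: link.
# The hostname is a placeholder, not an indicator from the article.
SUSPICIOUS_RELS = f"""<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/page.html!" TargetMode="External"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="ms-msdt:/id PCWDiagnostic" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, find_suspicious_relationships(build_sample_docx(rels)))
```

Run it over a mail-gateway quarantine or a share of attachments by passing each file's bytes to `find_suspicious_relationships`; a non-empty result is worth a sandbox detonation or a block, and the `part`/`id` fields point an analyst at the exact relationship to inspect.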
The malware's primary function is to gather information about the compromised system, including details about the computer memory, username, and the machine's network adapter, as per BlackBerry's analysis.
The researchers possess "medium to high confidence" that this operation is RomCom-related, or that one or more members of the RomCom hacker group are orchestrating this campaign, possibly in collaboration with a new threat group.
RomCom, also known by the aliases Tropical Scorpius, UNC2596, and Void Rabisu, has previously targeted Ukrainian military organizations, IT companies, and politicians maintaining close ties with Western countries. Additional targets included a U.S.-based healthcare company providing aid to refugees fleeing Ukraine and receiving medical assistance in the U.S.
Earlier last week, CERT-UA detected two other campaigns targeting Ukrainian organizations. One involved the UAC-0057 hacker group utilizing PicassoLoader malware against Ukrainian government services. In addition, CERT-UA researchers discovered an espionage operation seemingly conducted by the Russian state-sponsored hacker group, Fancy Bear.