
“RomCom” Hackers Strike Ukraine and US Healthcare Targets

"RomCom" Hackers Strike Ukraine and US Healthcare Targetscybersecurity,hacking,Ukraine,UShealthcare,RomComhackers

RomCom Hackers Return with Sophisticated Attack on Ukraine and US Healthcare

The notorious threat actor known as RomCom has resurfaced with an attack strategy driven by a geopolitical agenda. The group recently targeted Ukrainian politicians and a US healthcare organization that aids refugees from the war-torn country. The attackers used trojanized software, hosted on sites that mimicked the authentic vendor pages, to encourage unsuspecting victims to download and install the compromised software. According to the BlackBerry Threat Research and Intelligence team, the campaign used typosquatting and phishing tactics to create fake websites that closely resembled legitimate software sites.

Modus Operandi

The trojanized version of Devolutions Remote Desktop Manager, deployed via phishing tactics, allowed RomCom to collect essential host and user metadata from the infected system. The malware began installing automatically after the user selected the destination path for the files to be installed. The malware then transmitted the collected information to its command-and-control server. RomCom relies on previous information about each victim, such as the software they use, how they use it, and the social or political programs they are working on. Thus, the malware’s endgame is the exfiltration of sensitive information.

Geopolitical Motivation

The campaign strongly suggests that the motivation behind it was a geopolitical agenda. According to Dmitry Bestuzhev, senior director, CTI, BlackBerry, the attackers targeted military secrets such as unit locations, defensive and offensive plans, arms, military training programs, and sensitive information about the refugees from Ukraine. The group uses previous information about the victim to develop and deliver fake update notifications.

A RomCom You Haven’t Seen Before

RomCom has a history of targeting the Ukrainian military with fake software updates, and it has trojanized popular software products like SolarWinds Network Performance Monitor and PDF Reader Pro in English-speaking countries, particularly the UK. The cybersecurity community has noted that the group has adapted its command-and-control infrastructure to blend in with legitimate network traffic, making its malicious activity harder to detect.

Advice on Defense Tactics

Industry experts advise that the standard defense tactics apply, regardless of whether the attack is carried out by cybercriminals or state-sponsored actors. Organizations should apply security patches promptly, follow vendor "secure installation" recommendations, and implement industry best practices. Employee training on how to spot spear-phishing and social engineering attacks is also crucial. Experts recommend that organizations rely on good cyber threat intelligence to detect the RomCom group's operations in their systems, network traffic, and files.
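One concrete place that threat intelligence applies is the typosquatted download sites the article describes. The following is an added example, not code from the article or from BlackBerry: it scans a constructed web-proxy log for hosts that imitate known software-vendor domains (devolutions.net is the real vendor domain of Remote Desktop Manager; the lookalike host, client addresses and log lines are constructed, and the vendor list is assumed to come from the organization's own software inventory).

```python
# Added example (not from the article or BlackBerry): flag lookalike domains of
# known software-vendor sites in a constructed web-proxy log.
from urllib.parse import urlparse

# Assumption: defenders keep this list from their own software inventory;
# devolutions.net is the real vendor domain of Remote Desktop Manager.
VENDOR_DOMAINS = ["devolutions.net", "solarwinds.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    # Last two labels only (no public-suffix list, so this stays offline).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(host: str, vendors=VENDOR_DOMAINS, max_dist: int = 2):
    """Return the vendor domain that `host` imitates, or None if it is clean."""
    reg = registrable(host)
    if reg in vendors or "." not in reg:
        return None  # genuine vendor host (subdomains included) or bare label
    name = reg.split(".", 1)[0]
    for vendor in vendors:
        vname = vendor.split(".", 1)[0]
        # Brand under another TLD, brand plus extra tokens, or near-miss spelling
        # (substring matching needs a stricter rule for very short brand names).
        if name == vname or vname in name or levenshtein(name, vname) <= max_dist:
            return vendor
    return None

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2023-05-01T10:00:01 10.0.0.5 GET https://cdn.devolutions.net/files/setup.exe
2023-05-01T10:02:11 10.0.0.7 GET https://devolutlons.net/download/setup.exe
2023-05-01T10:03:40 10.0.0.7 GET https://www.example.com/index.html
"""

def scan_log(text: str):
    """Return (client_ip, host, imitated_vendor) for each lookalike request."""
    hits = []
    for line in text.splitlines():
        _ts, client, _method, url = line.split()
        host = urlparse(url).hostname or ""
        if (vendor := is_lookalike(host)):
            hits.append((client, host, vendor))
    return hits
```

A hit on a host serving an installer download is the signal worth chasing; a real deployment would use a public-suffix list for `registrable` and tune `max_dist` per brand-name length.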


The RomCom group's latest activity shows the importance of cybersecurity in the area of geopolitics. Nation-state hackers can use cyber operations as a tool for pursuing their geopolitical goals, which has far-reaching implications for global security. Cybersecurity must be treated as a serious national security issue, and governments must be more proactive in dealing with it. Private companies must also prioritize comprehensive protection against cyberattacks and constant improvement of their cybersecurity practices.


In conclusion, the RomCom group’s attack on Ukraine and US healthcare indicates that an increasing number of cyberattacks have complex geopolitical motivations. The sophistication and adaptability of these attacks demonstrate the need for a comprehensive security approach that integrates cyber threat intelligence, employee training, and industry best practices. As the threat landscape continues to evolve, organizations must stay vigilant and prepared to detect and respond to these attacks.


"RomCom" Hackers Strike Ukraine and US Healthcare Targets
<< photo by GuerrillaBuzz >>

You might want to read !