Russian RomCom Cyberattack: Romance Meets Espionage at NATO Summit

Cyberwarfare: Russia-Linked RomCom Hackers Targeting NATO Summit Guests

Introduction

A recently identified cyber operation conducted by a Russia-linked threat actor known as RomCom has targeted entities supporting Ukraine, including guests attending the 2023 NATO Summit in Vilnius, Lithuania. The cybersecurity unit at BlackBerry has reported on this operation, which involves the use of malicious documents distributed through spear-phishing emails. The goal of the operation appears to be to gather information from organizations and individuals supporting Ukraine. The RomCom group, also known as Void Rabisu and Tropical Scorpius, has previously been associated with financial motivations, but its recent activities indicate a shift towards working for the Russian government.

The Cyber Operation

RomCom created malicious documents intended for distribution to supporters of Ukraine, using the NATO Summit as the lure. Delivery of these documents was dry-tested on June 22, and the command-and-control (C&C) domain used in the campaign went live a few days later. The threat actor relied on spear-phishing emails carrying RTF files with embedded OLE objects to start the infection chain. The chain is designed to collect system information and then deliver the RomCom remote access trojan (RAT). In one stage of the chain, a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) was exploited to achieve remote code execution.
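The infection chain above combines three observable features in one attachment: an RTF container, an embedded OLE object, and a reference to the MSDT handler. The following triage script is an added example written for this article (it is not BlackBerry's tooling and the RTF sample inside it is constructed, not a real RomCom document); it pulls the hex blobs out of `\*\objdata` groups and flags payloads that reference `ms-msdt:` or `msdt.exe`.

```python
import binascii
import re

# Constructed sample (not a real RomCom document): a minimal RTF carrying an
# embedded OLE object whose hex payload references the ms-msdt: URI handler.
_OLE_PAYLOAD = b"\x01\x05\x00\x00\x02\x00\x00\x00Package ms-msdt:/id PLACEHOLDER"
SAMPLE_RTF = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
              + binascii.hexlify(_OLE_PAYLOAD).decode() + "}}}")
BENIGN_RTF = "{\\rtf1\\ansi Agenda for the Vilnius summit.}"

# RTF control words that introduce embedded or linked OLE objects.
OBJECT_CONTROL_WORDS = ("\\object", "\\objemb", "\\objdata", "\\objupdate")
# Strings a document has no business carrying inside an OLE payload.
SUSPICIOUS_MARKERS = (b"ms-msdt:", b"msdt.exe")


def extract_objdata_blobs(rtf_text):
    """Yield the decoded bytes of every \\*\\objdata hex blob in the RTF."""
    for match in re.finditer(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)", rtf_text):
        hex_str = re.sub(r"\s+", "", match.group(1))
        if len(hex_str) % 2:          # tolerate a truncated trailing nibble
            hex_str = hex_str[:-1]
        try:
            yield binascii.unhexlify(hex_str)
        except binascii.Error:
            continue


def scan_rtf(rtf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for word in OBJECT_CONTROL_WORDS:
        if word in rtf_text:
            findings.append("control word " + word)
    for blob in extract_objdata_blobs(rtf_text):
        for marker in SUSPICIOUS_MARKERS:
            # Check both ANSI and UTF-16LE, since Windows payloads use either.
            if marker in blob or marker.decode().encode("utf-16-le") in blob:
                findings.append("objdata contains " + marker.decode())
    return findings


def is_suspicious(rtf_text):
    """High-confidence hit: an OLE object whose payload references MSDT."""
    return any(f.startswith("objdata contains") for f in scan_rtf(rtf_text))


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

An OLE control word alone is only a note (legitimate documents embed objects too); the MSDT marker inside the object payload is what warrants escalation to the incident response queue.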

Identification of RomCom's Activities

BlackBerry has identified the C&C domains and victim IPs used in this campaign, all of which were accessed from a single server connected to known RomCom infrastructure. Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other artifacts, BlackBerry is confident in attributing this cyber operation to the RomCom threat actor or its members.

Targeted Victims and Motivation

The nature of the upcoming NATO Summit and the lure documents sent by RomCom indicate that the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine. The RomCom group has previously targeted Ukraine, including users of Ukraine’s Delta situational awareness program, as well as organizations in Ukraine’s energy and water utility sectors. The group has also targeted entities outside of Ukraine, such as a provincial local government assisting Ukrainian refugees, a parliament member of a European country, conference attendees, and a European defense company.

Shift in Tactics and Motivation

RomCom was originally believed to be financially motivated, but recent campaigns have shown a change in tactics and motivation, suggesting that the group is now working for the Russian government. This shift in behavior aligns with the broader context of Russia’s ongoing conflict with Ukraine.

Analysis and Commentary

Internet Security Concerns

The RomCom cyber operation targeting the NATO Summit guests highlights the ever-present threat of cyber warfare. Adversary nations have increasingly turned to cyberspace to achieve their geopolitical objectives and gather intelligence. This highlights the urgent need for better internet security measures and increased cooperation between nations to combat these threats.

Philosophical Discussion: Cyberwarfare and International Relations

The rise of cyber warfare raises important questions about the nature of conflict in the digital age and the role of nation-states in cyberspace. Traditional rules of engagement may not apply in this new domain, and there is a need for international norms and regulations to govern state-sponsored cyber activities. The RomCom cyber operation serves as a reminder that protecting critical infrastructure and ensuring cybersecurity is a core responsibility of governments worldwide.

Editorial and Advice

Protecting Critical Infrastructure

The RomCom cyber operation targeting the NATO Summit guests underscores the importance of securing critical infrastructure and sensitive information against cyber threats. Governments and organizations should prioritize investing in robust cybersecurity measures, including threat intelligence, network monitoring, and employee training to detect and mitigate potential threats.

International Cooperation

Addressing cyber threats requires international cooperation between governments, intelligence agencies, and private sector companies. Information sharing and joint efforts can help identify and track threat actors, disrupt their operations, and hold them accountable. The RomCom cyber operation should serve as a catalyst for increased collaboration among nations to address the growing threat of cyber warfare.

Individual Responsibility

Individuals must also play their part in securing cyberspace. Practicing good cyber hygiene, such as regularly updating software, using strong and unique passwords, and being cautious of suspicious emails and links, can go a long way in defending against cyber attacks. Enhanced cybersecurity awareness and education should be promoted at all levels of society.

In conclusion, the RomCom cyber operation targeting NATO Summit guests highlights the evolving landscape of cyber warfare and the need for enhanced internet security measures, international cooperation, and individual vigilance. Governments and organizations must prioritize cybersecurity to protect critical infrastructure and preserve national security in the face of persistent and sophisticated cyber threats.

<< photo by Christian Lue >>
The image is for illustrative purposes only and does not depict the actual situation.