
Russia-linked threat actor RomCom targets Ukraine supporters during the NATO 2023 summit

Using targeted spear-phishing, RomCom aimed its remote access trojan at delegates of the summit in Vilnius, Lithuania

The Russia-linked threat actor RomCom has reportedly targeted supporters of Ukraine, including attendees of the NATO 2023 summit. The group spread a malicious document via spear-phishing and exploited a Microsoft vulnerability to achieve remote code execution. BlackBerry's cybersecurity unit disclosed the activity.

A cyber operation orchestrated by a Russia-linked threat actor known as RomCom was recently identified. Its main targets are entities and individuals who support Ukraine, including participants of the NATO 2023 summit taking place on 11 and 12 July. The findings were reported by BlackBerry's cybersecurity unit.

Tactics used and preliminary analysis

The NATO summit takes place in Vilnius, Lithuania, and its agenda includes the war in Ukraine as well as new additions to the alliance, such as Sweden and Ukraine itself. RomCom used the event as a lure, crafting malicious documents likely intended for supporters of Ukraine. BlackBerry reports that RomCom apparently tested its deployment on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live.

Detailed description of the chain of infection

To distribute one of the malicious documents, the threat actor likely relied on spear-phishing. The document uses an embedded RTF file and OLE objects to initiate an infection chain intended to gather system information and deliver the RomCom remote access trojan (RAT). At one stage in the chain, a remote code execution (RCE) vulnerability in Microsoft's Support Diagnostic Tool (MSDT), CVE-2022-30190, also known as Follina, is exploited.
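A practitioner triaging documents of this kind wants a quick static check for the two indicators the chain above relies on: OLE objects embedded in RTF (the \object / \objdata control words) and a reference to the ms-msdt: protocol handler that Follina abuses. The following scanner is an added example written for this page, not code from BlackBerry's report or from the RomCom samples; the RTF control words, the ms-msdt: string and its UTF-16LE form are generic Follina/RTF-OLE indicators assumed for illustration, and the sample documents are constructed inline.

```python
"""Static triage of RTF documents for embedded OLE objects and a Follina-style
ms-msdt: protocol handler reference.  Added example; indicators and samples
are assumptions for illustration, not taken from the RomCom report."""
import re

# \objdata holds the OLE object as a hex dump; count occurrences as "OLE objects".
OBJDATA_CW = re.compile(rb"\\objdata\b")
# Capture the hex run that follows \objdata (whitespace/newlines allowed).
OBJDATA_HEX = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# ms-msdt: in ASCII and in UTF-16LE (how it appears inside some OLE streams).
MSDT_ASCII = re.compile(rb"ms-msdt:", re.IGNORECASE)
MSDT_WIDE = re.compile(rb"m\x00s\x00-\x00m\x00s\x00d\x00t\x00:", re.IGNORECASE)


def decode_objdata(hexblob: bytes) -> bytes:
    """Turn the hex dump inside \\objdata back into the raw OLE bytes."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:           # tolerate a truncated trailing nibble
        clean = clean[:-1]
    try:
        return bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return b""


def scan_rtf(data: bytes) -> dict:
    """Return indicator counts and a verdict for one document."""
    result = {"is_rtf": data.lstrip().startswith(b"{\\rtf"),
              "ole_objects": 0, "msdt_hits": 0, "verdict": "clean"}
    if not result["is_rtf"]:
        result["verdict"] = "not-rtf"
        return result
    result["ole_objects"] = len(OBJDATA_CW.findall(data))
    # Look for the handler string both in the raw RTF and inside decoded objects.
    payloads = [decode_objdata(m.group(1)) for m in OBJDATA_HEX.finditer(data)]
    for blob in payloads + [data]:
        result["msdt_hits"] += len(MSDT_ASCII.findall(blob)) + len(MSDT_WIDE.findall(blob))
    if result["msdt_hits"]:
        result["verdict"] = "suspicious: ms-msdt protocol handler reference"
    elif result["ole_objects"]:
        result["verdict"] = "review: embedded OLE object(s)"
    return result


def build_rtf_with_objdata(payload: bytes) -> bytes:
    """Construct a minimal RTF wrapping `payload` as an embedded OLE object
    (constructed test input, not a real sample)."""
    hexdata = payload.hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + lines + b"}}}"


# Constructed samples: a plain document, an OLE object with harmless content,
# and two objects carrying the handler string in ASCII and UTF-16LE.
SAMPLES = {
    "benign": b"{\\rtf1\\ansi Agenda for the Vilnius summit.}",
    "ole_only": build_rtf_with_objdata(b"harmless embedded content"),
    "msdt_ascii": build_rtf_with_objdata(b"ms-msdt:/id PCWDiagnostic"),
    "msdt_wide": build_rtf_with_objdata("ms-msdt:".encode("utf-16-le")),
}


def scan_samples() -> dict:
    """Scan every constructed sample and return name -> result."""
    return {name: scan_rtf(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in scan_samples().items():
        print(f"{name:11s} ole={res['ole_objects']} msdt={res['msdt_hits']} -> {res['verdict']}")
```

The decode step matters: a grep for ms-msdt: over the raw .rtf misses the string when it only exists inside the hex-encoded object, and the UTF-16LE pattern catches the form found in OLE-packaged HTML. Treat a hit as a reason to detonate or reverse the sample, not as proof of a specific actor.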

Conclusions of the analysis and notices to the authorities

According to BlackBerry, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which was observed connecting to RomCom's known infrastructure. Based on the observed tactics, techniques and procedures (TTPs), the network infrastructure, code similarities and other collected artifacts, BlackBerry assesses that the threat actor RomCom, or members of RomCom, is behind the cyber operation. The company reported the campaign to the relevant government agencies before making the information public.


07/11/2023 11:32

Marco Verro
