Microsoft vulnerability exploited in spear phishing attack on NATO summit

NATO summit 2023

Blackberry Team Names RomCom in Latest Target Against Ukraine Supporters, Points to Email as Most Likely Attack Vector.

If you’re a cinephile, you’ve probably heard the term “rom-com.” Short for “romantic comedy,” these films are known for being lighthearted, amusing, and focused on relationships. In the world of threat actors, however, the term “rom-com” isn’t giving anyone the warm fuzzies.

A well-known Russia-linked threat actor Storm-0978 (also referred to by its backdoor name, RomCom), has been targeting entities supporting Ukraine for some time now, but recently, the Blackberry Threat and Intelligence Team discovered an attack aimed at guests of the 2023 NATO Summit (and promptly reported to the authorities).

NATO Summit Attack

The summit was held July 11-12 in Vilnius, Lithuania, and featured a broad range of topics, including talks focusing on the war in Ukraine, as well as potential new members of the alliance (Ukraine and Sweden). Threat actors targeted the high-profile event’s attendees using malicious documents likely distributed via spear-phishing. The Blackberry cybersecurity team believes the group of threat actors dry-tested delivery of the materials in late June and then delivered them prior to the event.

The malicious documents shared in these spear-phishing attacks included an embedded RTF file and OLE objects to initiate an infection chain that was targeted at gathering system information. Once targets opened the document, a RomCom remote access trojan (RAT) was activated, and outbound connections were initiated from the victim’s machine.

All Signs Point to RomCom

Blackberry believes the attack is from RomCom based on observed tactics, techniques, and procedures (TTPs), code similarities to previous RomCom attacks, and the network infrastructure employed, among other clues.

Additionally, the company reports that the victim IPs and C&C domains of those targeted initiated from a single server, which has been observed connecting to known RomCom infrastructure.

“Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group” Blackberry says.

While RomCom operatives have been known in the past to be financially motivated, recent campaigns like this one showcase a shift in motivations, suggesting the group is likely backed by the Russian government. The group of threat actors’ backdoor has been used in attacks targeting Ukraine in October 2022, if not before. Targets have included the country’s core systems such as water and energy, as well as governments helping Ukrainian refugees, attendees of various conferences, defense companies, parliament members, and other Ukrainian allies.

How to Protect Your Organization

Libraesva Email Security protects customers from these types of threats. QuickSand gateway sandbox technology removes dangerous payloads and active content from attachments. It does that by using deep inspection to find any malicious attachment code that writes a payload and executes it.

As threat actors and their related groups continue to gain strength across the globe, there’s never been a more important time to ensure your email security is rock solid. The security experts at Libraesva can help.

Get your free consultation today!