Last November, President Biden asked Congress to allocate an additional $37 million to Ukraine to defend itself against cyberattacks, bringing the total to $82 million since February 2022, and some $120 million since 2016.
The measure, intended to “strengthen Ukraine’s capacity to detect, deter, and respond to cyber incidents and threats,” and protect critical networks and infrastructure, was reaffirmed by the State Department last month.
Now, at the July 11-12 NATO Summit in Vilnius, Lithuania, an example of how much Ukraine needs that backing surfaced in a high-profile setting. Immediately ahead of the conference, much of which focused on Ukraine’s path to membership in the alliance, BlackBerry researchers said they had determined that the threat actor known as RomCom was targeting Ukraine supporters with a campaign timed to the summit.
Malicious Documents Discovered
On July 4, BlackBerry researchers found two malicious documents submitted from an IP address in Hungary: one sent as a lure to an organization supporting Ukraine abroad, and another targeting upcoming NATO Summit guests “who may also be providing support to Ukraine,” the researchers wrote in a security blog.
Based on the “nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor,” the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine, BlackBerry said.
BlackBerry shared its intelligence findings with relevant government agencies several days prior to publishing the blog.
“Based on our internal telemetry, network data analysis, and the full set of cyber weapons we collected, we believe the threat actor behind this campaign ran their first drills on June 22, and also a few days before the command-and-control (C2) mentioned in this report was registered and went live.”
The threat group is believed to be using fake documents that purport to lobby for Ukraine’s acceptance into NATO.
The researchers subsequently concluded, based on the tactics, techniques and procedures (TTPs) observed, that the RomCom threat actor was orchestrating the campaign.
“Taking advantage of this event and the request of Ukraine to join NATO, threat actors have created and distributed a malicious document impersonating the Ukrainian World Congress organization to presumably distribute to supporters of Ukraine.”
In that instance, the threat actor “likely relied” on spear-phishing techniques, enticing victims to click through to a specially crafted replica of the Ukrainian World Congress website.
In addition, BlackBerry’s researchers found another malicious document from the same threat actor, believed to be a fake lobbying document supporting Ukraine at the NATO Summit.
The fake documents are intended to entice targets to click on a link to a website impersonating ukrainianworldcongress.org under a lookalike domain that keeps the organization’s name but swaps the “.org” top-level domain for “.info,” a trick the report describes as typosquatting.
Clicking the link starts the infection of the user’s device and lets the attackers harvest system particulars such as the username and IP address. The attack chain then exploits CVE-2022-30190, also known as Follina, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that was abused as a zero-day before Microsoft patched it in June 2022; any host still unpatched at the time of this campaign remains exposed.
Successful exploitation gives the attacker remote code execution through a crafted .docx or .rtf document: the document pulls in a remote resource that invokes the ms-msdt: URL protocol handler, and the resulting code runs with the privileges of the user who opened the file, with no macros required.
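As an added illustration of the two indicators this chain relies on, the following Python script (example code written for this article, not BlackBerry’s tooling and not derived from the RomCom samples) inspects a document for an External relationship in its OOXML package, which is how a remote-template lure reaches out to a server before CVE-2022-30190 is triggered; checks whether the link’s host is a TLD-swap lookalike of ukrainianworldcongress.org; and searches for the ms-msdt: URI scheme that the Follina payload invokes. The in-memory sample document and the path /example.html are constructed for the demonstration, and the lookalike check is deliberately naive (no public-suffix list, so it only handles single-label TLDs).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# The real domain of the organization the lure impersonates (from the report).
TRUSTED_DOMAINS = {"ukrainianworldcongress.org"}
# The URL scheme the Follina exploit hands to the MSDT protocol handler.
MSDT_PATTERN = re.compile(rb"ms-msdt:", re.IGNORECASE)


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates by keeping the same
    second-level label and swapping only the TLD (.org -> .info), or None if
    the host is itself trusted or unrelated.  Naive on purpose: no
    public-suffix handling, so multi-part TLDs such as .co.uk are not covered."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in trusted:
        return None
    label, _, tld = host.rpartition(".")
    for good in trusted:
        good_label, _, good_tld = good.rpartition(".")
        if label == good_label and tld != good_tld:
            return good
    return None


def external_relationships(docx_bytes):
    """List (rels_part, target) for every relationship marked External in an
    OOXML package.  A remote template or OLE link lives here, and it is what
    lets a Word document contact a server without any macro running."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Target", "")))
    return found


def triage(blob):
    """Return a list of (indicator, detail) tuples for a document blob.
    Handles a .docx (zip) and, for the raw ms-msdt: check, RTF or HTML too."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        # Members are compressed, so search each decompressed part, not the raw zip.
        with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
            for name in pkg.namelist():
                if MSDT_PATTERN.search(pkg.read(name)):
                    findings.append(("ms-msdt-scheme", name))
        for part, target in external_relationships(blob):
            parsed = urlparse(target)
            host = parsed.hostname or ""
            imitated = lookalike_of(host) if host else None
            if imitated:
                findings.append(("lookalike-domain", f"{part} -> {target} (imitates {imitated})"))
            elif parsed.scheme in ("http", "https"):
                findings.append(("external-url", f"{part} -> {target}"))
    elif MSDT_PATTERN.search(blob):
        findings.append(("ms-msdt-scheme", "raw bytes"))
    return findings


def build_sample_docx(target):
    """Construct a minimal .docx in memory whose document relationships carry
    one External oleObject link.  This is a constructed test fixture, not a
    sample from the campaign."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure: the TLD-swapped domain from the report plus an invented path.
    lure = build_sample_docx("http://ukrainianworldcongress.info/example.html")
    for indicator, detail in triage(lure):
        print(indicator, detail)
    # Constructed RTF fragment carrying the MSDT scheme directly.
    print(triage(b"{\\rtf1 ms-msdt:/id PCWDiagnostic /skip force}"))
```

In the in-the-wild Follina chain the ms-msdt: string sits in the HTML fetched from the external link, not in the .docx, so the document itself matches only on the External relationship and the lookalike host; running `triage` on the fetched HTML or on an RTF variant catches the scheme. The same `lookalike_of` check is worth running over proxy or DNS logs for the hosts users actually resolved.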
BlackBerry’s researchers said that, based on the available information, they have “medium to high confidence” that the campaign is a rebranded RomCom operation, or that “one or more members” of the RomCom threat group are supporting a new threat group.