Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ukraine Government. Show all posts

This Threat Actor Targeted NATO Summit Attendees

 

A Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit. The summit is taking place in Vilnius, Lithuania, and will discuss the war in Ukraine and new memberships in NATO, including Sweden and Ukraine itself.

RomCom has created malicious documents that are likely to be distributed to supporters of Ukraine. The threat actor appears to have dry-tested the delivery of these documents on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explained.

The malicious documents are likely distributed via spear-phishing. They contain an embedded RTF file and OLE objects that initialize an infection chain that garners system information and delivers the RomCom remote access trojan (RAT).

At one stage in the infection chain, a flaw in Microsoft's Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).

BlackBerry has identified the C&C domains and victim IPs used in this campaign. All of these were accessed from a single server that has been observed connecting to known RomCom infrastructure.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.

BlackBerry has alerted relevant government agencies of this campaign. RomCom is also known as Void Rabisu and Tropical Scorpius, and is associated with the Cuba ransomware. The group was previously believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that they are now working for the Russian government.

Since at least October 2022, the RomCom backdoor has been used in attacks targeting Ukraine. These attacks have targeted users of Ukraine's Delta situational awareness program and organizations in Ukraine's energy and water utility sectors.

Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

China-Sponsored Hacking Groups are Targeting Ukrainian government

 

Google's Threat Analysis Group (TAG) has unearthed a cyberespionage operation sponsored by the Chinese People's Liberation Army (PLA) and other Chinese intelligence agencies targeting Ukrainian government to gather information on the ongoing conflict.

Billy Leonard, a security engineer at Google TAG, said Google has informed that Ukrainian government agencies are targeted by China-sponsored hacking groups. 

"Over the last few weeks Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties,"  Billy Leonard said. “While our priority is providing notifications to impacted parties, we've provided related IOCs to community partners, and we will publish more details for the security community in the near future." 

Group leader Shane Huntley also confirmed Leonard’s assessment, saying that “the Ukrainian war has not only attracted the attention of European threatening players, but China is working hard here too.”

Last week, the hacktivist collective group Intrusion Truth stated that the campaign was directly sponsored by the Chinese government. The group announced that it is sharing IOCs with community partners and plan to provide additional details on the ongoing attacks in the future. 

Google TAG’s report on China’s ongoing cyber activity in Ukraine follows another warning issued a week ago regarding a Chinese-sponsored hacking group tracked as APT31 targeting Gmail users linked with the U.S. government. A day ago, Google security researchers disclosed that Russia and Belarus targeted Ukrainian and European government and military organizations in extensive phishing and DDoS assaults. 

"In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia," stated Shane Huntley.

Google also reported China-backed Mustang Panda cyberespionage group (also known as Temp.Hex and TA416) have also switched to phishing assaults on European entities using lures linked with the invasion of Ukraine. 

In some attacks identified by Google, hackers employed malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’. On the same day, Proofpoint revealed that Mustang Panda was found phishing “European diplomatic organizations, including refugees and individuals involved in migrant services.”