The NATO summit in Lithuania was targeted by the infamous RomCom criminal gang known for aggressive targeting of Ukraine and its allies.
Part of the reason the summit was being held in Lithuania was to determine whether or not the country should be part of NATO. It’s also worth noting that RomCom (or RomCom RAT) has links to another gang that was accused of being Russian government actors posing as a cybercriminal group.
Professionals from the BlackBerry Research and Threat team found two malicious documents sent using tactics and techniques used by the criminal group in question. One was a fake pro-Ukraine lobbying document; the other was a piece of correspondence from the Ukrainian World Congress.
“Based on our internal telemetry, network data analysis, and the full set of cyber weapons we collected, we believe the threat actor behind this campaign ran their first drills on June 22,” explain the researchers in a recent security advisory.
The attack was meant to allow the group to deliver a payload using RTF file vulnerabilities and execute a backdoor that would allow the group to begin collecting the personal data of their victims.
“Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.”
The RomCom group has shown signs of increasing aggression toward Ukraine, including targeting Ukrainian government officials and health sectors last month, using similar techniques, phishing scams, and backdoor-creation strategies.
Full details about the severity of the infection haven’t been released yet; however, the investigation is continuing.
The BlackBerry team has released a list of IoCs to help victims determine whether or not their systems were compromised during this attack. Until the investigation is concluded, all NATO summit attendees ought to remain vigilant against cybersecurity threats.