Phishing campaign targets Ukraine, allies ahead of NATO summit

Hackers linked to the so-called RomCom group are suspected of carrying out phishing attacks against Ukraine and countries that support it ahead of a NATO Summit in Lithuania, according to cybersecurity researchers.

The attackers appear to be taking advantage of the event’s high profile in trying to infect guests with malicious software, according cybersecurity firm BlackBerry. The summit is particularly important to Ukraine as it pushes for future membership in the alliance.

Among world leaders who will attend the summit on July 11-12 in Lithuania’s capital, Vilnius, are U.S. President Joe Biden, French President Emmanuel Macron, British Prime Minister Rishi Sunak and Ukrainian President Volodymyr Zelensky.

BlackBerry discovered a fake website that impersonates the Ukrainian World Congress, a legitimate nonprofit. The website hosts lobbying documents that call on NATO to invite Ukraine, but also contain malware that launches when users open the files. The documents were submitted from a Hungarian IP address, researchers said.

Last week, Ukraine’s computer emergency response team, CERT-UA, wrote about this malicious website but didn’t attribute the attack to any specific group. BlackBerry has previously tracked similar activity by the RomCom group.

To get into the victim’s system, the hackers exploit a now-patched vulnerability known as Follina. It targets Microsoft Support Diagnostic Tool (MSDT), a built-in utility provided by Microsoft to help diagnose issues with Microsoft products and services. The exploit allows an attacker to conduct remote code execution — the RomCom group’s specialty.

The malware ultimately is designed to collect information about the infected system, including the size of the computer memory, username and information about the machine’s network adapter, BlackBerry said.

The researchers have “medium to high confidence” that this is a RomCom-related operation, or that one or more members of the RomCom hacker group are behind this campaign but perhaps in support of a new threat group.

RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, previously targeted Ukrainian military organizations, IT companies, politicians who are working closely with Western countries, BlackBerry said. Other targets included a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.

Earlier last week, CERT-UA discovered two other campaigns targeting Ukrainian organizations. In one of these campaigns, a hacker group identified as UAC-0057 used PicassoLoader malware to target Ukrainian government services. In addition, CERT-UA researchers have discovered an espionage operation apparently carried out by the Russian state-sponsored hacker group known as Fancy Bear.