For years, Russian government hackers have used a number of made-up personas to cover their tracks and attempt to trick security researchers and government agencies into pointing the blame in the wrong direction.
They’ve pretended to be a lone Romanian hacktivist known as Guccifer 2.0 when they hacked the Democratic National Committee; unleashed a destructive malware designed to look like run-of-the-mill ransomware; hid inside the servers used by an Iranian hacking group; claimed to be an Islamist hacking group called Cyber Caliphate; hacked the 2018 Winter Olympics leaving breadcrumbs that pointed to North Korea and China; and slipped false evidence inside documents released as a hack and leak operation supposedly carried out by a hacktivist group called Cyber Berkut.
Now, security researchers claim to have discovered a new Russian government false flag.
According to security researchers at BlackBerry, the cybercrime group known as Cuba Ransomware, which was previously linked to a malware strain known as RomCom RAT, is not a cybercrime group at all. It’s actually a group working for the Russian government, targeting Ukrainian military units and local governments, the researchers said.
“It’s a misleading attribution,” said Dmitry Bestuzhev, senior director of BlackBerry’s cyberthreat intelligence team, referring to the links between RomCom RAT and Cuba. “It looks like it’s just another unit working for the Russian government,” he said.
The Russian Embassy in Washington D.C. did not respond to a request for comment.
RomCom RAT is a remote access trojan first discovered by Unit 42, the Palo Alto Networks security research group, in May 2022. The company’s security researchers linked the malware to the Cuba gang, which has used ransomware against targets in the sectors of “financial services, government facilities, healthcare and public health, critical manufacturing, and information technology,” according to U.S. cybersecurity agency CISA.
The name comes from the group itself, which used illustrations of Fidel Castro and Che Guevara on its dark web site, although no researcher has ever found any evidence that the group has anything to do with the island nation.
RomCom RAT has reportedly used fake versions of popular apps to target its victims, such as the password manager KeePass, the IT management tool SolarWinds, Advanced IP Scanner, and Adobe Acrobat Reader. Over the past few months, according to Bestuzhev and his colleagues, RomCom RAT also targeted Ukrainian military units, local government agencies, and Ukraine’s parliament.
Bestuzhev explained that their conclusion is not only based on the targets, but also on the timing of the hackers’ operations.
His team has tracked the group for a year and followed its trail through the internet. As part of their investigation, the researchers saw the hackers using different digital certificates to register the fake domains they used to plant malware on targets.
In one case, the researchers witnessed the hackers creating an Austria-presenting digital certificate to sign a booby-trapped website on March 23, a week before Ukraine’s President Volodymyr Zelensky addressed the Austrian parliament via video call.
The same pattern occurred other times. When the RomCom RAT hackers mimicked a SolarWinds website in November 2022, it was around the time Ukrainian forces entered the besieged city of Kherson. When the hackers mimicked Advanced IP Scanner in July 2022, it was just as Ukraine began deploying HIMARS rockets supplied by the U.S. government. And then in March 2023, the hackers mimicked Remote Desktop Manager around the time Ukrainian pilots were getting trained to fly F-16 fighter jets, and Poland and Slovakia decided to provide Ukraine with military tech.
“So every time a major event happened, like something big in geopolitics, and especially in the military field, RomCom RAT was just there, right there,” Bestuzhev said.
Other security researchers, as well as the Ukrainian government itself, however, are still not fully convinced RomCom RAT and Cuba Ransomware are actually Russian government hackers.
Doel Santos, a senior researcher at Palo Alto Networks’ Unit 42, said that the group behind the RomCom RAT malware is “more sophisticated than traditional ransomware groups,” for its use of custom tools.
“Unit 42 has seen the activity targeting Ukraine. There’s an espionage angle with this and because of that, they could be getting direction from a nation state,” Santos told TechCrunch. “However, we don’t know the extent of that relationship. It goes outside the normal activities of a ransomware group.”
Still, Santos added, “some groups moonlight to get extra work — this may be what we’re seeing in this case.”
Bestuzhev said he and his team have considered this possibility but have excluded it based on the hackers’ persistence and the timing and targets of the attacks, which indicate their real goal is espionage and not crime.
A spokesperson for the State Special Communications Service of Ukraine, or SSSCIP, said that one of RomCom RAT’s operations in Ukraine targeted users of a specific situational awareness software called DELTA, and “according to the target and used malware, it can be assumed that the goal was gathering intelligence from the Ukraine military.”
“But there is not enough evidence to connect it with Russia (except the fact that Russia is the most interested in such kind of information),” an SSSCIP spokesperson added.
Mark Karayan, a spokesperson for Google’s threat intelligence teams, which have been tracking the hacking group, said that “our team can’t confidently confirm or deny these findings without seeing [BlackBerry’s] full research.”
Bestuzhev said that his group doesn’t plan on publishing all the technical details of their findings, in an attempt to not show their hand to the RomCom RAT hackers, and to prevent them from changing their tactics and techniques. This way, Bestuzhev explained, they can keep tracking the hackers and see what they do next.
The jury is still out on who’s really behind RomCom RAT and Cuba Ransomware, but Bestuzhev and researchers from other companies will continue to keep an eye on the group.
“These guys, let’s say, they know we know. We love each other. And so it’s like a long term relationship,” Bestuzhev said, laughing.
Do you have more information about this hacking group? Or other hacking groups involved in the war in Ukraine? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.