New evidence indicates the threat actor associated with the RomCom backdoor is not only motivated by financial gain but is increasingly targeting entities likely for geopolitical purposes. Security researchers at Trend Micro assess that the use of the RomCom backdoor in recent attacks, including on water and energy utilities, suggests the threat actor’s motives have changed since October 2022.
Since the start of the war in Ukraine in February 2022, the number of cyber campaigns against Ukraine and North Atlantic Treaty Organization (NATO) countries has increased significantly. Indeed, many cyber criminals based in Russia or sympathetic to its cause appear to have shifted from purely financial motives to geopolitical goals. The criminal threat actor tracked as Void Rabisu or Tropical Scorpius, believed to be associated with Cuba ransomware and the RomCom backdoor, has shifted its operations from targeting organizations for financial gain to targeting entities in Ukraine and in countries that support Ukraine. Trend Micro’s telemetry and research show that the RomCom backdoor has been used in geopolitically motivated attacks since at least October 2022, with targets that included Ukrainian water and energy utilities.
Trend Micro security researchers provide details of the various tactics, techniques, and procedures employed by the Void Rabisu threat actor. The blog also provides indicators of compromise related to this threat activity. Although Void Rabisu has primarily targeted organizations in Ukraine, it and other pro-Russian threat actors could still shift to targeting entities in countries supportive of Ukraine. This shift is especially likely if the war continues and pro-Russian actors perceive that Russia is losing on the battlefield. Ultimately, the researchers predict that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region, leading to new challenges for network defenders. Read more at Trend Micro.