Russian for years government hackers have used various made-up personas to cover their tracks and try to trick security researchers and government agencies into pointing the blame in the wrong direction.
They have pretended to be a lone Romanian hacktivist called Guccifer 2.0 when they hacked the Democratic National Committee; unleashed a destructive malware designed to look like run-of-the-mill ransomware; hidden in the servers used by an Iranian hacking group; claimed to be an Islamic hacking group called Cyber Caliphate; hacked the 2018 Winter Olympics leave breadcrumbs that pointed to North Korea and China; and slipped false evidence into documents released as a hack and leak operation supposedly carried out by a hacktivist group called Cyber Berkut.
Now security researchers claim to have found another false flag from the Russian government.
According to BlackBerry security researchers, the cybercrime group is known as Cuba ransomware, which was previously linked to a malware strain known as RomCom RAT, is not a cybercriminal group at all. It’s actually a group that works for the Russian government and targets Ukrainian military units and local governments, the researchers said.
“It’s a misleading attribution,” said Dmitry Bestuzhev, senior director of BlackBerry’s cyberthreat intelligence team, referring to the ties between RomCom RAT and Cuba. “It looks like it’s just another unit working for the Russian government,” he said.
The Russian embassy in Washington, DC, did not respond to a request for comment.
RomCom RAT is a remote access trojan first discovered by Unit 42the Palo Alto Networks security research group, in May 2022. The company’s security researchers linked the malware to the Cuba Gang, which has used ransomware against targets in the “financial services, government facilities, healthcare and public health, critical manufacturing, and information technology,” This is reported by the American cybersecurity agency CISA.
The name comes from the group itself, which used illustrations by Fidel Castro and Che Guevara on its dark web site, though no researcher has ever found any evidence that the group has anything to do with the island nation.
RomCom RAT reportedly has using fake versions of popular apps to attack its victims such as the password manager KeePass, IT management tool SolarWinds, Advanced IP Scanner and Adobe Acrobat reader. In recent months, RomCom RAT has also carried out attacks against Ukrainian military units, local government agencies and the Ukrainian parliament, according to Bestuzhev and his colleagues.
Bestuzhev explained that their conclusion is based not only on the targets, but also on the timing of the hackers’ operations.
His team followed the group for a year and tracked it via the Internet. As part of their investigation, the researchers observed that the hackers used various digital certificates to register the fake domains they used to deliver malware to targets.
In one case, investigators witnessed the hackers on March 23, a week before Ukrainian President Volodymyr Zelenskyy addressed the Austrian parliament via video call.
The same pattern occurred other times. When the RomCom RAT hackers impersonated a SolarWinds website in November 2022, it was around the time the Ukrainian Armed Forces entered the besieged city of Kherson. When the hackers imitated Advanced IP Scanner in July 2022, it was just when Ukraine started deploying HIMARS missiles provided by the US government. And then, in March 2023, the hackers mimicked Remote Desktop Manager around the time of Ukrainian pilots were trained to fly F-16 fighter jetsand Poland and Slovakia decided to provide Ukraine with military technology.
“So whenever there was a major event, like something big in geopolitics, and especially in the military field, RomCom RAT was just there, right there,” Bestuzhev said.
However, other security researchers, as well as the Ukrainian government itself, are still not fully convinced that RomCom RAT and Cuba Ransomware are actually Russian government hackers.
Santos, a senior researcher at Unit 42 of Palo Alto Networks, said the group behind the RomCom RAT malware is “more sophisticated than traditional ransomware groups,” due to its use of custom tools.
“Unit 42 has seen the activity on Ukraine. This has an espionage angle and so they could get leads from a nation state,” Santos told TechCrunch. “However, we don’t know how big that relationship is. It falls outside the normal activities of a ransomware group.”
Still, Santos added, “some groups moonlight to get extra work — this may be what we’re seeing in this case.”
Bestuzhev said he and his team considered this possibility, but ruled it out based on the persistence of the hackers, the timing and the targets of the attacks, which indicate their real goal is espionage, not crime.
A spokesperson for the Special State Communication Service of Ukraineor SSSCIP, said so one of RomCom RAT’s operations in Ukraine targeted users of a specific situational awareness software called DELTA, and “according to the target and the malware used, it can be assumed that the purpose was to collect information from the Ukrainian military.”
“But there is not enough evidence to link it to Russia (other than the fact that Russia is the government most interested in such information),” an SSSCIP spokesman added.
Mark Karayan, a spokesman for Google’s threat intelligence teams, who have been tracking the hacking group, said that “our team cannot confidently confirm or deny these findings without seeing the full investigation of (BlackBerry).”
Bestuzhev said his group does not plan to publish all the technical details of their findings, in an effort not to show their hand to RomCom RAT hackers and prevent them from changing their strategies and techniques. This way, Bestuzhev explained, they can keep tracking the hackers and see what they do next.
The jury is still out on who is really behind RomCom RAT and Cuba Ransomware, but Bestuzhev and researchers from other companies will continue to keep an eye on the group.
“Those guys, let’s say, they know we know. We love eachother. And so it’s like a long-term relationship,” Bestuzhev said with a laugh.
Do you have more information about this hacking group? Or other hacking groups involved in the war in Ukraine? We’d love to hear from you. You can safely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
