
Russian Cyberwarfare

This week, Palo Alto Networks Unit 42 released a new report detailing new TTPs linked to a Russia-aligned campaign targeting Ukraine, attributed to the RomCom Group. The report shows the group's continued involvement in cyber warfare operations. RomCom implemented a new Mark of the Web (MotW) bypass technique, exploiting a remote code execution vulnerability in Microsoft Office (CVE-2023-36884). The campaign used lures consistent with talking points from the NATO summit in Vilnius, Lithuania, and had the potential to target military, government, and state administration organizations through phishing and spear-phishing vectors.


Additional information was released by Ukraine's National Cyber Security Coordination Center (NCSCC). The NCSCC report claims that APT29 (a.k.a. "Cozy Bear"), linked to the Russian Foreign Intelligence Service, has been conducting an espionage campaign targeting the Ukraine-based embassies of Azerbaijan, Greece, Romania, and Italy, as well as the Greek internet service provider Otenet. The intrusion was reportedly carried out via phishing emails sent to approximately 200 selected targets, presenting various lures, including enticing car purchase deals. The campaign exploited a recent WinRAR vulnerability (CVE-2023-38831). Temporal analysis suggests the attacks were correlated with the crisis in the Nagorno-Karabakh region.


Intelligence on Russia-sponsored operations also comes from Denmark's SektorCERT, which released a report detailing at least two waves of cyber attacks against Denmark's critical energy infrastructure. The attackers targeted organizations and companies that are part of the infrastructure supply chain in order to cause disruptive impact and gain a foothold in the targets' networks. The main vector was exploitation of critical vulnerabilities in Zyxel firewalls, reportedly CVE-2023-28771, CVE-2023-33009, and CVE-2023-010 (as given in the report). The events have been attributed to the Russia-aligned APT Sandworm. A second wave of attacks saw the involvement of ransomware groups, including BlackCat and LockBit.


Additional activities may be targeting Australia. Press sources suggest that Australia's plan to acquire nuclear submarines may attract unusual interest from Russia- and China-aligned state-sponsored threat actors seeking to run espionage operations to steal intellectual property. However, our research identified no further context or information to substantiate this piece of news.


If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
