For years, Russian government hackers have used several made-up personas to hide their tracks and try to trick security researchers and government agencies into pointing the blame in the wrong direction.
They have pretended to be a lone Romanian hacktivist called Guccifer 2.0 when they hacked the Democratic National Committee; unleashed a destructive malware designed to look like run-of-the-mill ransomware; hid within the servers used by an Iranian hacking group; claimed to be an Islamist hacking group called Cyber Caliphate; hacked the 2018 Winter Olympics leaving breadcrumbs that pointed to North Korea and China; and slipped false evidence within documents released as a hack and leak operation supposedly carried out by an hacktivist group called Cyber Berkut.
Now, security researchers claim to have found a new Russian government false flag.
According to security researchers at BlackBerry, the cybercrime group known as Cuba Ransomware, which was previously linked to a malware strain known as RomCom RAT, is not a cybercrime group at all. It’s actually a group working for the Russian government targeting Ukrainian military units and local governments, the researchers said.
“It’s a misleading attribution,” said Dmitry Bestuzhev, senior director of BlackBerry’s cyberthreat Intelligence team, referring to the links between RomCom RAT and Cuba. “It looks like it’s just another unit working for the Russian government,” he said.
The Russian Embassy in Washington D.C. did not respond to a request for comment.
RomCom RAT is a remote access trojan first discovered by Unit 42, the Palo Alto Networks security research group, in May 2022. The company’s security researchers linked the malware to the Cuba gang, which has used ransomware against targets in the sectors of “financial services, government facilities, healthcare and public health, critical manufacturing, and information technology,” according to U.S. cybersecurity agency CISA.
The name comes from the group itself, who used illustrations of Fidel Casto and Che Guevara on its dark web site, although no researcher has ever found any evidence that the group has anything to do with the island nation.
RomCom RAT has reportedly used fake versions of popular apps to target its victims, such as the password manager KeePass, the IT administration tool SolarWinds, Advanced IP Scanner, and Adobe Acrobat reader. Over the last few months, according to Bestuzhev and his colleagues, RomCom RAT also targeted Ukrainian military units, local government agencies, and Ukraine’s parliament.
Bestuzhev explained that their conclusion is not just based on the targets, but also on the timing of the hackers’ operations.
His team have tracked the group for a year and followed its trail through the internet. As part of their investigation, the researchers observed the hackers using different digital certificates to register the fake domains they used to plant malware on targets.
In one case, the researchers witnessed the hackers creating an Austria-presenting digital certificate to sign a booby-trapped website on March 23, a week before Ukraine’s President Volodymyr Zelensky addressed the Austrian parliament via video call.
The same pattern happened other times. When the RomCom RAT hackers mimicked a SolarWinds website in November 2022, it was around the time Ukrainian forces entered the besieged city of Kherson. When the hackers mimicked Advanced IP Scanner in July 2022, it was just as Ukraine began deploying HIMARS rockets supplied by the U.S. government. And then in March 2023, the hackers mimicked Remote Desktop Manager around the time Ukrainian pilots were getting trained to fly F-16 fighter jets, and Poland and Slovakia decided to provide Ukraine with military tech.
“So each time a major event happened, like something big in geopolitics, and especially on the military field, RomCom RAT was just there, just right there,” Bestuzhev said.
Other security researchers, as well as the Ukrainian government itself, however, are still not fully convinced RomCom RAT and Cuba Ransomware are actually Russian government hackers.
Doel Santos, a senior researcher at Palo Alto Networks’ Unit 42, said that the group behind the RomCom RAT malware is “more sophisticated than traditional ransomware groups,” for its use of custom tools.
“Unit 42 has seen the activity targeting Ukraine. There is an espionage angle with this and because of that, they could be getting direction from a nation state,” Santos told ProWellTech. “However, we don’t know the extent of that relationship. It goes outside the normal activities of a ransomware group.”
Still, Santos added, “some groups moonlight to get additional work — this may be what we’re seeing in this case.”
Bestuzhev said he and his team have considered this possibility but have excluded it based on the hackers’ persistence, the timing and targets of the attacks, which indicate their real goal is espionage and not crime.
A spokesperson for the State Special Communications Service of Ukraine, or SSSCIP, said that one of RomCom RAT’s operations in Ukraine targeted users of a specific situational awareness software called DELTA, and “according to the target and used malware, it can be assumed that the goal was collecting intelligence from the Ukraine military.”
“But there is not enough evidence to connect it with Russia (except the fact that Russia is the most interested government in such kind of information),” an SSSCIP spokesperson added.
Mark Karayan, a spokesperson for Google’s threat intelligence teams, who have been tracking the hacking group, said that “our team can’t confidently confirm or deny these findings without seeing [BlackBerry’s] full research.”
Bestuzhev said that his group doesn’t plan on publishing all the technical details of their findings, in an attempt to not show their hand to RomCom RAT hackers, and prevent them from changing their strategies and techniques. This way, Bestuzhev explained, they can keep tracking the hackers and see what they do next.
The jury is still out on who’s really behind RomCom RAT and Cuba Ransomware, but Bestuzhev and researchers from other companies will continue to keep an eye on the group.
“Those guys, let’s say, they know we know. We love each other. And so it’s like a long term relationship,” Bestuzhev said, laughing.
Do you have more information about this hacking group? Or other hacking groups involved in the war in Ukraine? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact ProWellTech via SecureDrop.