BlackBerry researchers have attributed the Cuba ransomware operation, which has been associated with the RomCom RAT malware used in attacks against Ukraine, to Russian government hackers, TechCrunch reports.
The attackers' choice of targets and the timing of their operations played a big part in BlackBerry's conclusion: researchers observed that the appearance of digital signatures mimicking various websites coincided with major events in the ongoing Russia-Ukraine war.
"So each time a major event happened, like something big in geopolitics, and especially on the military field, RomCom RAT was just there, just right there," said BlackBerry Cyberthreat Intelligence Team Senior Director Dmitry Bestuzhev.
However, other cybersecurity experts are skeptical that Cuba ransomware and RomCom RAT are Russian state-backed operations, including Palo Alto Networks Unit 42 senior researcher Doel Santos, who noted that the RomCom RAT operators' activity is more sophisticated than that of other ransomware gangs.
"Unit 42 has seen the activity targeting Ukraine. There is an espionage angle with this and because of that, they could be getting direction from a nation-state. However, we don't know the extent of that relationship. It goes outside the normal activities of a ransomware group," said Santos.
As part of its latest attacks, discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to deploy an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
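A backdoor that names itself after common utilities is a masquerading case that a defender can check for directly: a process whose name matches a system binary but whose executable lives outside the directories where that binary is installed deserves a look. The following is an added example, not code from the article or from any of the vendors it cites. It assumes a Linux `/proc` layout, the expected install directories listed in `EXPECTED_LOCATIONS` (an assumption for this example, including the hypothetical `/opt/edr` path), and uses constructed process records for the demonstration.

```python
"""Flag running processes whose name matches a utility named in the report
(java, bash, sshd, sqlite, edr-agent) but whose on-disk binary is not where a
legitimate copy of that utility would be installed.

Added example; not code from the article or the vendors it cites.
Assumes a Linux /proc layout. The sample process list below is constructed."""

import os
from dataclasses import dataclass

# Utility names the reported backdoor impersonated, mapped to the directories
# where a legitimate copy is expected (assumption for this example; adjust for
# your distribution). "/opt/edr" is a hypothetical agent install path.
EXPECTED_LOCATIONS = {
    "java":      ("/usr/bin", "/usr/lib/jvm"),
    "bash":      ("/bin", "/usr/bin"),
    "sshd":      ("/usr/sbin", "/usr/bin"),
    "sqlite3":   ("/usr/bin",),
    "sqlite":    ("/usr/bin",),
    "edr-agent": ("/opt/edr",),
}

DELETED_SUFFIX = " (deleted)"


@dataclass
class ProcessInfo:
    pid: int
    name: str      # contents of /proc/<pid>/comm
    exe: str       # target of /proc/<pid>/exe, "" if unreadable
    deleted: bool  # binary was unlinked after launch (exe link ends in " (deleted)")


def is_under(path, parents):
    """True if path equals one of parents or sits somewhere beneath it."""
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p.rstrip("/") + "/") for p in parents)


def assess(proc):
    """Return a reason string if the process looks like a masquerade, else None."""
    expected = EXPECTED_LOCATIONS.get(proc.name)
    if expected is None:
        return None  # not a name we care about
    if proc.deleted:
        return "binary deleted from disk after launch"
    if not proc.exe:
        return None  # unreadable exe link (usually a privilege issue), not evidence
    if not is_under(proc.exe, expected):
        return f"runs from {proc.exe}, expected under {', '.join(expected)}"
    return None


def find_masquerades(procs):
    """Return (pid, name, reason) for every process assess() flags."""
    hits = []
    for p in procs:
        reason = assess(p)
        if reason:
            hits.append((p.pid, p.name, reason))
    return hits


def scan_proc(proc_root="/proc"):
    """Collect ProcessInfo records from a live Linux /proc tree."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                name = f.read().strip()
            target = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue  # process exited, or exe not readable without privilege
        deleted = target.endswith(DELETED_SUFFIX)
        exe = target[: -len(DELETED_SUFFIX)] if deleted else target
        procs.append(ProcessInfo(int(entry), name, exe, deleted))
    return procs


# Constructed sample: two legitimate daemons, one sshd lookalike in /tmp, one
# "edr-agent" whose binary was removed after start, an unrelated service, and a
# sqlite3 whose exe link could not be read.
SAMPLE = [
    ProcessInfo(101, "sshd", "/usr/sbin/sshd", False),
    ProcessInfo(2042, "sshd", "/tmp/.cache/sshd", False),
    ProcessInfo(2077, "bash", "/bin/bash", False),
    ProcessInfo(3101, "edr-agent", "/var/tmp/edr-agent", True),
    ProcessInfo(3300, "java", "/usr/lib/jvm/java-17/bin/java", False),
    ProcessInfo(4444, "nginx", "/usr/sbin/nginx", False),
    ProcessInfo(5001, "sqlite3", "", False),
]

if __name__ == "__main__":
    for pid, name, reason in find_masquerades(SAMPLE):
        print(f"pid {pid} ({name}): {reason}")
```

Run against the constructed sample it reports pids 2042 and 3101; replace `SAMPLE` with `scan_proc()` (as root, so `/proc/<pid>/exe` is readable) to check a live host. The check is deliberately narrow: it only looks at names the report associates with this backdoor, and an unreadable `exe` link is treated as no evidence rather than as a hit, which keeps it from drowning in false positives on a hardened system.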
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.