Customer Advisory: Awareness | Storm-0978 (RomCom): Cyber-espionage Campaign Targeting NATO Talks, Exploiting CVE-2023-36884

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 9 minutes

Source Material:

Targeted Industries: Public Administration and Educational Services, specifically those involved in international affairs and global policy-making

Executive Summary

This cyber threat intelligence report provides an in-depth analysis of recent cyber-espionage activities conducted by the threat group Storm-0978, also known as RomCom. The report sheds light on the tactics, techniques, and procedures (TTPs) employed by the threat actors, their intentions, objectives, and capabilities, as well as the potential risks and impacts of their activities. Our findings are based on information reported by Microsoft, BlackBerry, and CERT-UA utilizing various analytic techniques.

The threat actors employed spear-phishing emails with malicious attachments to gain initial access, leveraging a remote code execution vulnerability (CVE-2023-36884) before its disclosure to Microsoft. They exhibit advanced social engineering skills and demonstrate a high level of technical capability. The threat actors’ political objective is to disrupt Ukraine’s NATO membership talks while gathering sensitive intelligence.

The report highlights the potentially severe impact of Storm-0978’s activities, including significant data breaches and the risk of geopolitical instability. The targeted organizations, specifically those involved in international affairs and global policy-making, face significant risk. To counter these threats, recommendations include implementing robust email security measures, multi-factor authentication, regular system patching, and training staff to recognize and report phishing attempts.

The findings of this report emphasize the need for organizations to enhance their cybersecurity posture and remain vigilant against the evolving tactics of Storm-0978. Organizations can strengthen their resilience against this threat by implementing the recommended mitigation actions and protecting their critical assets and sensitive information.

ATI Insights & Determinations

  • Storm-0978 displays advanced social engineering skills and technical capabilities, evidenced by their sophisticated spear-phishing techniques and exploitation of undisclosed vulnerabilities to deliver custom backdoors.
  • The threat actors demonstrate their intention to influence geopolitical events, evidenced by their targeting of organizations with sensitive intelligence related to Ukraine and NATO.
  • The targeted organizations, particularly those involved in international affairs, face a significant risk from Storm-0978’s activities, including potential severe data breaches and geopolitical instability.
  • Storm-0978 will likely continue targeting organizations involved in geopolitical events, focusing on influencing or disrupting Ukraine’s potential NATO membership. Their tactics, techniques, and procedures (TTPs) are expected to evolve, incorporating more advanced exploits and intrusion methods. Vigilance and proactive defense measures are crucial in mitigating this threat.


This cyber threat intelligence report provides an in-depth analysis of recent cyber-espionage activities conducted by the threat group Storm-0978 also known as RomCom, as reported by Microsoft and BlackBerry, respectively. The report aims to shed light on the tactics, techniques, and procedures (TTPs) employed by Storm-0978, their intentions, objectives, and capabilities, as well as the potential risks and impacts of their activities. This report’s purpose is to enhance the understanding of this latest activity among cybersecurity professionals, enabling them to detect, respond to, and mitigate the threat posed by Storm-0978, thereby strengthening the overall cybersecurity posture. Questions or feedback about this intelligence can be submitted here.

Overview & Background

A recent blog post from Microsoft provides additional information to BlackBerry’s previous blog post concerning the activities of Storm-0987 or RomCom, which targeted Ukraine and NATO membership talks at the 2023 NATO Summit in Vilnius, Lithuania. In Microsoft’s blog post, they highlight how the threat actors exploited a remote code execution vulnerability before it was disclosed to Microsoft. BlackBerry’s post provides a more detailed analysis of the threat actor’s tactics, techniques, and procedures (TTPs) and their potential impacts on global security and geopolitics.

Historically, the threat actor known as Storm-0987/RomCom has been involved in ransomware attacks and cyber espionage operations. This actor has been known to employ sophisticated and less sophisticated techniques to infiltrate systems and networks, often with the intent of financial gain or espionage. The RomCom backdoor can receive approximately 42 commands, including running AnyDesk and freeSSHd, exfiltrating data, or downloading additional files.

Threat Analysis

The threat actor has demonstrated a sophisticated blend of tactics and techniques in their operations. Their latest campaign, motivated by political objectives, involved spear-phishing emails with malicious attachments for initial access that exploited a remote code execution vulnerability before disclosure to Microsoft (CVE-2023-36884) to deliver a backdoor with capabilities similar to RomCom. The threat actors crafted the emails to appear legitimate. They included links to two documents hosted on a domain (ukrainianworldcongress[.]info) cloned from the legitimate website and created on 26 June and resolving to the IP address 213.139.204[.]13 [AS 395092( SHOCK-1 )].

Indicators include specific email subjects and senders (“NATO Summit, 11-12 July 2023″/uwcukraine@ukrainianworldcongress[.]info), malicious file hashes, and unique network traic patterns associated with the backdoor. These IOCs can identify Storm-0987 activity and create new correlation rules, alerts, or filters. The data sources that contain these reported TTPs and indicators include email servers, endpoint protection platforms, and network monitoring tools.

To correlate malicious activity, an alert on a suspicious email can be associated with endpoint logs showing the execution of a suspicious file. Similarly, network logs can be correlated with endpoint logs to identify the full scope of an intrusion.

The threat actor’s intention for this campaign is political, aiming to disrupt Ukraine’s NATO membership talks and gather intelligence. The group is highly capable, demonstrating advanced social engineering and malware development skills.

Risk & Impact Assessment

Based on the information gathered from the blog posts, it is evident that targeted organizations face a significant risk. The threat actor demonstrates advanced capabilities in cyber espionage and financially motivated attacks. The group’s recent activities indicate a shift in focus towards organizations involved in Ukraine’s NATO membership talks. This shift suggests that the threat actor is interested in obtaining sensitive political information, which could have far-reaching implications for the targeted organizations and nations.

The impact of Storm-0987’s activities is potentially severe. Their multi-stage intrusions can lead to significant data breaches. The threat actor’s focus on Ukraine’s NATO membership talks also raises concerns about geopolitical instability. If sensitive information about these talks is leaked or manipulated, it could disrupt diplomatic relations and potentially escalate tensions. Furthermore, the group could remain undetected for extended periods, allowing them to exfiltrate sensitive data before defensive measures can be implemented. Therefore, organizations must prioritize cybersecurity measures to promptly detect and mitigate such threats.


The threat actor known as Storm-0987 or RomCom has demonstrated a clear pattern of targeting political organizations, particularly those involved in Ukraine’s NATO membership talks. Their use of sophisticated techniques such as spear-phishing, credential harvesting, and lateral movement within networks indicates a high level of technical capability and strategic planning.

Given their recent activities and President Biden’s statement on 13 July that Ukraine will join NATO, it is likely that Storm-0987 will continue to target similar organizations, particularly those involved in geopolitical events. The group’s focus on Ukraine and NATO suggests they are interested in influencing or disrupting Ukraine’s potential NATO membership. Therefore, organizations involved in these discussions, or those with a significant stake in the outcome, should be particularly vigilant.

Furthermore, the group’s use of custom malware and zero-day exploits suggests that they are well-resourced and capable of developing new attack vectors. As such, we can expect that their tactics, techniques, and procedures (TTPs) will continue to evolve, potentially incorporating more advanced exploits or novel intrusion and data exfiltration methods.

ATI Actions & Recommendations

ATI has added observables to our indicator feeds and we conduct further detection assessment and threat hunting from data reported in this intelligence report. However, not all activity can be hunted, detected, or monitored due to limitations in log sources received by Deepwatch.

To counter techniques used by Storm-0987, organizations should consider the following actions:

  • Implement robust email security measures such as DMARC, DKIM, and SPF to prevent spear-phishing attacks. Regularly train staff to recognize and report phishing attempts.
  • Implement multi-factor authentication (MFA) across all systems, particularly for privileged accounts, to mitigate the risk of credential harvesting.
  • Regularly update and patch all systems to protect against known vulnerabilities. Consider implementing a vulnerability management program to identify and remediate vulnerabilities systematically.

Additionally, Microsoft recommends the following actions to mitigate the risk of Storm-0987 and CVE-2023-36884 exploitation attempts:


We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the threat hunting guidance provided below, and the observables listed in the source material.

Be On the Lookout (BOLO)

  • AV/EDR alerts related to the following
    • Registry dumping of the SAM hive
    • Exploitation of CVE-2023-36884
    • Impacket (SMBExec & WMIExec)
  • Anomalous child processes of Microsoft Word (WINWORD.EXE)
    • Ex. WINWORD.EXE spawning msdt.exe (may be indicative of Follina/CVE-2022-30190 exploitation)
  • Anomalous outbound network connections from WINWORD.EXE or its children processes
    • Especially on TCP ports 80, 445, and 139 (HTTP & SMB)
  • In the absence of process network telemetry, it may be possible to hunt this activity by examining web proxy data for outbound connections on port 80 with a rare user agent related to microsoft office
  • Outbound web traic containing the patterns below:
    • ?d= in the URL
      • Ex. hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=34.141.245[.]25_f68f9_
    • “mds/ ” in the URL
      • Ex. hXXp://65[.]21.27.250:8080/mds/D————————
    • “/MSHTML_*/” in the URL
      • hXXp://74[.]50.94.156/MSHTML_C7/RFile[.]asp
      • hxxp://74.50.94[.]156/share1/MSHTML_C7/1/
  • Presence of C:\\Users\\Public\\AccountPictures\\Defender\\Security.dll or addition of registry run keys referencing it
  • External emails containing links to .doc or .docx files as shown in Figure 3
  • Presence/execution of astrachat.msi
  • Modification of the Windows Registry as shown below
    • [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C90250F3-4D7D  4991-9B69-


  • @=”%PUBLIC%\\Libraries\\prxyms<number>.dll”
  • Presence/reference to the following:
    • %PUBLIC%\Libraries\PhotoDirector.dll
    • %PUBLIC%\Libraries\BrowserData\procsys.dll
    • %PUBLIC%\Libraries\upd-fil<number>.dll0
    • %PUBLIC%\Libraries\dsk.exe
    • %PUBLIC%\Libraries\wallet.exe
    • %PUBLIC%\Libraries\7z.dll
    • %PUBLIC%\Libraries\7z.exe
    • %PUBLIC%\Libraries\7za.exe
    • %PUBLIC%\Libraries\msg.dll
    • %PUBLIC%\Libraries\FileInfo.dll
  • Usage of the following commands:
    • %SYSTEMROOT%\System32\control.exe %TEMP%\testdll64.cpl
    • %TEMP%\testdll.dll
    • rundll32.exe %TEMP%\testdll.dll
    • taskkill.exe /f /im iexplore.exe
  • Anomalous/unauthorized usage of 3proxy.exe, plink.exe, or AnyDesk
  • Anomalous ports being opened via rundll32.exe (especially in the range 5554-5600)


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog