A new round of cyberattacks against the US has raised concerns about hidden attempts to access urban infrastructure systems, according to an update from the Center for Countering Disinformation.
Investigators found that the attackers relied on SocGholish and RomCom, two tools widely used in cybercrime. While these tools are not new, their deployment in this case suggests a deliberate effort to imitate criminal activity and make attribution significantly harder.
Security analysts say this approach has become more common in cyberattacks against the US, where Russian special services attempt to blur the line between criminal campaigns and state-backed operations. By doing so, they complicate forensic analysis and slow the response of US intelligence agencies, buying themselves more time inside targeted networks.
Cyberattacks Against the US Engineering Firm
The breached engineering company works closely with contractors that operate water supply networks, transportation systems, and emergency response services. During the intrusion, hackers reportedly accessed information about internal workflows and critical access points linked to these sectors.
This type of information is valuable for anyone looking to understand how US infrastructure is managed, maintained, and defended. Even without causing immediate disruption, gaining insight into these processes can help adversaries identify weak spots or plan future interference.
The breach also shows how third-party contractors continue to be an attractive entry point for attackers studying the broader ecosystem of American infrastructure.
Use of SocGholish–RomCom Chain Raises Attribution Concerns
The use of the SocGholish–RomCom chain is notable because it is frequently associated with financially motivated cybercrime. In this case, however, analysts say its deployment looks more like a cover than a coincidence.
By leaning on familiar criminal tools, Russian-linked groups can:
- Disguise the true nature of the operation
- Blend in with regular cybercrime traffic
- Delay the time it takes to trace the activity
- Force investigators to sift through layers of misleading indicators
This tactic has effectively created a “fog” around cyberattacks against the US, making it harder to quickly determine whether an incident is routine criminal activity or something more coordinated.
Possible Motives
Targeting an engineering firm suggests the attackers were not simply looking for data to sell. Analysts believe the motive was reconnaissance, specifically, understanding how infrastructure systems are structured and how contractors manage their access privileges.
Such information could be used in the future to exploit vulnerabilities or carry out sabotage. Experts also point out that even an incomplete attack offers useful insights into how American cybersecurity teams respond, how fast they contain threats, and what defensive tools they rely on.
The report also comes as international partners continue stepping up their own cybersecurity efforts. The Netherlands recently committed €10 million to join the UK’s cyber program supporting Ukraine, citing growing digital threats.
Canada, meanwhile, expanded its sanctions to include more than 100 vessels from Russia’s “shadow fleet” and several organizations connected to the country’s cyber infrastructure. The move is part of a wider effort to limit the networks and resources that support Russian cyber operations.
