A Russia-linked hacking group known as RomCom targeted a U.S. civil engineering firm in September 2025 using SocGholish, a JavaScript loader that is usually delivered through fake browser-update prompts on compromised websites and is widely sold as initial access for ransomware and other follow-on intrusions. The firm had previously worked on infrastructure projects in a city closely tied to Ukraine, which suggests a geopolitical motive behind the attack.

The intrusion likely aimed at intellectual property theft, espionage, or disruption, given the firm's role in civil engineering, a sector critical to national and regional security. The source article does not report data exfiltration or operational disruption, but SocGholish is a known precursor to ransomware and to hands-on-keyboard intrusions by more capable actors, so the risk is high. If the attackers gained persistent access, they could have reached sensitive project designs, government contracts, or proprietary engineering data, potentially undermining U.S. infrastructure resilience.

The firm's association with Ukraine-aligned projects heightens concern about state-sponsored operations, in which stolen data could be used for sabotage, influence operations, or targeting ahead of kinetic attacks. Because no details of the breached systems or stolen data have been published, the full impact remains unclear, but the targeting of a civil engineering entity fits the broader pattern of critical-infrastructure attacks by adversarial nation-states.
Source: https://www.scworld.com/brief/dia-it-specialist-charged-in-espionage-attempt
TPRM report: https://www.rankiteo.com/company/se3
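SocGholish's usual delivery chain (a fake browser-update page that drops a zipped .js loader, which the victim runs with wscript.exe, followed by scripted discovery such as whoami, nltest and net group) gives a defender two concrete process-telemetry checks. The following is an added example written for this page, not code from the source article, from the affected firm, or from any vendor. The process events are constructed to resemble Sysmon/EDR process-creation records and are not indicators from this incident; the path, file-name and discovery-command patterns are general heuristics for the SocGholish delivery style, not RomCom-specific or incident-specific IOCs.

```python
import re
from collections import defaultdict

# Windows script hosts that execute the dropped .js loader.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Script launched from a user-writable location (browser downloads, temp dirs).
USER_WRITABLE = re.compile(r"\\(?:downloads|appdata\\local\\temp|temp)\\", re.IGNORECASE)

# File names that imitate a browser update, e.g. "Chrome.Update.js" (heuristic, assumed pattern).
FAKE_UPDATE_NAME = re.compile(r'(?:update|chrome|firefox|edge)[^\\"]*\.(?:js|jse|wsf)\b', re.IGNORECASE)

# Host/domain discovery commands commonly run right after the loader executes.
DISCOVERY_CMD = re.compile(
    r"\b(?:whoami|nltest|systeminfo|ipconfig|net1?\s+(?:user|group|localgroup|view))\b",
    re.IGNORECASE,
)

# A single discovery child (e.g. a logon script calling ipconfig) is normal;
# several from one script host in a row is the pattern we care about.
MIN_DISCOVERY_CHILDREN = 2


def _image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_socgholish_style(events):
    """Run both heuristics over a batch of process-creation events.

    Each event is a dict with keys host, pid, ppid, image, cmdline.
    Returns a list of finding dicts (rule, host, pid, severity, evidence).
    """
    findings = []
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    for ev in events:
        if _image_name(ev["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = ev["cmdline"]

        # Rule 1: script host running a script out of a user-writable directory.
        if USER_WRITABLE.search(cmd):
            findings.append({
                "rule": "script_host_from_user_writable_path",
                "host": ev["host"],
                "pid": ev["pid"],
                "severity": "high" if FAKE_UPDATE_NAME.search(cmd) else "medium",
                "evidence": cmd,
            })

        # Rule 2: the same script host spawning a chain of discovery commands.
        discovery = [c["cmdline"] for c in children[ev["pid"]]
                     if DISCOVERY_CMD.search(c["cmdline"])]
        if len(discovery) >= MIN_DISCOVERY_CHILDREN:
            findings.append({
                "rule": "script_host_discovery_chain",
                "host": ev["host"],
                "pid": ev["pid"],
                "severity": "high",
                "evidence": discovery,
            })
    return findings


# Constructed sample telemetry (not from the incident): one fake-update chain
# on pids 4120-4192 and one benign domain logon script on pids 5001/5100.
SAMPLE_EVENTS = [
    {"host": "ws-eng-17", "pid": 3300, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "ws-eng-17", "pid": 4120, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Chrome.Update.js"'},
    {"host": "ws-eng-17", "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"host": "ws-eng-17", "pid": 4190, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nltest /dclist:"},
    {"host": "ws-eng-17", "pid": 4192, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"host": "ws-eng-17", "pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B \\corp-dc01\netlogon\logon.vbs"},
    {"host": "ws-eng-17", "pid": 5100, "ppid": 5001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for finding in detect_socgholish_style(SAMPLE_EVENTS):
        print(finding["severity"], finding["rule"], finding["pid"], finding["evidence"])
```

Run against the constructed batch, the script-host process 4120 trips both rules, while the logon-script host 5001 trips neither: its script lives on a NETLOGON share, not in a download or temp directory, and it spawns only one discovery command, below the threshold. The two-child threshold and the path list are the knobs to tune against your own baseline; in an environment where users legitimately run scripts from Downloads, rule 1 should be downgraded to enrichment and rule 2 left as the alert.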
{
  "id": "se31651416112825",
  "linkid": "se3",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {"industry": "civil engineering", "location": "United States", "type": "private sector"}
  ],
  "attack_vector": ["malware (SocGholish)", "targeted phishing/social engineering (likely)"],
  "date_detected": "2025-09",
  "date_publicly_disclosed": "2025-11-26",
  "description": "Russia-linked hacking operation RomCom targeted a U.S. civil engineering firm with SocGholish malware in September 2025, following the firm's work in a city closely tied to Ukraine.",
  "impact": {
    "brand_reputation_impact": ["potential reputational damage due to association with geopolitical targeting"]
  },
  "initial_access_broker": {
    "high_value_targets": ["potential geopolitical intelligence", "project data related to Ukraine-tied city"]
  },
  "investigation_status": "disclosed (limited details)",
  "motivation": ["geopolitical (likely retaliation for work in Ukraine-tied city)", "espionage", "potential data theft"],
  "references": [{"date_accessed": "2025-11-26", "source": "Cybersecurity Dive"}],
  "threat_actor": ["RomCom (Russia-linked hacking group)"],
  "title": "RomCom Hacking Group Targets U.S. Civil Engineering Firm with SocGholish Malware",
  "type": ["cyberattack", "malware infection"]
}