Russian-Linked Hackers Breach 80+ Organizations via Roundcube Flaws

Feb 19, 2024NewsroomCyber Espionage / Vulnerability

Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations.

These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat actor known as Winter Vivern, which is also known as TA473 and UAC0114. The cybersecurity firm is tracking the hacking outfit under the moniker Threat Activity Group 70 (TAG-70).

Winter Vivern’s exploitation of security flaws in Roundcube and software was previously highlighted by ESET in October 2023, joining other Russia-linked threat actor groups such as APT28, APT29, and Sandworm that are known to target email software.

The adversary, which has been active since at least December 2020, has also been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023.

The campaign discovered by Recorded Future took place from the start of October 2023 and continued until the middle of the month with the goal of collecting intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan government mail servers that were detected in March 2023.

“TAG70 has demonstrated a high level of sophistication in its attack methods,” the company said. “The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations.”

The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads that are designed to exfiltrate user credentials to a command-and-control (C2) server.

Recorded Future said it also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden.

“The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran’s diplomatic activities, especially regarding its support for Russia in Ukraine,” it said.

“Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.”