Connect with us

Hi, what are you looking for?


Email Security

Russian APT Group Caught Hacking Roundcube Email Servers

A Russian hacking group has been caught hacking into Roundcube servers to spy on government institutions and military entities in Ukraine.

Russian Cyberattacks

A prolific APT group linked to the Russian government has been caught exploiting security flaws in the open-source Roundcube webmail software to spy on organizations in Ukraine, including government institutions and military entities involved in aircraft infrastructure.

According to an advisory [PDF] from threat intelligence firm Recorded Future, the Roundcube server infections are being used to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books.

Recorded Future teamed up with Ukraine’s Computer Emergency Response Team (CERT-UA) to document the activity, which is being attributed to Russia’s GRU military spy unit.

“The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails with attachments, which immediately compromised vulnerable Roundcube servers without engaging with the attachment,” Recorded Future explained.

The company said the attachment contained JavaScript code that executed additional JavaScript payloads from the hacking team’s infrastructure. “The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources,” Recorded Future said.

The GRU-linked group, which has been operational since at least November 2021, has been blamed for previous use of zero-day flaws in Microsoft’s flagship Outlook software. According to public documentation, the group is focused on digital spying on entities in Ukraine and across Europe, primarily among government and military/defense organizations.  

Recorded Future released IOCs and technical artifacts from the latest discovery to help defenders and recommended that organizations configure intrusion detection systems (IDS), intrusion prevention systems (IPS) or  network defense mechanisms to pinpoint malicious activity from malicious domains.

Advertisement. Scroll to continue reading.

The company is also recommending that organizations implement measures to disable HTML and/or JavaScript within email attachments, and filter incoming email traffic using anti-spoofing and authentication mechanisms (such as SPF or DKIM) that check the validity of the sender’s records. 

Related: Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April

Related: Microsoft Pins Outlook Zero-Day Attacks on Russia, Ships Detection Script

Related: Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...