A prolific APT group linked to the Russian government has been caught exploiting security flaws in the open-source Roundcube webmail software to spy on organizations in Ukraine, including government institutions and military entities involved in aircraft infrastructure.
According to an advisory [PDF] from threat intelligence firm Recorded Future, the Roundcube server infections are being used to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books.
Recorded Future teamed up with Ukraine’s Computer Emergency Response Team (CERT-UA) to document the activity, which is being attributed to Russia’s GRU military spy unit.
“The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails with attachments, which immediately compromised vulnerable Roundcube servers without engaging with the attachment,” Recorded Future explained.
The GRU-linked group, which has been operational since at least November 2021, has been blamed for previous use of zero-day flaws in Microsoft’s flagship Outlook software. According to public documentation, the group is focused on digital spying on entities in Ukraine and across Europe, primarily among government and military/defense organizations.
Recorded Future released IOCs and technical artifacts from the latest discovery to help defenders, and recommended that organizations configure intrusion detection systems (IDS), intrusion prevention systems (IPS) or other network defense mechanisms to flag traffic involving the identified malicious domains.