A Russian cyberespionage group has been observed exploiting vulnerable Roundcube webmail servers in attacks against European government, military, and critical infrastructure entities, cybersecurity firm Recorded Future reports.
The threat actor, tracked as Winter Vivern, TA473, TAG-70, and UAC-0114, has been active since at least December 2020, targeting governments in Europe and Central Asia, in line with Belarusian and Russian interests.
In October 2023, Winter Vivern was caught targeting CVE-2023-5631, a zero-day cross-site scripting (XSS) vulnerability in the Roundcube webmail server, in attacks aimed at government entities and a think tank in Europe.
In a new report (PDF), Recorded Future notes that, in October 2023, the threat actor exploited vulnerable Roundcube servers in attacks against at least 80 organizations, mainly in Georgia, Poland, and Ukraine. The attacks also hit the Iranian embassies in Moscow and the Netherlands, and Georgia’s embassy in Sweden.
“TAG70 predominantly targeted government and military webmail servers; however, the group also targeted the transport and education sectors along with chemical and biological research organizations,” Recorded Future says.
As part of the observed attacks, the threat actor relied on social engineering and exploited XSS flaws to gain access to the targeted mail servers and collect intelligence on political and military activities, likely “to gain strategic advantages or undermine European security and alliances”.
In the context of the war in Ukraine, the compromise of email servers may lead not only to the exposure of sensitive information regarding Ukraine’s war effort and planning, but also to the manipulation of communication channels, Recorded Future notes.
The cybersecurity firm attributes the attacks to Winter Vivern based on the reuse of infrastructure and artifacts (HTTP banners) observed in previous campaigns, as well as code similarities with previously identified JavaScript malware.
“Belarus and Russia-aligned cyber-espionage groups will almost certainly continue, if not expand, targeting webmail software platforms, including Roundcube, while the conflict in Ukraine continues and while tensions with the EU and NATO remain high,” Recorded Future concludes.
Related: CISA Warns of Roundcube Webmail Vulnerability Exploitation
Related: Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA ‘Must Patch’ List
Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
