Virtual Event Today: Ransomware Resilience & Recovery Summit - Login to Live Event
Connect with us

Hi, what are you looking for?



Russian Cyberspies Exploit Roundcube Flaws Against European Governments

Russian cyberespionage group targets European government, military, and critical infrastructure entities via Roundcube vulnerabilities.

A Russian cyberespionage group has been observed exploiting vulnerable Roundcube webmail servers in attacks against European government, military, and critical infrastructure entities, cybersecurity firm Recorded Future reports.

The threat actor, tracked as Winter Vivern, TA473, TAG-70, and UAC-0114, has been active since at least December 2020, targeting governments in Europe and Central Asia, in line with Belarusian and Russian interests.

In October 2023, Winter Vivern was caught targeting CVE-2023-5631, a zero-day cross-site scripting (XSS) vulnerability in the Roundcube webmail server, in attacks aimed at government entities and a think tank in Europe.

In a new report (PDF), Recorded Future notes that, in October 2023, the threat actor exploited vulnerable Roundcube servers in attacks against at least 80 organizations, mainly in Georgia, Poland, and Ukraine. The attacks also hit the Iranian embassies in Moscow and the Netherlands, and Georgia’s embassy in Sweden.

“TAG70 predominantly targeted government and military webmail servers; however, the group also targeted the transport and education sectors along with chemical and biological research organizations,” Recorded Future says.

As part of the observed attacks, the threat actor relied on social engineering and exploited XSS flaws to gain access to the targeted mail servers and collect intelligence on political and military activities, likely “to gain strategic advantages or undermine European security and alliances”.

In the context of the war in Ukraine, the compromise of email servers may lead not only to the exposure of sensitive information regarding Ukraine’s war effort and planning, but also to the manipulation of communication channels, Recorded Future notes.

The cybersecurity firm attributes the attacks to Winter Vivern based on the reuse of infrastructure and artifacts (HTTP banners) observed in previous campaigns, as well as code similarities with previously identified JavaScript malware.

Advertisement. Scroll to continue reading.

“Belarus and Russia-aligned cyber-espionage groups will almost certainly continue, if not expand, targeting webmail software platforms, including Roundcube, while the conflict in Ukraine continues and while tensions with the EU and NATO remain high,” Recorded Future concludes.

Related: CISA Warns of Roundcube Webmail Vulnerability Exploitation

Related: Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA ‘Must Patch’ List

Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...


A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.


In a campaign called Volt Typhoon, Microsoft says Chinese government hackers were siphoning data from critical infrastructure organizations in Guam, a U.S. territory in...