Russia-aligned hackers target European and Iranian embassies in new espionage campaign

A Russia-linked hacking group is exploiting a known bug in a popular webmail server to spy on government and military agencies in Europe, as well as Iranian embassies in Russia, according to a new report.

In a recent espionage campaign, the hackers tracked as TAG-70 used a cross-site scripting (XSS) vulnerability in the Roundcube web-based email server. During XSS attacks, malicious scripts are injected by hackers into otherwise benign and trusted websites.

The goal of the group’s latest campaign was to collect intelligence on European political and military activities, "possibly to gain strategic advantages or undermine European security and alliances," according to researchers from Recorded Future’s Insikt Group, who analyzed the attacks and presented on the topic at the Munich Security Conference. The Record is an editorially independent unit of Recorded Future.

Earlier in February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Roundcube bug, tracked as CVE-2023-43770, to its catalog of known exploited vulnerabilities.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

According to the Insikt Group’s report, the hackers, who overlap with the Winter Vivern group, likely started exploiting Roundcube webmail servers at the beginning of October 2023 and continued until at least mid-October.

Winter Vivern has been active since at least December 2020 and likely conducts cyber-espionage campaigns to serve the interests of Belarus and Russia. The group employs advanced techniques and tools, indicating that it’s a "well-funded and skilled threat actor that demonstrated a high level of sophistication in its attack methods,” researchers said.

Its victims were mostly located in Georgia, Poland, and Ukraine. The targeting of the Iranian embassies in Russia and the Netherlands may be linked to a desire “to assess Iran's current diplomatic activities and foreign policy, especially as Russia continues to rely on Iran-provided weapons in Ukraine,” according to the report.

Winter Vivern’s attack on Roundcube webmail servers is the most recent instance of targeting email software attributed to Russia-aligned threat actors, researchers said.

Last June, Insikt researchers discovered that the Russian state-sponsored cyber-espionage group BlueDelta, which overlaps with Fancy Bear, was targeting vulnerable Roundcube installations across Ukraine and had previously exploited a critical zero-day vulnerability in Microsoft Outlook.

Other Russian state hackers, such as Sandworm and Midnight Blizzard, have also targeted email services in various campaigns.

Winter Vivern poses a significant threat to Ukraine, as compromised email servers may expose sensitive information regarding Ukraine’s war effort and planning, its relationships, and negotiations with its partner countries, researchers said.

Last February, the group infected Ukrainian government computers with malware hosted on fake websites impersonating legitimate state services. During the campaign in March, Winter Vivern targeted government agencies and telecom operators in Ukraine, India, and Europe.

Ukraine’s cybersecurity agency did not respond to a request for comment about Roundcube hack targets in Ukraine.

READ MORE: Munich Cyber Security Conference 2024 Live Updates

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.