Threat actors operating with interests aligned with Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube email servers to target more than 80 organizations .
These entities are mainly located in Georgia, Poland and Ukraine, according to Recorded Future, which attributed the intrusion to an actor known as Winter Vivern, also known as TA473 and UAC0114. The cybersecurity firm is tracking the hacking group under the nickname Threat Activity Group 70 (TAG-70).
Winter Vivern’s exploitation of Roundcube and software security flaws was previously highlighted by ESET in October 2023, joining other Russian-linked threat actor groups such as APT28, APT29 and Sandworm, known to target email software.
The adversary, active since at least December 2020, has also been linked to abusing a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023.
The campaign discovered by Recorded Future began from the beginning of October 2023 and continued until the middle of the month with the aim of gathering information on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbek government mail servers detected in March 2023.
“TAG70 demonstrated a high level of sophistication in its attack methods,” the company said. “Threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted email servers, bypassing the defenses of government and military organizations.”
The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads designed to exfiltrate user credentials on a command and control (C2) server.
Recorded Future said it found evidence of TAG-70 against Iranian embassies in Russia and the Netherlands, as well as the Georgian embassy in Sweden.
“The attack on Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran’s diplomatic activities, particularly regarding its support for Russia in Ukraine,” it said.
“Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia’s aspirations to the European Union (EU) and NATO membership.”