A new cyber espionage campaign that targeted more than 80 organizations is thought to have used cross-site scripting ( XSS) vulnerabilities in Roundcube webmail servers. Threat actors with interests aligned with Belarus and Russia have been linked to the campaign.
According to Recorded Future, which attributed the intrusion set to the threat actor Winter Vivern, also known as TA473 and UAC0114, these entities are primarily found in Georgia, Poland, and Ukraine. Threat Activity Group 70 ( TAG- 70 ) is the name under which the cybersecurity company is monitoring the hacking group.
ESET previously highlighted Winter Vivern’s use of security flaws in Roundcube and software in October 2023, joining other Russia-linked threat actor groups that are known to target email software, including APT28 and Sandworm.
The attacker, who has been active since at least December 2020, has also been connected to the July 2023 infiltration of Moldovan and Tunisian organizations using a now-patched vulnerability in Zimbra Collaboration email software.
With the intention of gathering information on European political and military activities, the campaign discovered by Recorded Future began at the beginning of October 2023 and lasted until the middle of the month. The attacks coincide with additional TAG-70 activity that was found in March 2023 against government mail servers in Uzbekistan.
According to the company, “TAG70 has shown that its attack techniques are highly sophisticated.” To gain unauthorized access to targeted mail servers and get around the defenses of governmental and military organizations, the threat actors used social engineering techniques and cross-site scripting vulnerabilities in Roundcube webmail servers.
In order to deliver JavaScript payloads intended to exfiltrate user credentials to a command-and-control ( C2 ) server, attack chains exploit Roundcube flaws.
Additionally, according to Recorded Future, TAG-70 was found to have targeted the Georgian Embassy in Sweden as well as the Iranian embassies in Russia and the Netherlands.
It claimed that the targeting of Iranian embassies in Russia and the Netherlands” suggests a broader geopolitical interest in evaluating Iran’s diplomatic activities, particularly regarding its support for Russia in Ukraine.”
Similar to this, spying on Georgian government organizations reflects interests in keeping tabs on the country’s plans to join NATO and the European Union ( EU).