Hackers target European organisations through Roundcube flaws

February 21, 2024

A sophisticated espionage campaign orchestrated by Russian-affiliated hackers, known as Winter Vivern or TA473/UAC0114, has emerged as a source of growing concern. This targeted assault has impacted more than 80 organisations whose interests align closely with Belarus and Russia. By capitalising on flaws within Roundcube webmail servers, the threat actors skillfully utilised cross-site scripting (XSS) techniques, as determined by cybersecurity experts.

The affected entities, primarily located in Georgia, Poland, and Ukraine, were subjected to a sophisticated attack by Threat Activity Group 70 (TAG-70), aka Winter Vivern.

The group, active since at least December 2020, has a history of exploiting security flaws in Roundcube email servers, as previously highlighted by ESET in October 2023. Winter Vivern joins the ranks of other Russia-linked threat actor groups, including APT28, APT29, and Sandworm, known for targeting email software.

TAG-70 targeted European political and military intelligence, using Roundcube flaws to access mail servers and bypass government defences.

Commencing in early October 2023 and extending through the middle of the month, the campaign had a central goal of gathering intelligence on European political and military activities. TAG-70 showcased a remarkable level of sophistication, employing social engineering tactics and exploiting vulnerabilities in Roundcube webmail servers to clandestinely access targeted mail servers. This adept approach allowed them to bypass the defences of government and military organisations.

The attack chains utilised Roundcube flaws to deliver JavaScript payloads designed to exfiltrate user credentials to a command-and-control (C2) server. This method allowed the hackers to compromise the security of the targeted organisations and access sensitive information.
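As an added illustration of the defensive side of the mechanism described above (this is not code from the article, from Roundcube or from any vendor), the check below walks an HTML mail body and flags the markers through which script is typically smuggled into a webmail client: active tags, inline event handlers and javascript:/data: URIs. The sample bodies and the "run()" handler are constructed for the demo.

```python
"""Flag HTML e-mail bodies carrying script-injection markers.

Added example for a mail-gateway or mailbox-audit check; assumptions:
the input is the decoded text/html part of one message, and a non-empty
finding list is enough to quarantine or alert on it.
"""
from html.parser import HTMLParser

# Tags that execute or embed active content when a webmail client renders them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is resolved as a URI and may carry a script scheme.
URI_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "data:text/html")


class XssMarkerScanner(HTMLParser):
    """Collect findings while walking the HTML token stream."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on") and len(name) > 2:
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS and value.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"{name} uses scheme {value.split(':')[0]}: on <{tag}>")


def scan_html_mail(body: str) -> list[str]:
    """Return the findings for one HTML body; an empty list means no marker seen."""
    scanner = XssMarkerScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample bodies (not artefacts from the campaign).
BENIGN = "<p>Agenda for <b>Monday</b>: <a href='https://example.invalid/doc'>minutes</a></p>"
SUSPECT = "<p>Invitation</p><img src='x' onerror='run()'>"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_html_mail(body) or "clean")
```

A check like this catches only the obvious markers; a hardened Roundcube deployment still relies on the vendor's patches and its own HTML sanitiser, and the scanner is a second, independent signal for detection.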

TAG-70’s operations extend beyond the region, as evidenced by their targeting of Iranian embassies in Russia and the Netherlands, along with the Georgian Embassy in Sweden. Analysts theorise that these precise embassy targets signify a wider geopolitical interest, specifically in evaluating Iran’s diplomatic activities and its support for Russia in Ukraine. Likewise, the espionage directed at Georgian government entities underscores a keen interest in surveilling Georgia’s ambitions for accession to the European Union (EU) and NATO.

The cyber espionage campaign highlights the evolving tactics of threat actors and the critical need for organisations to bolster their cybersecurity measures. As cyber threats become increasingly sophisticated, vigilance and proactive security measures are imperative to protect sensitive information from falling into the wrong hands.
