
Russian hackers target vulnerable webmail servers in Europe for espionage

Vulnerable webmail servers appear to be part of the general modus operandi Russian hackers use for espionage campaigns. Previously, in June 2023, another Russian state-sponsored cyber-espionage group, BlueDelta (aka FancyBear, APT28), was targeting vulnerable Roundcube installations across Ukraine; the same group had also exploited CVE-2023-23397, a critical zero-day vulnerability in Microsoft Outlook, in 2022, according to Insikt Group.

Other well-known Russian threat actor groups, such as Sandworm and BlueBravo (aka APT29, Midnight Blizzard), have also targeted email solutions in various campaigns in the past, Insikt Group added.

CVE-2023-5631 affects Roundcube versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. “To mitigate the risk posed by TAG-70’s campaign, organizations should ensure that their Roundcube installations are patched and up-to-date, while actively hunting for indicators of compromise (IoCs) in their environments,” the report added.
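The patch check recommended above, expressed as an added example that is not part of the report or the article: it encodes the affected ranges the article lists for CVE-2023-5631 and flags any host in an inventory whose Roundcube version falls inside them (the inventory and host names are constructed).

```python
"""Flag Roundcube installations inside the CVE-2023-5631 affected ranges
stated above: before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4."""
import re

# First fixed release per branch, taken from the article's version ranges.
FIXED = {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)}


def parse_version(text):
    """Turn '1.6.3' or '1.6.3-rc1' into (1, 6, 3); the pre-release suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """True if the version is in an affected range, False if it is at or past the fix.

    'Before 1.4.15' covers every release older than the 1.4 branch as well, so
    those are affected. Branches newer than 1.6 are outside the ranges the
    article gives and are treated as not affected (an assumption, not a claim
    from the report)."""
    v = parse_version(text)
    if v < (1, 4, 0):
        return True
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False
    return v < fixed


def hosts_needing_patch(inventory):
    """Given {host: version}, return the sorted hosts still running an affected version."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; these hosts and versions are not from the report.
SAMPLE_INVENTORY = {
    "mail-a.example.invalid": "1.6.3",
    "mail-b.example.invalid": "1.6.4",
    "mail-c.example.invalid": "1.5.5",
    "mail-d.example.invalid": "1.4.14",
    "mail-e.example.invalid": "1.3.17",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Roundcube {SAMPLE_INVENTORY[host]} is affected by CVE-2023-5631")
```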

Campaign with geo-political motives

The research notes that email servers represent a significant risk in the context of the ongoing Russia-Ukraine conflict, exposing sensitive information regarding Ukraine’s war effort and planning. Thirty-one percent of Winter Vivern victims were from Ukraine, according to Insikt Group findings.

“Additionally, Insikt Group detected TAG-70 targeting Iran’s embassies in Russia and the Netherlands, which is notable given Iran’s support of Russia’s war effort in Ukraine,” the report added. “Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.”

In March 2023, the threat group was reported to have targeted elected officials in the United States and their staffers. Around the same time, SentinelLabs revealed the group’s other espionage campaigns with global targets.
