19 February 2024

Russian cyberspies target military and govt RoundCube mail servers in Ukraine, Georgia and Poland

A Russia-linked state-backed threat actor has been abusing an XSS vulnerability in the popular RoundCube webmail software in a cyberespionage campaign targeting government, military, and national infrastructure-related entities across Europe, including Ukraine, Poland and Georgia.

According to a new report from Recorded Future’s Insikt Group, the threat actor it tracks as TAG-70 (Threat Activity Group 70, aka Winter Vivern, TA473 and UAC-0114) has targeted over 80 organizations since October 2023. Additionally, TAG-70 targeted Uzbekistan’s government mail servers and Iran’s embassies in Russia and the Netherlands as part of this campaign.

The threat actor’s exploitation of RoundCube flaws was previously detailed by Slovak cybersecurity firm ESET. The targeted vulnerabilities included CVE-2023-5631 and CVE-2020-35730, both cross-site scripting issues that can be used by a remote attacker to execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website.

On the same note, the US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-43770 security flaw impacting RoundCube email software to its Known Exploited Vulnerabilities (KEV) catalog, indicating that this bug is being exploited by hackers.

Winter Vivern has been active since at least 2020, targeting governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor. While the group has not been linked to any particular government, security researchers say that the threat actor’s targeting aligns with the support of Russian and/or Belarusian geopolitical goals related to the Russia-Ukraine war. According to researchers, Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022.

In June 2023, Russia’s GRU military hacking unit known as APT28 (Fancy Bear, Forest Blizzard or BlueDelta) was observed compromising government institutions and military entities involved in aircraft infrastructure in Ukraine via security flaws in vulnerable RoundCube webmail servers. The APT28 campaign exploited three vulnerabilities in the RoundCube email software (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run malicious scripts designed to perform reconnaissance on RoundCube servers, redirect incoming emails to an attacker-controlled address, and collect session cookies, user information, and address books.

“In the context of the ongoing war in Ukraine, compromised email servers may expose sensitive information regarding Ukraine’s war effort and planning, its relationships and negotiations with its partner countries as it seeks additional military and economic assistance, expose third parties cooperating with the Ukrainian government privately, and reveal fissures within the coalition supporting Ukraine,” Recorded Future said.

Continuing the theme of Russia-aligned hacker groups, VulnCheck’s Patrick Garrity put together a comprehensive visualization of targets, tactics and exploits used by the Cozy Bear cyberespionage group.
