TLDR:
- Russia-aligned hackers targeted European and Iranian embassies in a new espionage campaign using a known bug in a popular webmail server.
- The hackers aimed to gather intelligence on European political and military activities, potentially to gain strategic advantages or undermine security and alliances.
A recent report reveals that a Russia-linked hacking group, tracked as TAG-70, exploited a cross-site scripting (XSS) vulnerability in the Roundcube webmail server to spy on government and military agencies in Europe, as well as Iranian embassies in Russia. Because an XSS flaw in a webmail client runs attacker-supplied script in the browser of an already logged-in user, it can expose mailbox contents without the attacker ever obtaining the victim's credentials. The goal of the espionage campaign was to collect intelligence on European political and military activities, with a possible aim of gaining strategic advantages or undermining security and alliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the Roundcube bug to its catalog of known exploited vulnerabilities earlier in February.
The hackers, who are connected to the Winter Vivern group, began exploiting Roundcube webmail servers in October 2023, targeting victims mainly in Georgia, Poland, and Ukraine. The group is considered a well-funded and sophisticated threat actor. The targeting of Iranian embassies in Russia and the Netherlands may be linked to assessing Iran’s foreign policy.
Winter Vivern’s attack on Roundcube webmail servers is the latest instance of Russia-aligned threat actors targeting email software. The group poses a significant threat to Ukraine, as compromised mail accounts could expose sensitive information regarding Ukraine’s war efforts and relationships with partner countries. The group has also targeted government agencies and telecom operators in Ukraine, India, and Europe in previous campaigns.