Hackers Hit Mail Servers for Political and Military Intel

A Russian-linked actor, TAG-70, has targeted mail servers in Ukraine, Georgia, and Poland, aiming to collect intelligence on European political and military activities, particularly related to Ukraine’s war efforts.

Recorded Future’s Insikt Group has identified TAG-70, a potential threat actor allegedly working for Belarus and Russia, targeting government, military, and infrastructure entities across Europe and Central Asia since December 2020. The latest round of attacks was observed between October and December 2023.

The group is also known as Winter Vivern, TA-473, and UAC-0114. According to Insikt Group’s report (PDF), TAG-70 was discovered exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe.

The group mainly targeted government, military, and national infrastructure in Georgia, Poland, and Ukraine, though targets were also observed in Belgium, France, the Czech Republic, Germany, and the UK.

TAG-70 reportedly used social engineering techniques to gain unauthorized access to mail servers across 80 organizations, including the Iranian Embassies in Moscow and the Netherlands, and the Georgian Embassy in Sweden.

The campaign aimed to gather intelligence on European political and military affairs, potentially gaining strategic advantages or undermining European security and alliances. Servers were primarily affected in Ukraine (30.9%), Georgia (13.6%), and Poland (12.3%).

The espionage campaign uses spearphishing emails to deliver JavaScript payloads that exploit the Roundcube vulnerability tracked as CVE-2023-563. The malicious code logs users out of Roundcube and presents a new sign-in window.

The zero-day exploit allowed unauthorized access to mail servers across 80 organizations, including transport, education, chemical, and biological research sectors. The activity is similar to previous campaigns by other Russian-aligned threat groups like BlueDelta and Sandworm, which also targeted email solutions like Roundcube.

The compromised email servers pose a significant risk to Ukraine’s war effort, diplomatic relations, and coalition partners. Researchers warn that cyber-espionage groups targeting webmail software platforms, including Roundcube, may expose sensitive information about Ukraine’s defence efforts, partner countries, and third-party cooperation. They predict that these groups will continue targeting these platforms as Ukraine’s conflict continues and tensions with the EU and NATO rise.

Organizations must patch Roundcube installations, detect indicators of compromise (IoCs), and implement robust cybersecurity measures to mitigate the threat. Other effective measures include stronger email security, encryption, secure email gateways, regular audits, employee awareness training, and network segmentation. The sophisticated attack methods and potential national security impact highlight the need for vigilance and awareness.
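Because the campaign delivers JavaScript payloads inside email bodies and attachments that a webmail client renders, one practical detection step is to scan inbound messages for MIME parts that carry active script content. The following is an added example, not code from the Insikt Group report or from Roundcube; the sample message, the `SCRIPT_PATTERNS` heuristics, and the `script_findings` function are all constructed here for illustration.

```python
"""Flag e-mail MIME parts carrying active script content (added example,
not the report's own tooling; patterns are heuristics, expect false positives)."""
import re
from email import message_from_bytes, policy

# Patterns that indicate script execution once an HTML/SVG part is rendered.
SCRIPT_PATTERNS = [
    re.compile(rb"<\s*script\b", re.I),      # inline <script> element
    re.compile(rb"\son[a-z]+\s*=", re.I),    # event handler attributes: onload=, onerror=, ...
    re.compile(rb"javascript\s*:", re.I),    # javascript: URIs in href/src
]
# Content types a webmail client may render in the page's own origin.
RISKY_TYPES = {"text/html", "image/svg+xml", "application/xhtml+xml"}

def script_findings(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (content type, filename or '', matched pattern) for every
    risky part of the message whose decoded body matches a script pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        # Also inspect attachments whose *name* claims to be SVG or HTML.
        name = part.get_filename() or ""
        if ctype not in RISKY_TYPES and not name.lower().endswith((".svg", ".html", ".htm")):
            continue
        body = part.get_payload(decode=True) or b""
        for pat in SCRIPT_PATTERNS:
            if pat.search(body):
                findings.append((ctype, name, pat.pattern.decode()))
                break  # one finding per part is enough for triage
    return findings

# Constructed sample: a plain-text body plus an SVG attachment with an event handler.
SAMPLE_EML = b"""\
From: sender@example.invalid
Subject: constructed test message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

See attached.
--b1
Content-Type: image/svg+xml; name="chart.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="handler()"></svg>
--b1--
"""
```

Run `script_findings(SAMPLE_EML)` against the constructed message to see the SVG attachment flagged; feeding it a mail spool or gateway quarantine gives a quick triage list of parts worth manual review.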