Russian Espionage Operation Targets Organizations Linked to Ukraine War

A sophisticated cyber espionage operation has been uncovered by cybersecurity firm ESET, revealing a large-scale campaign conducted by Fancy Bear, a notorious Russian hacking group associated with the Kremlin. The operation, dubbed "RoundPress," began at least as early as 2023 and has been targeting Ukrainian governmental entities, defense companies in Bulgaria and Romania, and governments in Africa, Europe, and South America.

The primary goal of Operation RoundPress is to steal confidential data from specific email accounts, with a focus on compromising login credentials, exfiltrating email data, and sometimes compromising two-factor authentication (2FA) to enable sustained access to victim mailboxes. The attackers use spearphishing emails, leveraging cross-site scripting (XSS) vulnerabilities in webmail software such as Roundcube, Horde, MDaemon, and Zimbra.

To execute the exploit, the attackers need to convince the target to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and have a convincing subject line, often using well-known news media outlets such as Ukrainian news outlet Kyiv Post or Bulgarian news portal News.bg.

Among the subject lines used in the spearphishing emails were: “SBU arrested a banker who worked for enemy military intelligence in Kharkiv” and “Putin seeks Trump’s acceptance of Russian conditions in bilateral relations.” Once the target opens the email, the attackers unleash a series of JavaScript payloads, including SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.

The MDaemon vulnerability – CVE-2024-11182, now patched – was a zero-day discovered and exploited by the threat group, while the flaws used against Horde, Roundcube, and Zimbra were older, already known vulnerabilities. Since then, the group has also started to exploit a newer Roundcube vulnerability, CVE-2023-43770.

"Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups, including [Fancy Bear], GreenCube and Winter Vivern. Because many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft," said ESET researcher Matthieu Faou.
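A single email can trigger these flaws because webmail renders the message's HTML inside the server's own web origin, so any script-capable markup the server fails to strip runs with the logged-in user's session. The checker below is an added example, not ESET's tooling or any of the SpyPress payloads: it parses a constructed sample message and lists the classes of active content a webmail sanitizer must neutralize before rendering; all names and addresses in it are hypothetical.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message for this example. It is not the RoundPress
# payload; it only exhibits the kinds of HTML-mail content that a webmail
# filter has to neutralize before the message is rendered in its origin.
SAMPLE_EML = """\
From: news@example.invalid
To: analyst@example.invalid
Subject: Daily briefing
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the full story</p>
<img src="x" onerror="document.title">
<a href="javascript:void(0)">Open</a>
<script>/* would execute as the mailbox owner if not stripped */</script>
</body></html>
"""


class ActiveContentFinder(HTMLParser):
    """Records elements and attributes that let HTML mail run script in the webmail origin."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> event handler {name}")
            elif name in ("href", "src") and value and re.match(r"\s*javascript:", value, re.I):
                self.findings.append(f"<{tag}> {name} uses javascript: URL")


def scan_message(raw: str) -> list[str]:
    """Return active-content findings across every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        findings.extend(finder.findings)
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print("active content:", finding)
```

A message with no findings is not proof of safety; the point is that a mail body should never reach the browser with any of these constructs intact.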

Fancy Bear is a Russian cyber espionage group known by many other names, including Sednit, APT28, Pawn Storm, Forest Blizzard and Sofacy Group. The group has been active since 2004 and is believed to be affiliated with the Russian military intelligence agency (GRU). In 2018, an indictment by the US Special Counsel identified Fancy Bear as GRU Unit 26165.

The group has a long history of involvement in high-profile hacking incidents, including the Democratic National Committee (DNC) hack just before the 2016 US elections and the hacking of the global television network TV5Monde. The group is also presumed to be behind the World Anti-Doping Agency (WADA) email leak, among many other incidents.
