ESET Research Uncovers Operation RoundPress: Russia-Aligned Sednit Targets Entities Linked to the Ukraine War to Steal Confidential Data
May 20, 2025 - ESET researchers have uncovered a sophisticated espionage operation dubbed Operation RoundPress. The operation, which is believed to be aligned with Russian interests, targets webmail servers via cross-site scripting (XSS) vulnerabilities. Behind it is most likely the notorious Russia-aligned Sednit cyberespionage group, also known as Fancy Bear or APT28.
The primary objective of Operation RoundPress is to steal confidential data from specific email accounts belonging to entities linked to the ongoing Ukraine war. The targets include Ukrainian governmental entities, defense companies in Bulgaria and Romania, and African, EU, and South American governments. Some of these defense companies are producing Soviet-era weapons to be sent to Ukraine, which adds a layer of complexity to this already sensitive conflict.
The Sednit Group: A History of Notorious Cyberespionage
Sednit has been operating since at least 2004, making it one of the oldest and most notorious cyberespionage groups in history. The group has been linked to numerous high-profile incidents, including the hacking of the Democratic National Committee (DNC) just before the 2016 U.S. elections and the infamous TV5Monde hack, and has been tied to Russia's military intelligence service, the GRU.
Operation RoundPress: A Step-by-Step Guide
Sednit sends XSS exploits via email. When the vulnerable webmail client renders the message, the malicious JavaScript executes in the context of the webmail client's own web page in the browser, so it runs with the target's logged-in session. Only data accessible from the target's account can be read and exfiltrated. For this to work, the target must be convinced to open the email message in the vulnerable webmail portal.
The email must bypass spam filtering and carry a convincing subject line that entices the target to read the message. The attackers build their spearphishing emails around the names and headlines of well-known news outlets such as Kyiv Post or News.bg, with subjects such as "SBU arrested a banker who worked for enemy military intelligence in Kharkiv" and "Putin seeks Trump's acceptance of Russian conditions in bilateral relations."
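The weak point described above is the step where a webmail client inserts an untrusted message body into its own page. The following added example (written for this page; it is not ESET's code and not the sanitizer of any webmail product) shows the defensive pattern that step requires: an allowlist-based HTML sanitizer that strips script elements, inline event handlers, and unsafe URL schemes before rendering, and reports what it removed so a mail gateway or webmail server can log or alert on it. The tag and attribute allowlists and the sample message body are constructed assumptions for the demonstration.

```python
"""Allowlist HTML sanitizer for untrusted email bodies rendered inside a webmail page.

Added example, not code from ESET or from any webmail product. It models the
server-side sanitization that must happen before a message body is inserted into
the webmail client's own page, the step an XSS-bearing email abuses.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlists (assumptions for this example, not a product's policy).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "img", "table", "tr", "td", "th", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan"}, "th": {"colspan"}}
URL_ATTRS = {"href", "src"}
# Relative URLs are rejected too: in a webmail page they resolve against the
# webmail origin, which is exactly the context an attacker wants to reach.
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")
# Elements whose text content is dropped entirely, not just their tags.
DROP_CONTENT_TAGS = {"script", "style", "noscript", "template"}
VOID_TAGS = {"br", "img"}


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []      # what was stripped, for logging / alerting
        self._drop_depth = 0    # > 0 while inside script/style/... content
        self._open = []         # stack of emitted tags, closed on exit

    @staticmethod
    def _safe_url(value):
        # Remove whitespace/NULs first so "java\tscript:" does not slip past.
        compact = "".join(ch for ch in value.lower() if not ch.isspace() and ch != "\x00")
        return compact.startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            self.findings.append(f"dropped <{tag}> element and its content")
            return
        if self._drop_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped disallowed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"dropped event handler {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # style, class, id, etc. are silently dropped
            if name in URL_ATTRS and not self._safe_url(value):
                self.findings.append(f"dropped unsafe {name} on <{tag}>: {value[:40]!r}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self._open:
            while self._open:  # close up to and including the matching tag
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they are a classic place to smuggle markup

    def result(self):
        while self._open:  # close anything the message left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_email_html(body):
    """Return (safe_html, findings); findings is non-empty if active content was removed."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result(), parser.findings


# Constructed sample body (not a real RoundPress artifact): a plausible newsletter
# carrying the three things a webmail sanitizer must never let through.
SAMPLE_BODY = (
    '<p>Hello, <b>reader</b>.</p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(2)">'
    '<a href="javascript:alert(3)">read more</a>'
    '<a href="https://example.org/story">real link</a>'
)

if __name__ == "__main__":
    safe, findings = sanitize_email_html(SAMPLE_BODY)
    print(safe)
    for f in findings:
        print("ALERT:", f)
```

The `findings` list is the detection hook: a message whose body needed script, event-handler, or URL-scheme stripping is worth flagging at the gateway even when the sanitizer neutralizes it, because a client that renders the raw body (an older version, a mobile app, a different webmail product) would not be protected by this step.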
The Attack Payload: SpyPress.HORDE, SpyPress.MDAEMON, and More
Sednit delivers JavaScript payloads such as SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA to its targets. These payloads can steal credentials and exfiltrate address books, contacts, login history, and email messages.
Convenience for Attackers: Exploiting Zero-Day Vulnerabilities
Zero-day vulnerabilities in webmail servers such as Roundcube and Zimbra have made these products a prime target for espionage groups like Sednit. ESET researcher Matthieu Faou notes that many organizations do not keep their webmail servers up to date, leaving them exposed to remote exploitation by nothing more than a received email.
A Call to Action: Protecting Against Operation RoundPress
ESET urges individuals and organizations to take immediate action to protect themselves against this operation: regularly update webmail server software, use strong passwords, and enable two-factor authentication to minimize the risk posed by Sednit's sophisticated attack payloads.
Stay Informed with ESET
ESET is committed to providing cutting-edge digital security solutions and threat intelligence to keep users safe. Follow our latest news on Twitter (now known as X), BlueSky, and Mastodon for the latest updates on Operation RoundPress and other emerging threats.
Learn More About ESET's Advanced Persistent Threat Report
ESET has released its latest advanced persistent threat (APT) report, providing in-depth analysis of Russian APT groups' intensified attacks against Ukraine and the EU. Visit our website for more information and stay ahead of the threats.