A cyber espionage campaign linked to threat actors aligned with Belarus and Russia has targeted over 80 organizations, primarily located in Georgia, Poland, and Ukraine. The campaign likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to gain unauthorized access.
Recorded Future attributed the campaign to a threat actor known as Winter Vivern, also identified as TA473 and UAC0114, and tracked it as Threat Activity Group 70 (TAG-70). Winter Vivern has been active since at least December 2020 and has previously exploited vulnerabilities in Zimbra Collaboration email software.
The recent campaign, occurring from early to mid-October 2023, aimed to collect intelligence on European political and military activities. The attack methods employed by TAG-70 combined social engineering techniques with exploitation of Roundcube webmail server vulnerabilities to bypass the defenses of government and military organizations.
The attackers leveraged Roundcube flaws to deliver JavaScript payloads designed to exfiltrate user credentials to a command-and-control (C2) server. Recorded Future noted that TAG-70 also targeted Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden.
The targeting of Iranian embassies suggests an interest in assessing Iran’s diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects an interest in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.
The campaign underscores the ongoing threat posed by sophisticated cyber actors and the importance of implementing robust cybersecurity measures. Organizations are advised to patch vulnerabilities promptly and remain vigilant against social engineering attacks and exploitation of software flaws.