Image: Bing Image Creator
A threat group tracked as APT28 and linked to the Main Intelligence Directorate of the Russian General Staff (GRU) hacked Roundcube email servers belonging to several Ukrainian organizations, including government entities.
In these attacks, the cyber espionage group (also known as BlueDelta, Fancy Bear, Sednit and Sofacy) exploited information about the ongoing conflict between Russia and Ukraine to trick recipients into opening emails malware that would exploit Roundcube Webmail vulnerabilities to hack servers.
After hacking into email servers, Russian military intelligence hackers deployed malicious scripts that redirected incoming emails from targeted individuals to an email address under the attackers’ control.
These scripts were also used for reconnaissance and to steal victims’ Roundcube address book, session cookies, and other information stored in Roundcube’s database.
Based on evidence gathered during the investigation, the campaign’s goal was to harvest and steal military intelligence to support Russia’s invasion of Ukraine, according to a joint investigation by the team Ukrainian Computer Emergency Response (AU-CERT) and Recorded Future’s Threat Research Division Insikt Group.
It is also estimated that the infrastructure used by the APT28 military hackers in these attacks has been operational since around November 2021.
“We have identified BlueDelta activity most likely targeting a regional Ukrainian prosecutor’s office and central Ukrainian executive authority, as well as reconnaissance activity involving other Ukrainian government entities and an organization involved in upgrading and renovating the infrastructure of Ukrainian military aircraft,” the Insikt group said. said.
“BlueDelta phishing campaign analyzed exploits vulnerabilities CVE-2020-35730, CVE-2020-12641And CVE-2021-44026 in the Roundcube open-source webmail software to run multiple reconnaissance and exfiltration scripts.”
Overlap with previous cyber espionage campaigns
Notably, Recorded Future claims that this campaign overlaps with previous APT28-related attacks when they exploited a critical ground zero of Microsoft Outlook vulnerability (CVE-2023-23397) to target European organizations in attacks that also do not require user interaction.
They used the zero-day bug to steal credentials that helped move laterally through victims’ networks and to modify Outlook mailbox folder permissions to exfiltrate emails for specific accounts .
In the Outlook campaign, GRU hackers breached the networks of approximately 15 government, military, energy and transportation organizations between mid-April and December 2022.
Google’s Threat Analysis Group also recently revealed that approximately 60% of all phishing emails targeting Ukraine in the first quarter of 2023 were sent by Russian attackers, with the APT28 hacking group being one of the main contributors to this malicious activity.
In April 2023, US and UK intelligence services warned of APT28 attacks exploiting a zero-day flaw in Cisco routers to deploy a jaguar tooth Malware that helps harvest intelligence on US and EU based targets.
APT28 is also known for its involvement in a 2015 hack of the German Federal Parliament (Deutscher Bundestag) and attacks on the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016 (for which they were accused by the United States two years later).
The Council of the European Union sanctioned APT28 members in October 2020 for their involvement in the hacking of the Deutscher Bundestag in 2015.