May 15, 2025

Russian APT28 hackers leverage webmail zero-day


Hackers belonging to Russia’s Main Intelligence Directorate (GRU), known as APT28, Fancy Bear and Sednit, have been implicated in a series of attacks targeting webmail servers through cross-site scripting (XSS) vulnerabilities. Dubbed "Operation RoundPress", the campaign began in 2023 and primarily aims to extract sensitive information from specific email accounts.

APT28 exploited known vulnerabilities in webmail platforms like Roundcube, Horde, and Zimbra. However, a significant aspect of this operation was the use of a previously unknown zero-day vulnerability in the MDaemon email server, designated CVE-2024-11182. This flaw, which was patched in November 2024, allowed attackers to execute arbitrary JavaScript code within the context of the webmail interface, facilitating unauthorized data access.


The attack vector involved sending specially crafted emails containing malicious HTML code. When recipients opened these emails in a vulnerable webmail client, the embedded JavaScript—referred to as "SpyPress"—would execute, enabling the attackers to harvest credentials, emails, and contact information. Notably, the malicious code was concealed within the email's HTML, making it invisible to the user and difficult to detect.
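As an added example (not from the original article, from Field Effect, or from the researchers who reported the campaign), the following Python script is a defender-side triage check that a mail administrator could run over stored messages to flag the active-content constructs an email-borne webmail XSS depends on. The indicator names, thresholds and the sample message are constructed for this illustration.

```python
import email
import re
from email import policy

# HTML constructs an email-borne XSS payload needs in order to run in a
# webmail client: inline scripts, event-handler attributes, javascript: URLs,
# plus a hint that content is hidden from the reader. Names are assumptions.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I),
    "hidden_block": re.compile(r"display\s*:\s*none", re.I),
}

def html_parts(raw_message: bytes):
    """Yield the decoded text/html bodies of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def triage_message(raw_message: bytes) -> dict:
    """Count each indicator across all HTML parts of one message."""
    hits = {name: 0 for name in INDICATORS}
    for body in html_parts(raw_message):
        for name, pattern in INDICATORS.items():
            hits[name] += len(pattern.findall(body))
    return hits

def is_suspicious(raw_message: bytes) -> bool:
    """True when the message carries active content a webmail client could execute."""
    hits = triage_message(raw_message)
    return any(hits[k] for k in ("script_tag", "event_handler", "javascript_uri"))

# Constructed sample: a synthetic HTML email whose body hides an element with an
# event-handler attribute (an inert placeholder handler, not a real payload).
SAMPLE_EMAIL = b"""From: sender@example.invalid
To: target@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached notes.</p>
<div style="display:none"><img src="x" onerror="void(0)"></div>
</body></html>
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_EMAIL), is_suspicious(SAMPLE_EMAIL))
```

Run over an exported mailbox, the counts give a quick hunt list of messages worth inspecting for the technique described above; the `hidden_block` count alone is not treated as suspicious because legitimate newsletters hide content too.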

Targets of Operation RoundPress included Ukrainian government agencies and defense firms in Bulgaria and Romania, some of which are involved in producing Soviet-era weaponry for Ukraine. Other affected organizations spanned various sectors in countries like Greece, Cameroon, Ecuador, Serbia, and Cyprus. The selection of targets suggests a strategic intent to gather intelligence related to geopolitical and defense matters.

Source: The Hacker News

Analysis

The compromise of Ukrainian government agencies and defense firms in Bulgaria and Romania would likely yield valuable intelligence for the GRU, currently tasked with supporting Russia’s invasion of Ukraine.

APT28 has a long history of exploiting vulnerabilities in the Roundcube webmail platform to conduct cyber-espionage campaigns. Dating back to at least 2020, the group has leveraged both known and zero-day flaws in Roundcube to gain access to email accounts belonging to government agencies, defense contractors, and other high-value targets, particularly in Eastern Europe and the Middle East. These attacks typically involve sending crafted emails containing malicious HTML or JavaScript, which execute in the victim's browser when the message is viewed, enabling credential theft, session hijacking, or full inbox access. APT28’s repeated use of Roundcube exploits demonstrates the group’s preference for stealthy, server-side email compromises that avoid endpoint detection and provide long-term access to sensitive communications.

APT28’s persistent success in targeting email servers largely stems from organizations failing to apply security patches in a timely manner. Most of the vulnerabilities exploited in these campaigns—including those affecting platforms like Roundcube, Horde, and Zimbra—were publicly disclosed and patched before the attacks occurred. If administrators had promptly applied available updates, APT28’s ability to silently compromise webmail accounts via malicious emails would have been significantly reduced or even eliminated.

While the MDaemon zero-day (CVE-2024-11182) is an exception, representing a genuine blind spot in defenses, the broader pattern reveals that many of APT28’s tactics rely on well-known, preventable weaknesses. This underscores the critical importance of maintaining a disciplined patch management program to reduce exposure to state-sponsored threats.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats stemming from sophisticated threat actors like APT28. Field Effect MDR users are automatically notified if threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends that governments and organizations in Ukraine, and those supporting Ukraine, adopt a heightened cybersecurity posture given the threat posed by Russian state-sponsored cyber actors. We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Shields Up program, which provides robust guidance for preparing for, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.
