The APT28 threat group, linked to Russia’s GRU, has successfully breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities. Exploiting the ongoing conflict between Russia and Ukraine, APT28 tricked recipients into opening malicious emails that exploited vulnerabilities in Roundcube Webmail, allowing them to hack into unpatched servers. Once inside, the hackers deployed malicious scripts to redirect incoming emails to an address under their control and conducted reconnaissance, stealing the victims’ Roundcube address book, session cookies, and other stored information. The joint investigation by Ukraine’s CERT-UA and Recorded Future’s Insikt Group suggests the campaign’s objective was to harvest military intelligence in support of Russia’s invasion of Ukraine.
The APT28 campaign targeting Roundcube servers is estimated to have been operational since November 2021. Recorded Future identifies specific targets, including a regional Ukrainian prosecutor’s office, a central Ukrainian executive authority, Ukrainian government entities, and an organization involved in upgrading and refurbishing Ukrainian military aircraft infrastructure. The campaign leverages vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run reconnaissance and exfiltration scripts. This incident overlaps with previous APT28 attacks, including exploiting a critical Microsoft Outlook zero-day vulnerability to target European organizations. In that campaign, the GRU hackers breached the networks of government, military, energy, and transportation organizations.
Recent findings by Google’s Threat Analysis Group reveal that around 60% of phishing emails targeting Ukraine in Q1 2023 were sent by Russian attackers, with APT28 being a major contributor. In April 2023, U.S. and U.K. intelligence services warned of APT28 attacks exploiting a zero-day flaw in Cisco routers to deploy Jaguar Tooth malware. APT28 is notorious for its involvement in the 2015 hack of the German Federal Parliament, attacks on the Democratic Congressional Campaign Committee and Democratic National Committee in 2016, and faced sanctions by the Council of the European Union in October 2020 for the 2015 Bundestag hack.
