A recent report by Recorded Future has revealed a sophisticated cyber espionage campaign attributed to threat actors with ties to Belarus and Russia. This operation has reportedly taken advantage of cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers, targeting over 80 organizations predominantly based in Georgia, Poland, and Ukraine.

The hacking group, identified as Winter Vivern—also known as TA473 and UAC0114—is being monitored under the designation Threat Activity Group 70 (TAG-70). Recorded Future has linked this group to a series of intrusions aimed at gathering intelligence related to European political and military activities. The group’s history of activity stretches back to at least December 2020 and includes previous exploits against Zimbra Collaboration email software to gain access to organizations in Moldova and Tunisia.

Earlier this month, evidence emerged indicating that Winter Vivern had continued to exploit Roundcube vulnerabilities, as previously noted by ESET in October 2023. This troubling trend aligns with the tactics of several other Russian-affiliated hacking groups, such as APT28, APT29, and Sandworm, all of which have been known to target email systems.

The campaign, which began in early October and persisted until mid-month, appears designed not only to infiltrate but also to assess geopolitical dynamics. Recorded Future reported that TAG-70’s activities extended to Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden, suggesting a deep interest in monitoring diplomatic engagements and geopolitical maneuvers.

TAG-70 has demonstrated a notable level of sophistication in its methods. The group combined social engineering with exploitation of XSS vulnerabilities in Roundcube webmail servers, allowing it to bypass security measures put in place by government and military organizations. In MITRE ATT&CK terms, this points to techniques in the areas of initial access, persistence, and exploitation of vulnerabilities.

In the observed attack chains, the adversary is believed to have used JavaScript payloads to exfiltrate user credentials to a command-and-control (C2) server, compromising sensitive information while remaining stealthy. The overlap between this campaign and earlier TAG-70 incursions targeting Uzbekistan indicates a pattern of espionage directed toward regions of strategic importance.
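As an added defender-side example (not code from the report, Recorded Future, or the Roundcube project), the following check walks the HTML body of a stored email and flags the active content a webmail XSS payload would need to run, along with the external hosts such script could contact; it assumes the payload arrives inside message HTML, which the report does not state, and the sample bodies and hostnames are constructed.

```python
"""Triage HTML email bodies for active content of the kind a webmail XSS
payload rides in: <script>-like tags, inline on* handlers, javascript: URLs,
plus the external hosts referenced (candidates for C2 review)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}


class ActiveContentScanner(HTMLParser):
    """Collects findings while walking one HTML body.
    html.parser lowercases attribute names and unescapes attribute values,
    so entity-encoded forms such as javascript&#58; are seen decoded."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, detail) tuples, in document order
        self.external_hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(("active_tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):                     # onerror, onload, ...
                self.findings.append(("inline_handler", f"{tag}@{name}"))
            elif name in URL_ATTRS:
                parsed = urlparse(value)
                if parsed.scheme.lower() == "javascript":
                    self.findings.append(("javascript_url", f"{tag}@{name}"))
                elif parsed.scheme.lower() in ("http", "https") and parsed.hostname:
                    self.external_hosts.add(parsed.hostname)


def scan_email_html(body: str) -> dict:
    """Return a triage summary for one HTML body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return {
        "suspicious": bool(scanner.findings),
        "findings": scanner.findings,
        "external_hosts": sorted(scanner.external_hosts),
    }


# Constructed sample bodies (hypothetical hostnames, not indicators).
BENIGN = '<p>Agenda attached. <a href="https://intranet.example/agenda">link</a></p>'
SUSPECT = ('<p>Hi</p><img src="https://tracker.example/x.png" onerror="x()">'
           '<a href="javascript:void(0)">open</a>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_email_html(body))
```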

As organizations increasingly rely on email for operations, the vulnerabilities exploited by Winter Vivern underscore the necessity for robust cybersecurity measures. With threats evolving, business owners must remain vigilant in assessing their security strategies against advanced persistent threats like those posed by TAG-70 and similar entities.
