Russian APT28 hackers breach Ukrainian govt email servers

Image: Bing Image Creator

A threat group tracked as APT28 and linked to Russia's General Staff Main Intelligence Directorate (GRU) has breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities.

In these attacks, the cyber-espionage group (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers.

After breaching the email servers, the Russian military intelligence hackers deployed malicious scripts that redirected the incoming emails of targeted individuals to an email address under the attackers' control.

These scripts were also used for reconnaissance and to steal the victims' Roundcube address book, session cookies, and other information stored within Roundcube's database.

Based on evidence collected during the investigation, the campaign's objective was to harvest and steal military intelligence to support Russia's invasion of Ukraine, according to a joint investigation conducted by Ukraine's Computer Emergency Response Team (CERT-UA) and Recorded Future's threat research division Insikt Group.

It is also estimated that the infrastructure employed by APT28 military hackers in these attacks has been operational since roughly November 2021.

"We identified BlueDelta activity highly likely targeting a regional Ukrainian prosecutor's office and a central Ukrainian executive authority, as well as reconnaissance activity involving additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment," the Insikt Group said.

"The analyzed BlueDelta phishing campaign exploits the vulnerabilities CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026 in the open-source webmail software Roundcube in order to run multiple reconnaissance and exfiltration scripts."

Overlap with previous cyber-espionage campaigns

Notably, Recorded Future says this campaign overlaps with previous attacks linked to APT28 when they exploited a critical Microsoft Outlook zero-day vulnerability (CVE-2023-23397) to target European organizations in attacks that also didn't require user interaction.

They used the zero-day bug to steal credentials that helped move laterally within the victims' networks and to change Outlook mailbox folder permissions to exfiltrate emails for specific accounts.

In the Outlook campaign, the GRU hackers breached the networks of around 15 government, military, energy, and transportation organizations between mid-April and December 2022.

Google's Threat Analysis Group also recently revealed that roughly 60% of all phishing emails targeting Ukraine in the first quarter of 2023 were sent by Russian attackers, with the APT28 hacking group one of the major contributors to this malicious activity.

In April 2023, the U.S. and U.K. intelligence services warned about APT28 attacks exploiting a zero-day flaw in Cisco routers to deploy a Jaguar Tooth malware that helps harvest intelligence from U.S. and EU-based targets.

APT28 is also known for its involvement in a 2015 hack of the German Federal Parliament (Deutscher Bundestag) and attacks on the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016 (for which they were charged by the US two years later).

The Council of the European Union sanctioned APT28 members in October 2020 for their involvement in the 2015 hack of the Deutscher Bundestag.