Russian APT Group Caught Hacking Roundcube Email Servers

A prolific APT group linked to the Russian government has been caught exploiting security flaws in the open-source Roundcube webmail software to spy on organizations in Ukraine, including government institutions and military entities involved in aircraft infrastructure.

According to an advisory [PDF] from threat intelligence firm Recorded Future, the Roundcube server infections are being used to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books.

Recorded Future teamed up with Ukraine’s Computer Emergency Response Team (CERT-UA) to document the activity, which is being attributed to Russia’s GRU military spy unit.

“The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails with attachments, which immediately compromised vulnerable Roundcube servers without engaging with the attachment,” Recorded Future explained.

The company said the attachment contained JavaScript code that executed additional JavaScript payloads from the hacking team’s infrastructure. “The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources,” Recorded Future said.

The GRU-linked group, which has been operational since at least November 2021, has been blamed for previous use of zero-day flaws in Microsoft’s flagship Outlook software. According to public documentation, the group is focused on digital spying on entities in Ukraine and across Europe, primarily among government and military/defense organizations.  

Recorded Future released IOCs and technical artifacts from the latest discovery to help defenders and recommended that organizations configure intrusion detection systems (IDS), intrusion prevention systems (IPS) or  network defense mechanisms to pinpoint malicious activity from malicious domains.


The company is also recommending that organizations implement measures to disable HTML and/or JavaScript within email attachments, and filter incoming email traffic using anti-spoofing and authentication mechanisms (such as SPF or DKIM) that check the validity of the sender’s records. 

Leave a Reply

Your email address will not be published. Required fields are marked *