New Russian cyber-espionage campaign targeting Europe’s webmail servers

Researchers are warning about a new cyber-espionage campaign against Roundcube webmail servers in Europe conducted by a Russian-linked threat actor with a “long-term strategic interest in gathering intelligence.” The main targets are government, military, and national infrastructure-related entities.

Over 80 organizations have been targeted during a new campaign by TAG-70, a threat actor with links to Russia and Belarus, Recorded Future’s Insikt Group has found.

TAG-70’s activities overlap with those reported under the aliases Winter Vivern, TA473, and UAC-0114.

Most of the affected servers were in Ukraine (30.9%), followed by Georgia (13.6%) and Poland (12.3%). Some targets were observed in Belgium, France, the Czech Republic, Germany, the UK, and other countries.

The Russian-linked actor aims to collect intelligence on European political and military activities, especially related to war efforts in Ukraine.

“The group likely conducts cyber-espionage campaigns to serve the interests of Belarus and Russia and has been active since at least December 2020, primarily targeting governments in Europe and Central Asia,” said Recorded Future.

The latest campaign targeting Roundcube webmail servers started at the beginning of October 2023. TAG-70 has demonstrated “a high level of sophistication in its attack methods,” which include social engineering techniques and exploiting of cross-site scripting (XSS) vulnerabilities, allowing it to bypass defenses and gain unauthorized access.

Researchers warn that the campaign has had a significant impact. The compromised email servers may expose sensitive information regarding Ukraine’s defense effort and planning, relationships or negations with partner countries, and affect third parties cooperating with the Ukrainian government privately.

The group’s activity suggests a long-term strategic interest in gathering intelligence regarding the war in Ukraine and the evolving foreign policies of regional powers.

“Belarus and Russia-aligned cyber-espionage groups will almost certainly continue, if not expand, targeting webmail software platforms, including Roundcube, while the conflict in Ukraine continues and while tensions with the EU and NATO remain high,” researchers warn.

Iran was also targeted

Iran’s embassies in Russia and the Netherlands were also targeted by TAG-70, “which is notable given Iran’s support” of Russia, Insikt Group detected.

“The targeting of the Iranian embassies in Russia and the Netherlands may be linked to a desire to assess Iran's current diplomatic activities and foreign policy, especially as Russia continues to rely on Iran-provided weapons in Ukraine,” the report reads.

How does the attack work?

TAG-70's latest campaign attack flow usually starts as a spearphishing email with the goal of delivering JavaScript payloads. Attackers exploit the Roundcube vulnerability (CVE-2023-5631), which allows XSS to load JS code in the context of the user’s browser window.

Malicious code logs the user out of Roundcube and presents them with a new sign-in window.


“When the victim submits their credentials, their account name, username, and password are sent to the command-and-control server, and they are then logged into Roundcube.”

Safety recommendations by the researchers include strengthening email security measures with MFA, encryption, secure email gateways, conducting regular security audits and employee awareness training, and implementing network segmentation, among other measures.