A joint investigation conducted by Ukraine’s Response Team and researchers has revealed that the Russia-linked APT28 group, also known as Fancy Bear, hacked into Roundcube email servers belonging to multiple Ukrainian organizations. APT28 has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group has also been involved in earlier attacks, including those targeting the 2016 U.S. presidential election.
APT28 operates under military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). Their campaigns primarily involve spear-phishing and malware-based attacks. In the recent campaign, the threat actors used news about the ongoing conflict between Russia and Ukraine as bait. They sent crafted emails to the target organizations, exploiting vulnerabilities in Roundcube Webmail (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to gain unauthorized access to vulnerable servers.
The hackers deployed scripts to redirect incoming emails to an email address under their control and exploited an SQL injection issue (CVE-2021-44026) to steal Roundcube data. One of the scripts, “c.js,” contained an exploit for the CVE-2020-12641 vulnerability. The campaign targeted more than 40 Ukrainian organizations, including government entities.
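The observable artifact a defender can hunt for after an intrusion like this is a mail-forwarding rule pointing at an address outside the organization. As an added example (not code from the investigation or the page), and assuming the redirection was implemented as a Sieve filter rule, which the page does not specify, the script below flags Sieve `redirect` actions whose target domain is not trusted; the sample scripts, user names and domains are constructed:

```python
import re
from dataclasses import dataclass

# Constructed sample Sieve scripts keyed by mailbox user. In a real check you
# would read each user's active script from the Sieve/managesieve store.
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "invoice" { fileinto "Finance"; }\n',
    "bob": 'require ["copy"];\nredirect :copy "collector@example-external.invalid";\n',
    "carol": 'redirect "carol.backup@corp.example";\n',
}

# Domains the organization owns; redirects elsewhere are suspicious (constructed).
TRUSTED_DOMAINS = {"corp.example"}

# Matches a redirect action. The optional :copy tag forwards the message while
# leaving a copy in the mailbox, so the victim notices nothing missing.
REDIRECT_RE = re.compile(
    r'\bredirect\b(?P<copy>\s+:copy)?\s+"(?P<addr>[^"]+)"', re.IGNORECASE
)


@dataclass
class Finding:
    user: str
    address: str
    silent_copy: bool  # True when the rule used :copy


def find_external_redirects(scripts, trusted_domains):
    """Return one Finding per redirect whose target domain is not trusted."""
    findings = []
    for user, script in scripts.items():
        for m in REDIRECT_RE.finditer(script):
            addr = m.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in trusted_domains:
                findings.append(Finding(user, addr, m.group("copy") is not None))
    return findings


if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_SCRIPTS, TRUSTED_DOMAINS):
        print(f"{f.user}: redirect to {f.address} (silent copy: {f.silent_copy})")
```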
Researchers believe that this campaign, tracked as BlueDelta activity, has been active since November 2021. It is likely intended to support Russia’s invasion of Ukraine by gathering military intelligence. The campaign overlaps with previous APT28 attacks that exploited a Microsoft Outlook zero-day vulnerability (CVE-2023-23397) and targeted European organizations.
This incident highlights the ongoing threat posed by APT28 and their persistent targeting of organizations, particularly in the context of geopolitical conflicts. It emphasizes the importance of robust cybersecurity measures, including regular patching, employee education on phishing techniques, and proactive monitoring for potential threats. Organizations within Ukraine and other targeted regions should remain vigilant and collaborate with cybersecurity experts to enhance their defenses against APT28 and similar threat actors.
In April 2023, intelligence services from the United States and the United Kingdom issued warnings regarding APT28’s exploitation of a zero-day vulnerability in Cisco routers. The purpose of these attacks was to deploy the Jaguar Tooth malware, which facilitated the collection of intelligence from targets based in the United States and European Union.
The APT28 group gained notoriety for its role in the high-profile 2015 cyberattack on the German Federal Parliament (Deutscher Bundestag), as well as its involvement in the hacking incidents targeting the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) during the 2016 U.S. elections. The United States officially charged APT28 members in relation to these activities two years later.
Recognizing the severity of APT28’s actions, the Council of the European Union imposed sanctions on individuals associated with the group in October 2020, specifically in response to their participation in the 2015 breach of the Deutscher Bundestag.
These incidents highlight the persistent and wide-ranging cyber threats posed by APT28. They underscore the importance of robust cybersecurity measures and international cooperation in combating such state-sponsored threat actors. Governments, organizations, and individuals should remain vigilant and take proactive steps to protect their systems and sensitive information from APT28 and similar adversaries.