The cyberthreat group known as Fancy Bear and Sednit, among a litany of other names, has been active for over 20 years. In that time, the group is believed to have been responsible for a number of high-profile hacking operations, including the 2016 hacking of the Democratic National Committee, the World Anti-Doping Agency email leak attack, and the TV5Monde hack.
Recently, ESET researchers released information on a long-term campaign, dubbed Operation Roundpress. The Russia-aligned threat group is said to be behind a spate of attacks leveraging XSS vulnerabilities to target high-value webmail servers. The goal of the campaign is believed to be the theft of confidential data from certain email accounts.
Target Profile and Geopolitical Context
According to ESET’s research and analysis, the primary targets of Operation Roundpress have been “related to the current war in Ukraine.” The campaign has targeted Ukrainian government organizations along with Bulgarian and Romanian defense companies. These defense firms are likely in the crosshairs of the attacks due to supplying arms to Ukraine, making them critical players in the ongoing conflict. The operation has also expanded into African, EU, and South American governmental entities. Some of the other affected countries include Greece, Cameroon, and Ecuador.
Attack Methodology
Operation Roundpress is being carried out through spearphishing and the exploitation of vulnerabilities. Fancy Bear has been seen leveraging a number of known and zero-day XSS vulnerabilities in the past few years, targeting webmail software including Roundcube, Horde, MDaemon, and Zimbra. The group takes advantage of these flaws by delivering the exploits in email messages. The target only needs to open the message within the vulnerable webmail portal; doing so triggers a malicious script that collects sensitive data accessible to the target’s email account.
Some of the specific vulnerabilities exploited by the threat group include:
- Horde: It is unclear which precise vulnerability is being exploited, but ESET’s analysis shows it to be an XSS flaw fixed in Xss.php in Horde Webmail 1.0 (released in 2007).
- MDaemon: The flaw was a zero-day XSS vulnerability in the MDaemon server, later assigned CVE-2024-11182, exploiting a bug in the HTML parser.
- Roundcube: Fancy Bear has been seen exploiting CVE-2020-35730 in 2023 and CVE-2023-43770 in 2024. The latter flaw enables the use of hyperlink text to execute JavaScript code.
- Zimbra: The group uses CVE-2024-27443, which takes advantage of an unsanitized attribute to add malicious code to the Zimbra HTML page.
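The four entries above describe one shared defensive requirement: anything a webmail client renders from an incoming message must be reduced to an allow-list before it reaches the user’s browser, because an event-handler attribute, a hyperlink whose target is a script URL, or an inline script element is enough to run attacker-controlled JavaScript with the session of whoever opens the mail. The sanitizer below is an added example written for this article, not code from ESET or from the Roundcube, Horde, MDaemon or Zimbra projects; the tag and attribute allow-lists, the `EmailHtmlSanitizer` and `sanitize_email_html` names and the sample message are constructed for illustration. It also records what it removed, which is the signal a mail-security team would want to alert on.

```python
"""Allow-list sanitizer for HTML email bodies (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: a deliberately small allow-list. Anything not listed is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no style, no on* handlers anywhere
SAFE_SCHEMES = {"http", "https", "mailto"}         # no javascript:, data:, vbscript:
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def _safe_url(value):
    """True only for http(s)/mailto links. Control characters are stripped before the
    scheme check because browsers ignore them when parsing a scheme."""
    if value is None:
        return False
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined at the end
        self.skip_depth = 0    # >0 while inside an element whose content is dropped
        self.dropped = []      # audit trail of (kind, detail) for detection/logging

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:                       # inside <script>/<iframe>/...: drop everything
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:              # drop the element and its content
            self.skip_depth += 1
            self.dropped.append(("tag", tag))
            return
        if tag not in ALLOWED_TAGS:               # e.g. <img onerror=...>: drop tag, keep text
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}@{name}"))   # unsanitized-attribute case
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append(("href", value))              # script-in-hyperlink case
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-encoded


def sanitize_email_html(raw_html):
    """Return (sanitized_html, dropped_items) for one message body."""
    s = EmailHtmlSanitizer()
    s.feed(raw_html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample message exercising each flaw class named in the article.
SAMPLE_EMAIL_HTML = (
    '<p>Quarterly report attached. <b>Please review</b>.</p>'
    '<a href="https://example.invalid/report">Open report</a> '
    '<a href="JavaScript:alert(1)">Open dashboard</a> '
    '<img src="x" onerror="alert(1)">'
    '<span onmouseover="alert(1)">hover</span>'
    '<script>alert(1)</script>'
    '<p style="background:url(javascript:alert(1))">Regards</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_EMAIL_HTML)
    print(clean)
    for kind, detail in dropped:
        print(f"dropped {kind}: {detail}")
```

The design choice worth noting is that the sanitizer never tries to recognise “bad” markup; it only emits what the allow-list permits and re-encodes all text, so a parser quirk of the kind behind the MDaemon and Zimbra flaws cannot smuggle an attribute through. The `dropped` list is the detection hook: a message body that loses a `script` element or a `javascript:` href is worth a security-operations alert, not just silent cleaning.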
Implications for Cybersecurity
Operation Roundpress has far-reaching implications for cybersecurity across all sectors. Browser-based attacks are on the rise and pose a significant risk to many organizations and individuals. Traditional endpoint protection measures like endpoint detection and response (EDR) tools tend to fall short against these modern threats. With cybercriminals increasingly turning to AI/ML technology and automating their operations, organizations must implement effective security measures to counter advanced attacks.
Varieties of phishing are particularly insidious because of how they take advantage of the human element, often using social engineering to circumvent technology-based security tools. “Targeted employees may be focused on the ‘pinstripes’ of the email, such as the logo or colors of a legitimate site, to lure them into clicking and thus executing the malicious JavaScript code,” according to Darren Guccione, CEO and Co-Founder at Keeper Security. “Employees should be trained to always verify sender details, carefully inspect links for anything suspicious, and avoid clicking on links or attachments contained in unexpected messages, even when the message appears official.”
Zero-trust principles are essential in email environments to limit the levels of damage possible in the event that an attack is able to compromise an internal account. The principle of least privilege ensures that attackers are not able to access vast swaths of highly sensitive data by compromising one account. Cyber resilience requires not only defending against attacks but also establishing measures for incident response and damage mitigation.
Global Security Ramifications
Operation Roundpress is an example of the way that traditional warfare can be extended and supported by cyber operations. A Russian state-linked group targeting Ukrainian governmental institutions and the defense companies supplying weapons to Ukraine is a clear indication of the group’s goal of undermining war efforts through cyberattacks. Military and government institutions, defense firms, and organizations in other critical sectors are heavily reliant on IT and OT systems that are susceptible to such threats.
It is crucial to prepare a response to this kind of attack in order to protect against potentially catastrophic damage. Organizations should take steps to implement policies to protect against browser-based email attacks, including security awareness training and email hygiene. It is also crucial to ensure that security strategies are able to evolve over time to meet emerging threats. “Adapting cybersecurity strategies is an ongoing process that demands flexibility and agility,” says Guccione.
Looking Ahead
When dealing with state-sponsored cybercrime, the issue of attribution and accountability can be tricky. Investigators combine technical analysis of incidents with geopolitical context in order to judge whether attacks can be attributed to known threat actors. ESET researchers have analyzed Operation Roundpress to understand where the attacks have come from and how to mitigate the risks.
Organizations should implement defenses against spearphishing and malicious code, educate and train employees in recognizing phishing attempts and exercising good email hygiene, and invest in advanced tools to fight advanced threats. Espionage campaigns tied to geopolitical conflict may continue to rise as state-aligned threat actors look for ways to undermine the efforts of government- and military-related institutions.