In the ongoing conflict between Russia and Ukraine, cyber warfare continues to escalate, with the latest reports highlighting a sophisticated campaign known as Operation RoundPress. According to research conducted by the security firm ESET, this operation is attributed to the Russian state-backed cyber group Sednit, also known as APT28 or Fancy Bear. This group has a history of espionage dating back to 2004, including its notable involvement in the Democratic National Committee hack prior to the 2016 US elections.
Operation RoundPress is particularly concerning as it focuses on exploiting multiple cross-site scripting (XSS) vulnerabilities to target high-value webmail servers. Among the vulnerabilities exploited in this campaign are CVE-2020-35730, a well-known Roundcube flaw, as well as newer vulnerabilities identified in Roundcube, MDaemon, and Zimbra systems. The targets primarily consist of entities tied to the Ukrainian government and defense contractors in Bulgaria and Romania, many of which supply Soviet-era armaments to Ukraine.
ESET researchers explained that the campaign uses spear-phishing emails, crafted to appear credible, to deliver the XSS exploits. Once a potential victim interacts with the malicious email, attacker-controlled JavaScript executes inside their webmail client, allowing the attackers to exfiltrate sensitive mailbox data. This distinguishes Operation RoundPress from previous campaigns: it targets the webmail system itself rather than the user's endpoint.
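As an added defensive illustration, not part of ESET's report or this article: a small Python scanner that parses a raw message and flags the script-injection indicators in an HTML body that a webmail gateway or mail filter would want to surface before the body is rendered. The two sample messages, the `.invalid` domains and the indicator list are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristic indicators of script injection in an HTML mail body.
# Case-insensitive and tolerant of whitespace padding; a triage signal,
# not a parser-accurate sanitizer.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I | re.S),
    "javascript_uri": re.compile(
        r"""(?:href|src|action)\s*=\s*["']?\s*javascript\s*:""", re.I),
    "iframe_srcdoc": re.compile(r"<\s*iframe\b[^>]*\bsrcdoc\s*=", re.I | re.S),
    "svg_script": re.compile(r"<\s*svg\b[^>]*>.*?<\s*script", re.I | re.S),
}


def html_parts(msg: EmailMessage):
    """Yield the decoded text of every text/html MIME part."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_html_mail(raw: bytes) -> list[str]:
    """Return the sorted names of indicators found in any HTML part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for body in html_parts(msg):
        for name, pattern in XSS_PATTERNS.items():
            if pattern.search(body):
                hits.add(name)
    return sorted(hits)


# Constructed sample: an image tag carrying an inline event handler.
MALICIOUS_SAMPLE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the attached report.</p>
<img src="x" onerror="alert(1)"></body></html>
"""

# Constructed sample: ordinary multipart/alternative mail with no script content.
BENIGN_SAMPLE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed benign sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Meeting moved to Monday.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Meeting moved to <b>Monday</b>.</p>
<a href="https://intranet.example.invalid/agenda">Agenda</a></body></html>
--b1--
"""

if __name__ == "__main__":
    print("malicious:", scan_html_mail(MALICIOUS_SAMPLE))
    print("benign:", scan_html_mail(BENIGN_SAMPLE))
```

The findings are a triage signal for quarantine or alerting; the actual fix for the CVEs the campaign exploits is patching the affected webmail software.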
While the focus has shifted towards espionage-related activities over destructive attacks, cybersecurity experts warn that the threat remains significant. ESET’s telemetry indicates that Sednit’s efforts are primarily concentrated in Ukraine, but they also extend to European, African, and South American targets. Enhanced defenses have reportedly decreased instances of sabotage, but cybersecurity analysts assert that Russia’s long-term objectives must not be disregarded.