Full Report
ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…
Analysis Summary
# Threat Actor: Sednit (Russia-Linked)
## Attribution & Identity
* **Attribution:** Assessed as Russia-aligned.
* **Known Aliases and Groups:** Sednit is ESET's name for the group; the same actor is widely tracked as Fancy Bear.
* **Associated High-Profile Events:** Linked by the US Department of Justice to the 2016 Democratic National Committee (DNC) hack. Also linked to the attacks on TV5Monde and the World Anti-Doping Agency (WADA).
## Activity Summary
The actor is conducting espionage against Ukraine-related targets using spearphishing emails whose HTML bodies trigger cross-site scripting (XSS) flaws in the recipient's webmail client; when the message is rendered, the exploit loads the SpyPress JavaScript stealer into the victim's webmail session. ESET tracks this ongoing campaign as **RoundPress**. The activity centers on exploiting vulnerabilities in widely deployed webmail software to steal email.
## Tactics, Techniques & Procedures
* **Delivery Mechanism:** Targeted spearphishing emails that mimic news content or sensitive topics (e.g., local arrests, political figures).
* **Exploitation:** Exploits cross-site scripting (XSS) vulnerabilities in webmail platforms (Roundcube, Horde, Zimbra, MDaemon); the exploit fires when the victim views the malicious email in a vulnerable webmail client.
* **Payload:** Injects malicious JavaScript code, dubbed **SpyPress**, into the victim’s browser session via the exploited XSS vulnerability.
* **Vulnerabilities Exploited (in order observed):**
  * CVE-2020-35730 (Roundcube; exploited in 2023, years after its fix was released).
  * CVE-2023-43770 (Roundcube; patched September 14, 2023).
  * Horde (an older XSS flaw; no CVE identified).
  * CVE-2024-27443 (Zimbra; patched March 1, 2024).
  * CVE-2024-11182 (MDaemon; exploited as a zero-day and reported to the vendor on November 1, 2024).
## Targeting
* **Sectors:** Not stated explicitly in this summary; the geographic focus and the espionage objective point to **government and government-adjacent** as well as **political and media** organizations.
* **Geography:** Primary focus is **Ukraine**. One observed attack targeted a victim in **Bulgaria**.
* **Victims:** Organizations running vulnerable webmail servers (Roundcube, Zimbra, Horde, MDaemon). Observed lures include mail to Ukrainian targets sent from a `ukr[.]net` address and mail to a Bulgarian target sent from a `terembg[.]com` address.
## Tools & Infrastructure
* **Malware families used:** SpyPress (malicious JavaScript that runs in the victim's webmail session and acts as a webmail stealer).
* **Infrastructure (C2, domains, IPs):**
  * Spearphishing sender addresses observed: `katecohen1984[at]portugalmail[.]pt`, `kyivinfo24[at]ukr[.]net`, `office[at]terembg[.]com`. No C2 domains or IP addresses are given in this summary.
## Implications
Sednit remains an active and capable espionage actor with a consistent pattern of exploiting legacy or unpatched webmail software to gain persistent access to sensitive communications. Its history of targeting high-profile political organizations indicates that the primary goal is strategic intelligence collection in support of Russian state interests, particularly around current geopolitical conflicts such as the war in Ukraine.
## Mitigations
* Apply vendor patches for the webmail vulnerabilities listed above (Roundcube, Horde, Zimbra, MDaemon) without delay, and retire webmail releases that no longer receive fixes; CVE-2020-35730 was still being exploited three years after it was patched.
* Filter inbound mail for active HTML content (script tags, event-handler attributes, `javascript:` URIs) at the mail gateway, since the XSS payload arrives in the message body rather than through the login path; monitor webmail server and proxy logs for requests from webmail sessions to hosts that are not part of the deployment.
* Train users to treat unsolicited mail referencing current events or local sensitive matters (news digests, arrests, political figures) as suspect, particularly when it arrives from a free-mail or otherwise unfamiliar external address.
* Harden self-hosted webmail: sanitize HTML mail before rendering, block remote content by default, and set a restrictive Content-Security-Policy that limits what injected script can load and where it can send data.
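The exploitation chain above (a spearphishing email whose HTML executes in the webmail session) and the gateway-filtering mitigation both come down to the same question: does an inbound message carry HTML that a browser would execute? The following is an added example, not code from ESET or from the RoundPress report, of a gateway-side check that parses each `text/html` part of a message and flags script-bearing tags, event-handler attributes and `javascript:` URIs. The message is constructed for the example, and the `scan_message` function and the tag and attribute lists are this example's own choices, not signatures for SpyPress or for any of the listed CVEs.

```python
"""Flag inbound HTML mail that carries active content.

Added example for this summary; not code from ESET or from the RoundPress
report. The message below is constructed, and the checks are generic
indicators of e-mail-borne XSS (script-bearing tags, event-handler
attributes, script URIs), not signatures for SpyPress or any listed CVE.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Tags that execute or load code on their own when a webmail client renders
# the message body without sanitizing it.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base"}
# Attributes that carry URLs a browser will execute if the scheme is javascript:.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript):", re.IGNORECASE)


class ActiveContentFinder(HTMLParser):
    """Collects a finding for every piece of active content in an HTML body.

    HTMLParser lowercases tag and attribute names and decodes character
    references in attribute values, so an entity-encoded scheme such as
    ``&#106;avascript:`` is seen as ``javascript:``, the way a browser
    would interpret it.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if EVENT_HANDLER.match(name):
                self.findings.append(f"attr:{tag}@{name}")
            elif name in URL_ATTRS and value and SCRIPT_URI.match(value):
                self.findings.append(f"uri:{tag}@{name}")


def scan_message(raw: bytes) -> list[str]:
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample: a news-style lure whose HTML part carries an event
# handler and an entity-encoded javascript: link. Not a real captured message.
SAMPLE_EML = b"""\
From: News Desk <sender@example.invalid>
To: recipient@example.invalid
Subject: Constructed sample: local news digest
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Plain-text version of the digest.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>A harmless paragraph of news text.</p>
<img src="x" onerror="alert(1)">
<a href="&#106;avascript:alert(1)">read more</a>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print("quarantine:", finding)
```

Run against the constructed sample, the scan reports `attr:img@onerror` and `uri:a@href`; a message with only plain markup and `https:` links produces no findings. The check is a coarse gate, not a sanitizer: it is meant to quarantine or strip HTML at the gateway before a vulnerable webmail client ever renders it, and it complements rather than replaces patching and a Content-Security-Policy on the webmail host.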