Cybersecurity experts have identified a Russian cyber group, known as TAG-70, which has been exploiting a critical Cross-Site Scripting (XSS) flaw in Roundcube webmail servers. This group, which has connections to known threat actors Winter Vivern, TA473, and UAC-0114, has launched attacks on more than 80 organizations related to government, military, and national infrastructure, focusing on targets in Georgia, Poland, and Ukraine since October 2023.
Strategic Email Exploits
The campaign is not isolated, representing the latest in a series of email server attacks by Russian-aligned cyber groups. These groups aim to gather sensitive intelligence that could influence the ongoing conflict between Russia and Ukraine. TAG-70, in particular, has been active in the cyber-espionage arena, previously creating a fake Ukrainian Ministry of Foreign Affairs website and exploiting vulnerabilities in the Zimbra webmail portal.
Detailed Threat Operations
Their recent campaign, exploiting the XSS flaw CVE-2023-5631, allowed them to list and exfiltrate email contents from victim accounts surreptitiously. Suspected TAG-70 controlled IP addresses and domains were tracked, showing communications over TCP port 7662 and the use of Tor for administering command-and-control (C2) servers. A detailed analysis indicated the high level of sophistication and funding behind TAG-70’s operations.
In February 2023, suspicious activity involving a C2 IP address was discovered, leading to the identification of TAG-70 controlled domains communicating with victim systems. This activity also included communications with an IP address associated with the Uzbekistan Embassy in Ukraine, further illustrating the geographical scope of TAG-70’s cyber-espionage activities.
Cybersecurity responders continue to monitor and analyze TAG-70’s evolving tactics and infrastructure. As part of this ongoing surveillance, several domains and IP addresses have been identified as indicators of compromise, along with malware samples linked to the group’s campaigns.
The escalating series of cyber-attacks emphasizes the need for heightened vigilance and robust cybersecurity measures, especially among entities at risk of state-sponsored espionage.
