TAG-70's sophisticated espionage campaign targeted a range of geopolitical targets, suggesting a highly capable and well-funded state-backed threat actor.


The Russia-aligned threat group known as Winter Vivern was discovered exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe in October — and now its victims are coming to light.

The group mainly targeted government, military, and national infrastructure in Georgia, Poland, and Ukraine, according to Recorded Future's Insikt Group report on the campaign released today.

The report also highlighted additional targets, including the Embassy of Iran in Moscow, the Embassy of Iran in the Netherlands, and the Embassy of Georgia in Sweden.

Utilizing sophisticated social engineering techniques, the APT (which Insikt calls TAG-70 and which is also known as TA473 and UAC-0114) used a Roundcube zero-day exploit to gain unauthorized access to targeted mail servers across at least 80 separate organizations, ranging from the transport and education sectors to chemical and biological research organizations.

The campaign is thought to have been deployed to gather intelligence on European political and military affairs, potentially to gain strategic advantages or undermine European security and alliances, according to Insikt.

The group is suspected of conducting cyber-espionage campaigns serving the interests of Belarus and Russia, and has been active since at least December 2020.

Winter Vivern's Geopolitical Motivations for Cyber Espionage

The October campaign was linked to TAG-70's previous activity against Uzbekistan government mail servers, reported by Insikt Group in February 2023.

An obvious motivation for the Ukrainian targeting is the conflict with Russia.

"In the context of the ongoing war in Ukraine, compromised email servers may expose sensitive information regarding Ukraine's war effort and planning, its relationships, and negotiations with its partner countries as it seeks additional military and economic assistance, [which] expose third parties cooperating with the Ukrainian government privately, and reveal fissures within the coalition supporting Ukraine," the Insikt report noted.

Meanwhile, the focus on Iranian embassies in Russia and the Netherlands could be tied to a motive to evaluate Iran's ongoing diplomatic engagements and foreign policy positions, particularly considering Iran's involvement in supporting Russia in the conflict in Ukraine.

Similarly, the espionage targeting the Georgian Embassy in Sweden and the Georgian Ministry of Defense probably stems from comparable foreign policy-driven objectives, especially as Georgia has revitalized its pursuit of European Union membership and NATO accession in the aftermath of Russia's incursion into Ukraine in early 2022.

Other notable targets included organizations involved in the logistics and transportation industries, which is telling based on the context of the war in Ukraine, as robust logistics networks have proved crucial for both sides in maintaining their ability to fight.

Cyber Espionage Defense Is Difficult

Cyber-espionage campaigns have been ramping up: Earlier this month, a sophisticated Russian APT launched a targeted PowerShell attack campaign against the Ukrainian military, while another Russian APT, Turla, targeted Polish NGOs using a novel backdoor malware.

Ukraine has also launched its own cyberattacks against Russia, targeting the servers of Moscow Internet service provider M9 Telecom in January, in retaliation for the Russia-backed breach of Kyivstar mobile phone operator.

But the Insikt Group report noted that defending against attacks like these can be difficult, especially in the case of zero-day vulnerability exploitation.

However, organizations can mitigate the impact of compromise by encrypting emails and considering alternative forms of secure communications for the transmission of particularly sensitive information.

It's also crucial to ensure that all servers and software are patched and kept up to date, and users should only open emails from trusted contacts.

Organizations should also limit the amount of sensitive information stored on mail servers by practicing good hygiene and reducing data retention, and should restrict sensitive information and conversations to more secure high-side systems whenever possible.

The report also noted that responsible disclosure of vulnerabilities, particularly those exploited by APT actors such as TAG-70, is crucial for several reasons.

A threat intelligence analyst at Recorded Future's Insikt Group explained via email that this approach ensures vulnerabilities are patched and rectified quickly before others discover and abuse them, and enables containment of exploits by sophisticated attackers, preventing broader and more rapid harm.

"Ultimately, this approach addresses the immediate risks and encourages long-term improvements in global cybersecurity practices," the analyst explained.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
