Sednit group’s ‘Operation RoundPress’ targets webmail servers globally

A campaign dubbed “Operation RoundPress” with ties to the Russia-linked Sednit group has been targeting high-value webmail servers with XSS vulnerabilities. The goal: steal confidential identity data from government email accounts.

The Sednit group – also known as APT28 and Fancy Bear – made headlines for being the group that hacked the Democratic National Committee in 2016, just before the 2016 U.S. presidential election. At the time, the Justice Department linked the group to the GRU, the main intelligence directorate of the Russian Federation.

In a May 15 blog post, ESET researchers said the Operation RoundPress campaign uses spearphishing that leverages an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page. Operation RoundPress started by targeting Roundcube in 2023, but then branched out to other webmail software, including Horde, MDaemon and Zimbra.

Most of the victims to date are government agencies and defense companies in Eastern Europe, although the ESET researchers have observed governments in Africa, Europe, and South America being targeted as well.

“Considering APT28’s historical targeting patterns, it’s plausible that North American entities, especially those in government, defense, critical infrastructure sectors, could be targeted,” said Nic Adams, co-founder and CEO of 0rcus. “The group’s previous operations have included targets in the U.S. and Europe, plus the current campaign’s expansion into diverse geographical regions suggests a broadening scope. Orgs using vulnerable webmail platforms should be particularly vigilant, as hackers have demonstrated the capability to exploit both known and zero-day vulns effectively.”

Adams pointed out that Sednit employed spearphishing emails containing malicious JavaScript payloads, executing upon merely opening the email with no additional user interaction required. He said this method can let the hackers steal credentials, emails and contacts, and even bypasses two-factor authentication, all without persistent malware installation.

“The use of both zero-day and known vulnerabilities across multiple platforms, coupled with the ability to adapt payloads to specific targets, demonstrates the campaign’s sophistication and challenges it poses to threat detection and response mechanisms,” said Adams.

Stephen Kowski, field CTO at SlashNext Email Security, said attacks such as Operation RoundPress show how quickly hackers can shift targets, especially when they find weaknesses in popular email platforms. Whether using paid commercial email systems or free, self-hosted open-source options like Roundcube, Kowski said no solution is completely safe.

“Self-hosted systems often give a false sense of security because they still need regular updates and expert maintenance,” said Kowski. “The best way to stay ahead is to make sure email systems are always updated and patched, using strong protections like multi-factor authentication, and having tools that can spot and block phishing emails before they reach users.”
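Because the payloads described above run as soon as the HTML part of a message is rendered, one practical triage step for a mail administrator is to sweep stored messages for active content that a webmail client should never execute. The script below is an added illustration, not code from ESET's report or from SC Media; the patterns are generic heuristics for script tags, inline event handlers and javascript: URLs, not the specific indicators from the campaign, and the sample message is constructed.

```python
import re
from email import policy
from email.parser import BytesParser

# Heuristic patterns for active content inside an HTML mail part. A webmail
# client that renders such content unsanitized is exposed to stored XSS of the
# kind described in the article. These are generic checks, not ESET's IoCs.
ACTIVE_CONTENT = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    # Matches attributes such as onerror= / onload=; whitespace-prefixed so
    # plain words ending in "on" are less likely to trip it.
    ("event-handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I)),
    ("embedded-object", re.compile(r"<\s*(?:svg|object|embed|iframe)\b", re.I)),
]

def html_parts(raw: bytes):
    """Yield the decoded text of every text/html part in an RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def scan_message(raw: bytes) -> dict:
    """Return {pattern-name: hit-count} for active content in HTML parts."""
    findings: dict = {}
    for body in html_parts(raw):
        for name, pattern in ACTIVE_CONTENT:
            hits = len(pattern.findall(body))
            if hits:
                findings[name] = findings.get(name, 0) + hits
    return findings

# Constructed sample message: a plain-text part plus an HTML part carrying
# an inline event handler and a script tag (bodies are inert comments).
SAMPLE = b"""From: sender@example.test
To: analyst@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Plain text part.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p>
<img src="x" onerror="/* constructed marker */">
<script>/* constructed marker */</script>
</body></html>
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A non-empty result only flags a message for analyst review; quarantining on these heuristics alone would also catch legitimate newsletters that embed SVG or iframes.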