
Hackers linked to Russia’s GRU have targeted defense companies in Bulgaria and Romania


Hackers linked to Russia’s GRU have targeted defense companies in Bulgaria and Romania as part of a large-scale espionage campaign aimed at gathering information related to the war in Ukraine, according to researchers from cybersecurity firm ESET, who discovered the operation, named RoundPress. The attack has been attributed to the hacker group Sednit (also known as Fancy Bear or APT28), which the U.S. Department of Justice has previously linked to Russian military intelligence, as reported by Help Net Security.

The primary goal of the campaign was to steal confidential data from email servers by exploiting vulnerabilities in popular webmail software, such as Horde, MDaemon, Roundcube, and Zimbra. Sednit sent malicious emails carrying embedded XSS exploits, which were triggered when a message was opened on a vulnerable server. As a result, JavaScript code would be executed on the victim's device, enabling the theft of logins, passwords, and address books, and even the bypassing of two-factor authentication.

Targets included Ukrainian government agencies and defense companies in Bulgaria and Romania, including those manufacturing Soviet-era weapons for supply to Ukraine. In addition, hackers attacked government organizations in EU countries, Africa, and South America.

To carry out phishing attacks, Sednit used email subjects imitating news headlines to entice victims to open the messages. These messages mentioned fake news about the SBU, Putin, and Trump. Experts note that webmail servers have become a favored target of espionage groups, as many organizations fail to update their software in time, and the vulnerabilities can be exploited remotely.

Sednit has been active since 2004 and is known for several high-profile attacks, including the hacking of the U.S. Democratic Party’s servers before the 2016 election and data leaks from the World Anti-Doping Agency (WADA).
