Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage against government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. TAG-70 overlaps with activity reported by other security vendors under the aliases Winter Vivern, TA473, and UAC-0114.
In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine. This campaign has been linked to additional TAG-70 activity against Uzbekistan government mail servers, which involved infrastructure reported by Insikt Group in February 2023.
TAG-70’s targeting of Roundcube webmail servers is only the most recent instance of Russia-aligned threat actors targeting email software. In June 2023, Insikt Group discovered that the Russian state-sponsored cyber-espionage group BlueDelta (APT28, Fancy Bear) was targeting vulnerable Roundcube installations across Ukraine; in 2022, the same group had exploited CVE-2023-23397, a critical zero-day vulnerability in Microsoft Outlook. Other well-known Russian threat actor groups, such as Sandworm and BlueBravo (APT29, Midnight Blizzard), have also previously targeted email solutions in various campaigns.
Geographic spread of victims of TAG-70’s Roundcube exploit in October 2023 (Source: Recorded Future)
In the related activity against Uzbekistan, beginning on March 16, 2023, Insikt Group used Recorded Future Network Intelligence to detect suspicious activity from a victim IP address belonging to the Center for Economic Research and Reforms of Uzbekistan. The victim IP address was observed communicating with the domain bugiplaysec[.]com over TCP port 443, which at the time resolved to IP address 176.97.66[.]57. Traffic received at this first hop was then likely relayed to the command and control (C2) IP address 198.50.170[.]72 on TCP port 7662. It is suspected that TAG-70 administered 198.50.170[.]72 via Tor. CERT-UA attributed the domain bugiplaysec[.]com to TAG-70 in February 2023.
Insikt Group observed similar activity between an IP address registered to the Embassy of the Republic of Uzbekistan in Ukraine and a previously reported C2 domain, ocsp-reloads[.]com, which resolved to IP address 38.180.2[.]23. This additional C2 likely forwarded the data it received to IP address 86.105.18[.]113 on TCP port 1194, and TAG-70 likely connected to that C2 via Tor, as shown in the infrastructure diagram below.
TAG-70 operational infrastructure in March 2023 (Source: Recorded Future)
On July 27, 2023, a new TAG-70 domain, hitsbitsx[.]com, resolved to IP address 176.97.66[.]57. Insikt Group also detected this domain in a JavaScript-based malware sample uploaded to a malware repository (SHA256: ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e). The discovered JavaScript malware matches the second-stage loader used in TAG-70’s previous Roundcube exploitation described by ESET. This JavaScript is loaded via XSS from a malicious email and is used to decode a Base64-encoded JavaScript payload (jsBodyBase64). The payload is then inserted into the Document Object Model (DOM) of the Roundcube webpage within a newly created script tag.
The content of the JavaScript payload, jsBodyBase64, shown in Figure 3, suggests the actors were targeting the Georgian Ministry of Defence domain mail[.]mod[.]gov[.]ge. The structure of this payload overlaps with the one described in ESET’s report; however, its functionality differs: instead of exfiltrating the contents of the victim’s mailbox, it logs the user out of Roundcube and presents them with a new sign-in window. When the victim submits their credentials, their account name, username, and password are sent to the C2 server, and they are then logged into Roundcube.
Insikt Group also identified a related JavaScript sample from November 2022 (SHA256: 6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26). This older sample was hosted on the domain bugiplaysec[.]com, used the same JavaScript loader technique, and had a similar credential exfiltration payload. The content within the payload suggests that it was used to target the Ukrainian Ministry of Defence.
The compromised email servers represent a significant risk, particularly in the context of the ongoing conflict in Ukraine. They could expose sensitive information about Ukraine's war effort, its diplomatic relations, and its coalition partners. Moreover, the targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia's aspirations for European Union (EU) and NATO accession.
Mitigation Strategies
To mitigate the risk posed by TAG-70's campaign, organizations should ensure that their Roundcube installations are patched and up-to-date, while actively hunting for indicators of compromise (IoCs) in their environments. The sophistication of TAG-70's attack methods and its targeting of government and military entities underscore the need for robust cybersecurity measures and proactive threat intelligence efforts. The widespread nature of TAG-70's activities and its potential impact on national security highlight the urgency for vigilance and preparedness among affected organizations and government agencies.
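The loader described above (a Base64 blob named jsBodyBase64 decoded and appended to the DOM inside a new script element) and the Appendix A indicators can be hunted for together. The following Python script is an added example written for this summary, not Recorded Future's tooling: it refangs the published indicators, scans mail bodies for the three loader features and for IoC domains and IPs, checks attachment hashes against the listed samples, and classifies outbound connections by destination IP and port. The sample mail bodies are constructed for the demonstration; the port check treats 1194/tcp as a weak signal only, because it is also OpenVPN's default port.

```python
"""Hunt for TAG-70 Roundcube loader artefacts and Appendix A indicators.

Added example for this report summary; it is not Recorded Future's tooling.
Indicators are copied from Appendix A; the loader heuristic follows the
report's description of the JavaScript second stage.
"""
import hashlib
import re
from typing import Optional


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'bugiplaysec[.]com' back into a matchable string."""
    return ioc.replace("[.]", ".")


TAG70_DOMAINS = {refang(d) for d in (
    "bugiplaysec[.]com", "hitsbitsx[.]com", "ocsp-reloads[.]com", "recsecas[.]com")}
TAG70_IPS = {refang(ip) for ip in (
    "38.180.2[.]23", "38.180.3[.]57", "38.180.76[.]31", "86.105.18[.]113",
    "176.97.66[.]57", "176.97.76[.]118", "176.97.76[.]129", "198.50.170[.]72")}
TAG70_SHA256 = {
    "6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26",
    "ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e",
}
# Relay ports the report observed behind the first hop (7662/tcp and 1194/tcp).
# Weak signal on its own: 1194/tcp is also OpenVPN's default port.
TAG70_C2_PORTS = {7662, 1194}

# One regex per loader feature named in the report; all three together is a strong signal.
LOADER_FEATURES = {
    "jsBodyBase64 variable": re.compile(r"\bjsBodyBase64\b"),
    "atob() decode": re.compile(r"\batob\s*\("),
    "dynamic <script> element": re.compile(
        r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I),
}


def find_iocs(text: str) -> set:
    """Return every Appendix A domain or IP that appears in the text (no partial matches)."""
    hits = {d for d in TAG70_DOMAINS
            if re.search(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", text, re.I)}
    hits |= {ip for ip in TAG70_IPS
             if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", text)}
    return hits


def loader_features(text: str) -> list:
    """Names of the loader features present in a mail body or page fragment."""
    return [name for name, rx in LOADER_FEATURES.items() if rx.search(text)]


def scan_message(body: str) -> dict:
    """Classify one mail body: IoC hit or full loader pattern -> malicious, partial -> suspicious."""
    iocs = find_iocs(body)
    feats = loader_features(body)
    if iocs or len(feats) == len(LOADER_FEATURES):
        verdict = "malicious"
    elif feats:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "iocs": sorted(iocs), "loader_features": feats}


def check_attachment(data: bytes) -> bool:
    """True if the attachment's SHA-256 matches a sample listed in Appendix A."""
    return hashlib.sha256(data).hexdigest() in TAG70_SHA256


def scan_connection(dst_ip: str, dst_port: int) -> Optional[str]:
    """Classify an outbound connection taken from a proxy or NetFlow record."""
    if dst_ip in TAG70_IPS:
        return "known TAG-70 infrastructure"
    if dst_port in TAG70_C2_PORTS:
        return "non-standard port used by TAG-70 C2 relays; review destination"
    return None


# Constructed sample inputs (not real captured messages): a benign mail, a mail whose
# HTML mimics the loader behaviour described in the report, and a mail referencing an IoC.
BENIGN_MAIL = "<html><body><p>Quarterly update attached.</p></body></html>"
LOADER_LIKE_MAIL = (
    "<html><body onload=\"var jsBodyBase64='Ly8gc3RhZ2UgMg==';"
    "var s=document.createElement('script');s.text=atob(jsBodyBase64);"
    "document.body.appendChild(s);\">Please verify your mailbox</body></html>"
)
IOC_MAIL = '<img src="https://hitsbitsx.com/x.png">'

if __name__ == "__main__":
    for label, mail in (("benign", BENIGN_MAIL), ("loader-like", LOADER_LIKE_MAIL),
                        ("ioc", IOC_MAIL)):
        print(label, scan_message(mail))
    print(scan_connection("198.50.170.72", 7662))
```

Run it against exported Roundcube mail bodies (or the webmail server's HTTP logs and the mail store) and against proxy or flow records; a "suspicious" verdict with only one or two loader features is worth a manual look, since legitimate HTML mail rarely builds script elements at all.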
Note: This report summary was first published on February 16, 2024 and has been updated on October 29, 2024. The original analysis and findings remain unchanged.
Appendix A — Indicators of Compromise
Domains:
bugiplaysec[.]com
hitsbitsx[.]com
ocsp-reloads[.]com
recsecas[.]com
IP Addresses:
38.180.2[.]23
38.180.3[.]57
38.180.76[.]31
86.105.18[.]113
176.97.66[.]57
176.97.76[.]118
176.97.76[.]129
198.50.170[.]72
Malware Samples (SHA256):
6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26
ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e
Appendix B — MITRE ATT&CK Techniques
Tactic: Technique | ATT&CK Code |
Resource Development: Acquire Infrastructure: Domains | T1583.001 |
Resource Development: Acquire Infrastructure: Virtual Private Server | T1583.003 |
Resource Development: Acquire Infrastructure: Server | T1583.004 |
Initial Access: Phishing: Spearphishing Link | T1566.002 |
Execution: Exploitation for Client Execution | T1203 |
Persistence: Valid Accounts | T1078 |
Credential Access: Exploitation for Credential Access | T1212 |
Credential Access: Input Capture | T1056 |
Discovery: File and Directory Discovery | T1083 |
Collection: Email Collection | T1114 |
Command and Control: Non-Standard Port | T1571 |