Key points
- Recorded Future links the long-running espionage operation to TAG-70, active since at least December 2020.
- In Oct–Dec 2023 TAG-70 exploited XSS vulnerabilities in Roundcube webmail servers to target 80+ organizations.
- Primary victim countries include Georgia, Poland, and Ukraine; Iranian embassies in Russia and the Netherlands were also targeted.
- Compromised mail servers enabled credential and email collection, posing significant operational and diplomatic exposure.
- Appendix A lists IOCs: malicious domains, multiple IP addresses, and SHA256 hashes of payloads.
- Appendix B maps observed tactics to MITRE ATT&CK techniques used in the campaign.
- Recommended mitigations: patch Roundcube installations, hunt for the provided IOCs, and implement proactive threat intelligence and monitoring.
MITRE Techniques
- [T1583.001] Phishing – Used to gain initial access in the operation; (‘Initial Access: Phishing’)
- [T1583.003] Exploitation for Client Execution – Exploited client-side vulnerabilities to execute code; (‘Execution: Exploitation for Client Execution’)
- [T1583.004] Valid Accounts – Maintained access using valid credentials obtained from compromised mail accounts; (‘Persistence: Valid Accounts’)
- [T1566.002] Exploitation for Credential Access – Leveraged exploitation techniques to harvest credentials; (‘Credential Access: Exploitation for Credential Access’)
- [T1203] Input Capture – Captured input such as credentials via exploited webmail interfaces; (‘Credential Access: Input Capture’)
- [T1203] File and Directory Discovery – Performed discovery to locate sensitive mailbox and server files; (‘Discovery: File and Directory Discovery’)
- [T1203] Email Collection – Collected email content from compromised servers for intelligence; (‘Collection: Email Collection’)
- [T1203] Non-Standard Port – Used non-standard ports for command-and-control or exfiltration channels; (‘Command and Control: Non-Standard Port’)
Indicators of Compromise
- [Domains] Command/payload hosting and infrastructure – bugiplaysec[.]com, hitsbitsx[.]com, and 2 more domains
- [IP Addresses] Server infrastructure associated with activity – 38.180.2[.]23, 38.180.3[.]57, and 6 more IPs
- [File Hashes] Malware samples (SHA256) observed – 6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26, ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e
Technical summary: TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail to execute client-side payloads and capture user input, enabling credential harvesting and bulk email collection from compromised servers. The exploitation chain focused on webmail interfaces where XSS allowed injection of scripts that intercepted credentials and session data, which were then used to access mailboxes and maintain persistence via valid accounts.
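The exploitation chain above turns on one defect: text the attacker controls (a mail header, a search term, a URL parameter) reaching the browser as live HTML, so that injected script runs in the logged-in user's session and can read credentials or session data. The following is an added example written for this summary, not code from Roundcube or from the Recorded Future report. It shows the vulnerable rendering pattern beside its hardened form, and a check for the second layer the mitigation section recommends, a Content-Security-Policy that does not let injected inline script execute. The subject line, template markup and CSP header values are constructed; the CSP check is a simplification that ignores nonce/hash sources.

```python
import html
import re

# Constructed attacker-controlled value, as it might arrive in a mail header.
CONSTRUCTED_SUBJECT = "Quarterly report <script>alert(1)</script>"


def render_subject_unsafe(subject: str) -> str:
    """Vulnerable pattern: untrusted mail data dropped into HTML verbatim."""
    return f'<li class="subject">{subject}</li>'


def render_subject_safe(subject: str) -> str:
    """Hardened pattern: HTML-encode the value before placing it in element content,
    so '<' becomes '&lt;' and the browser never sees a tag."""
    return f'<li class="subject">{html.escape(subject, quote=True)}</li>'


_SCRIPT_START = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_executable_script(fragment: str) -> bool:
    """True if the rendered fragment still carries a live <script> start tag."""
    return _SCRIPT_START.search(fragment) is not None


def csp_allows_inline_script(header: str) -> bool:
    """Does this Content-Security-Policy still let injected inline script run?

    Returns True when no script-src (or fallback default-src) restricts scripts,
    or when the effective source list contains 'unsafe-inline'. Simplified: a
    nonce or hash source would neutralise 'unsafe-inline' in modern browsers,
    which this check does not model.
    """
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    print("unsafe:", render_subject_unsafe(CONSTRUCTED_SUBJECT))
    print("safe:  ", render_subject_safe(CONSTRUCTED_SUBJECT))
    for policy in ("default-src 'self'; script-src 'self' 'unsafe-inline'",
                   "default-src 'self'; script-src 'self'",
                   "img-src *"):
        print(f"inline script allowed under {policy!r}:", csp_allows_inline_script(policy))
```

Output encoding at the point where untrusted text is written into the page is the fix for the class of bug; a strict `script-src` is the safety net that limits what a residual injection can do, and session cookies marked HttpOnly keep the most valuable data out of reach of script entirely.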
Infrastructure and artifacts: The campaign employed multiple domains and IP addresses for hosting payloads and command channels; Recorded Future enumerated domains such as bugiplaysec[.]com and hitsbitsx[.]com and IPs including 38.180.2[.]23 and 38.180.3[.]57, alongside two SHA256 malware samples. Incident responders should prioritize identifying these IOCs on mail servers, web server logs, and outbound connections, and examine Roundcube logs for anomalous requests that indicate XSS exploitation (specially crafted query strings, injected script fragments, or unusual referer/user-agent patterns).
Mitigation and hunting guidance: Patch and update Roundcube to the latest secure releases, implement web application protections (input sanitization, CSP, XSS filters), and rotate credentials for any accounts showing signs of compromise. Conduct focused hunts by searching webserver access logs, mailbox access histories, and endpoint telemetry for the listed domains, IPs, and hashes; investigate any connections on non-standard ports that could carry exfiltration, and block or sinkhole known malicious infrastructure where possible.
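The hunt described in the two passages above (IOC matching across web server logs, file hashes and outbound connections, plus a look for injection markers in Roundcube requests) is shown below as an added example; it is not tooling from Recorded Future or from the Roundcube project. The indicators are the ones listed in this summary, kept defanged in the source and refanged only for matching. Everything else is assumed: the web server writes Combined Log Format, the sample log lines, `sha256sum` output and connection tuples are constructed, the Roundcube-style `_task`/`_action` query parameters in them are illustrative, and the XSS markers are generic script-injection patterns rather than a signature for any specific exploit.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Indicators copied from the summary, kept defanged as written there.
DOMAIN_IOCS = {"bugiplaysec[.]com", "hitsbitsx[.]com"}
IP_IOCS = {"38.180.2[.]23", "38.180.3[.]57"}
HASH_IOCS = {
    "6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26",
    "ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e",
}
# Ports a mail/webmail host is normally expected to talk to (assumption).
EXPECTED_MAIL_PORTS = {25, 80, 110, 143, 443, 465, 587, 993, 995}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]") back into a matchable string."""
    return ioc.replace("[.]", ".")


# Combined Log Format as written by Apache/nginx in front of Roundcube (assumption).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic markers of script injection in a request line; not an exploit signature.
XSS_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:error|load|mouseover)\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)


def analyze_access_line(line: str) -> list[str]:
    """Return finding tags for one access-log line (empty list when nothing matches)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]
    findings = []
    # Decode twice so double-encoded payloads (%253C -> %3C -> <) are also seen.
    path = unquote_plus(unquote_plus(m["path"]))
    if XSS_MARKERS.search(path):
        findings.append("xss_marker_in_request")
    referer = m["referer"].lower()
    for dom in sorted(DOMAIN_IOCS):
        if refang(dom) in referer:
            findings.append(f"ioc_domain_in_referer:{dom}")
    for ip in sorted(IP_IOCS):
        if refang(ip) == m["client"]:
            findings.append(f"ioc_ip_as_client:{ip}")
    return findings


def hunt_hashes(sha256sum_output: str) -> list[str]:
    """Match `sha256sum`-style lines ('<hash>  <path>') against the hash IOCs; return hit paths."""
    hits = []
    for line in sha256sum_output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in HASH_IOCS:
            hits.append(parts[1])
    return hits


def hunt_outbound(connections: list[tuple[str, int]]) -> list[str]:
    """Flag outbound connections to IOC IPs and note whether the port is one a mail host should use."""
    ioc_by_ip = {refang(ip): ip for ip in IP_IOCS}
    hits = []
    for dst, port in connections:
        if dst in ioc_by_ip:
            kind = "standard" if port in EXPECTED_MAIL_PORTS else "non-standard"
            hits.append(f"ioc_ip_outbound:{ioc_by_ip[dst]}:{port}:{kind}")
    return hits


# Constructed sample data: three access-log lines, a sha256sum listing, two connections.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [12/Nov/2023:09:14:02 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Nov/2023:09:15:40 +0000] "GET /?_task=mail&_action=show&_uid=42&_q=%3Cscript%3E HTTP/1.1" 200 842 "-" "Mozilla/5.0"',
    '38.180.2.23 - - [12/Nov/2023:09:16:01 +0000] "POST /?_task=login HTTP/1.1" 302 0 "http://hitsbitsx.com/" "curl/8.1"',
]
SAMPLE_SHA256SUM = "\n".join([
    "6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26  /var/www/roundcube/skins/elastic/x.js",
    "f" * 64 + "  /var/www/roundcube/index.php",  # placeholder hash for a benign file
])
SAMPLE_CONNECTIONS = [("38.180.3.57", 8443), ("198.51.100.5", 443)]

if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        print(analyze_access_line(line) or "clean", "<-", line[:60])
    print("hash hits:", hunt_hashes(SAMPLE_SHA256SUM))
    print("outbound hits:", hunt_outbound(SAMPLE_CONNECTIONS))
```

The three hunts are deliberately independent so each can be pointed at whatever data the responder actually has (proxy or netflow records instead of a connection list, a file-integrity report instead of `sha256sum` output); an `unparsed_line` tag is returned rather than silently skipped so that a log format mismatch shows up instead of hiding misses.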
Read more: https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail