TAG-70

Actor Type: Nation State
Attributed to Nation: Belarus, Russia
Directly Linked Intrusion Sets: UAC-0114, TA473, Winter Vivern

TAG-70 is a cyber threat group identified by Recorded Future’s Insikt Group, which assesses the intrusion set as likely acting on behalf of Belarus and Russia with cyber espionage objectives.

The group reportedly targets government, military and national infrastructure. Researchers observed the group exploiting vulnerabilities in the Roundcube webmail servers of over 80 organizations.

TAG-70 Threat Reports

Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign

The Insikt Group has observed TAG-70 using cross-site scripting (XSS) vulnerabilities to target Roundcube webmail servers in Europe. The ...

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1571 | Non-Standard Port | Command and Control |
| T1083 | File and Directory Discovery | Discovery |
| T1056 | Input Capture | Collection, Credential Access |
| T1114 | Email Collection | Collection |
| T1203 | Exploitation for Client Execution | Execution |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1566 | Phishing | Initial Access |